This Data Processing Agreement (“DPA”) governs how Ordinatus processes customer personal data on behalf of the organizations that subscribe to it. It forms part of, and is incorporated by reference into, the Merchant Terms of Service, and is distinct from the customer-facing Privacy Policy.
Roles. For Customer Personal Data, the Organization is the Controller and Ordinatus is the Processor. Under US state privacy laws the Organization is the Business and Ordinatus is its Service Provider; under PIPEDA / Quebec Law 25 Ordinatus processes Customer Personal Data as a service provider acting on the Organization’s behalf and under its authority.
Ordinatus is a separate, independent Controller for (a) the Organization’s own account and administrative data (trainer and admin accounts) and (b) operating, securing, and improving the platform. Those are governed by Ordinatus’s Privacy Policy and the Merchant Terms of Service, not this DPA.
2.1 Ordinatus processes Customer Personal Data only: to provide the Ordinatus services to the Organization (Annex A purposes); in accordance with the Organization’s documented instructions, of which this DPA, the Merchant Terms of Service, and the Organization’s configuration choices in the app (intake forms, pricing, integrations enabled) are the complete set; and as required by applicable law (Ordinatus will inform the Organization of such a legal requirement before processing, unless the law prohibits it).
2.2 Ordinatus will notify the Organization if, in its opinion, an instruction infringes applicable data protection law.
2.3 No sale; no secondary use. Ordinatus does not sell or share Customer Personal Data, does not use it for cross-context behavioral advertising, and does not process it for any purpose other than the services. Ordinatus will not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Organization, or combine it with data from other sources except as permitted by law to provide the services.
2.4 Data minimization. Ordinatus processes only the minimum Customer Personal Data required to provide the services. Default intake collects name, email, and phone; the Organization controls any additional fields via its intake forms and is responsible for the lawfulness of fields it adds.
Ordinatus ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations and access it only on a need-to-know basis.
4.1 Ordinatus implements appropriate technical and organizational measures (Annex B), including encryption in transit and at rest, access logging for protected customer data, retention limits, and a security incident response policy.
4.2 The measures account for the state of the art, costs, and the risk to data subjects, and are reviewed and updated as the service evolves.
5.1 The Organization provides general authorization for Ordinatus to engage the sub-processors listed in Annex C to process Customer Personal Data.
5.2 Ordinatus will impose data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for its sub-processors’ performance.
5.3 Ordinatus will give the Organization advance notice of any intended addition or replacement of a sub-processor (by updating Annex C and notifying via the app or email). The Organization may object on reasonable data-protection grounds within 30 days; if the objection cannot be resolved, the Organization may terminate the affected service.
6.1 Data subject requests. Taking into account the nature of the processing, Ordinatus assists the Organization (by appropriate technical and organizational measures, insofar as possible) in fulfilling its obligation to respond to data subject requests to exercise their rights (access, correction, deletion, opt-out). Where Ordinatus receives a request directly from a data subject, it will refer the data subject to the Organization and will not respond except on the Organization’s instruction or as legally required.
6.2 Shopify compliance webhooks. Ordinatus operationalizes the above for stores connected via Shopify:
- customers/data_request → Ordinatus compiles the customer’s stored data and delivers it to the Organization (store owner).
- customers/redact → Ordinatus anonymizes that customer’s personal data for the Organization.
- shop/redact → Ordinatus anonymizes all customer personal data for that store and removes the store connection and tokens.

6.3 Ordinatus assists the Organization with security, breach notification, and data protection impact assessments to the extent the Organization reasonably requires and the information is available to Ordinatus.
Ordinatus will notify the Organization without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information then available to enable the Organization to meet its own notification obligations, and will follow its security incident response policy.
8.1 Ordinatus makes available to the Organization information reasonably necessary to demonstrate compliance with this DPA, and allows for and contributes to audits, including inspections, conducted by the Organization or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits.
8.2 Ordinatus will participate in Shopify data protection reviews where required for protected customer data access, and may provide a relevant third-party report or certification (if any) in satisfaction of an audit request.
Ordinatus and its sub-processors process and store data primarily in the United States. For Customer Personal Data originating in Canada (including Quebec), the Organization authorizes this cross-border transfer; Ordinatus applies the security measures in Annex B and ensures comparable protection consistent with PIPEDA and Quebec Law 25. Ordinatus does not target the EU/UK; if the Organization’s customers include EU/UK residents, additional transfer mechanisms are out of scope and the Organization must not direct such processing without a separate agreement.
10.1 Ordinatus retains Customer Personal Data only as long as needed to provide the services or as required by law. An activity-based retention sweep anonymizes dormant customer data after the Organization’s configured window (default 36 months).
10.2 On termination of the services, Ordinatus will, at the Organization’s choice, delete or anonymize Customer Personal Data, except where retention is required by law or for the establishment, exercise, or defense of legal claims (e.g. financial or transaction records). Anonymization-in-place is used where booking or financial history must be preserved without identifying the individual. Ordinatus completes the deletion or anonymization within 60 days of termination. On request made before deletion, Ordinatus will make the Organization’s Customer Personal Data available for export in a commonly used format.
11.1 Order of precedence. If this DPA conflicts with the Merchant Terms of Service on a data-protection matter, this DPA controls for Customer Personal Data.
11.2 Term. This DPA is effective for as long as Ordinatus processes Customer Personal Data on the Organization’s behalf.
11.3 Governing law and venue. This DPA is governed by the laws of the State of Texas, without regard to its conflict-of-laws rules. The parties submit to the exclusive jurisdiction and venue of the state and federal courts located in Denton County, Texas.
11.4 Changes. Ordinatus may update this DPA to reflect changes in law or the service; material changes are notified via the app or email.
11.5 Notices and data-protection contact. Notices and data-protection requests under this DPA (sub-processor objections, data-subject-request assistance, breach queries) may be sent to Ordinatus at [email protected]. Notices to the Organization are sent to its account or admin email of record.

Annex A: Details of processing

| Item | Detail |
|---|---|
| Subject matter | Provision of the Ordinatus scheduling and payment-facilitation services |
| Duration | For the term of the subscription plus the permitted retention period |
| Nature & purpose | Receiving session requests; routing to eligible trainers; scheduling; facilitating payment via Shopify; creating calendar events; sending transactional email reminders; customer service; dispute resolution |
| Categories of data subjects | The Organization’s customers and prospective customers (session bookers) |
| Categories of personal data | Name; email address; phone number; IP address; customer-submitted intake form answers; products/services purchased and booking/purchasing history; declared timezone |
| Excluded / not processed | Payment card data, CVV, bank details (handled by Shopify-hosted checkout); shipping/postal address (not collected); special-category/sensitive data (unless an Organization adds such a field to its own intake form, for which it is responsible) |
| Special categories | None by default |
| Frequency | Continuous, for the duration of the services |

Annex C: Sub-processors

| Sub-processor | Purpose | Data exposed |
|---|---|---|
| Shopify | Payment processing (hosted checkout, draft orders) + order/refund webhooks | Customer name, email; order/booking financial data |
| SMTP2Go | Transactional email delivery | Recipient email, message content (booking details) |
| Google (Calendar) | Trainer calendar sync | Booking event details; trainer calendar account info |
| Microsoft (Outlook Calendar) | Trainer calendar sync | Booking event details; trainer calendar account info |
| Zoho (Calendar + Assist) | Calendar sync + remote-session delivery | Booking event details; customer email/join info for remote sessions |
| DigitalOcean | Application + database hosting (US) | All stored Customer Personal Data (at rest) |
| Google Fonts | Font delivery on the booking page | IP address (received by the CDN when the page loads) |
By creating an Organization account or subscribing to Ordinatus, the person accepting on the Organization’s behalf represents that they are authorized to bind the Organization, and the Organization accepts this DPA.