Autoprinter

Data Processing Agreement

Last updated: 2026-04-24

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Econocraft Materials LLC ("Econocraft," "Processor") and the Shopify merchant that installs Autoprinter ("Merchant," "Controller"). This DPA governs Econocraft's processing of Personal Data on the Merchant's behalf in connection with Autoprinter (the "Service").

Where the Merchant is subject to the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, or the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), this DPA is binding and governs as the data protection addendum under those laws. By installing or continuing to use Autoprinter, the Merchant enters into this DPA.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR or the CCPA, as applicable.

  • Personal Data — any information relating to an identified or identifiable natural person that Econocraft processes on the Merchant's behalf through the Service.
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates.
  • Subprocessor — a third party engaged by Econocraft that processes Personal Data in providing the Service.
  • Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • Processing — any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or deletion.

2. Roles

  • The Merchant is the Controller (or "Business" under the CCPA) of Personal Data processed through the Service.
  • Econocraft is the Processor (or "Service Provider" under the CCPA), acting on the Merchant's documented instructions.
  • The Merchant's configuration of the Service (choice of templates, routing rules, workstation assignments, and equivalent settings) constitutes a documented instruction under this DPA.
  • This DPA applies only to Personal Data that Econocraft processes on the Merchant's behalf. Processing of merchant account metadata, support communications, security logs, diagnostics, and product analytics for Econocraft's own operations is described in the Privacy Policy and is not governed by this DPA.

3. Scope, Nature, and Purpose of Processing

Subject matter. Econocraft processes Personal Data to provide Autoprinter, a printing-automation service for Shopify merchants.

Nature of the processing. Reading order data from the Shopify Admin API; rendering documents (packing slips, invoices, pick slips, return slips, gift receipts, and associated shipping-label workflows) on the Merchant's behalf; storing rendered HTML, print job records, and associated metadata; transmitting rendered documents to paired local printers via the Desktop Utility and Chrome Extension.

Duration. The term of the Agreement and the retention period described in the Data Retention Policy.

Categories of Data Subjects.

  • End customers of the Merchant whose orders are processed through the Service.
  • The Merchant's authorized staff who operate the Service.

Categories of Personal Data.

  • Identification and contact data — names, shipping and billing addresses, email addresses, phone numbers.
  • Order data — order identifiers, line items, product information, fulfillment status, order tags, custom attributes.
  • Merchant staff and device metadata — workstation names, hostnames, operating-system platform.

4. Merchant Instructions

Econocraft processes Personal Data only on the Merchant's documented instructions, including those set out in the Agreement, this DPA, and the Merchant's configuration of the Service, unless processing is required by applicable law. If Econocraft believes an instruction violates applicable data protection law, it will notify the Merchant without undue delay.

5. Confidentiality

Econocraft ensures that personnel authorized to process Personal Data are bound by written confidentiality obligations or appropriate statutory confidentiality duties.

6. Security Measures

Econocraft implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption in transit. TLS 1.2 or higher for all network connections to the Service.
  • Encryption at rest. PostgreSQL at-rest encryption provided by Railway.
  • Authentication. SHA-256 hashing of device pairing tokens; raw tokens are returned to the paired client once at pairing time and are never stored by Econocraft.
  • Header redaction. The authorization, cookie, and x-shopify-access-token HTTP headers are stripped from every error event before transmission to Sentry.
  • Scoped API access. The Service requests only the read_orders, read_products, read_fulfillments, and read_shipping Shopify scopes and makes no write calls to the Shopify Admin API.
  • Rate limiting. Public endpoints are rate-limited to deter brute-force and abuse.
  • Access control. Production systems are accessible only to authorized Econocraft personnel using unique credentials and multi-factor authentication where supported by the underlying platform.
  • Logging. Print-job lifecycle events are logged for 90 days for diagnostic and audit purposes.

Econocraft will periodically review and, where appropriate, update these measures.

7. Subprocessors

The Merchant authorizes Econocraft to engage the Subprocessors listed below. Each Subprocessor is engaged under a written agreement that imposes data protection obligations no less protective than those in this DPA.

Subprocessor Location Purpose
Railway Delaware, United States Application hosting and PostgreSQL database hosting. Stores all Personal Data at rest and handles it in transit.
Sentry (Functional Software Inc.) Delaware, United States Error tracking. Receives stack traces and redacted HTTP request metadata; does not receive order data.
Resend Delaware, United States Transactional email delivery from the autoprinter.app domain.
PostHog United States (US Cloud) Product analytics. Receives feature-usage events.
Shopify Canada The source platform for all order data. Processing on Shopify is governed by the Merchant's agreements with Shopify and Shopify's own data processing addendum.

Econocraft will notify the Merchant at least 30 days before adding or replacing any Subprocessor by (a) posting an updated list at autoprinter.app and (b) sending an email or in-app notice to the merchant contact associated with the Shopify installation. The Merchant may object to a new Subprocessor in writing during that notice period on reasonable data protection grounds. If the parties cannot resolve the objection, the Merchant may terminate the Agreement under its Termination provisions.

8. International Data Transfers

Econocraft's primary Subprocessors are located in the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or another third country, the transfer is carried out under the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), with Econocraft Materials LLC acting as data importer under Module Two (controller-to-processor) or, for onward transfers to Subprocessors, Module Three (processor-to-processor), as applicable. For transfers from the United Kingdom, the UK International Data Transfer Addendum (version B1.0) to the EU Standard Contractual Clauses, issued by the UK Information Commissioner's Office, applies. For transfers from Switzerland, the EU Standard Contractual Clauses apply with the adaptations required for Swiss data-protection law and recognized by the Swiss Federal Data Protection and Information Commissioner. The Merchant and Econocraft are deemed to have entered into these clauses through their acceptance of this DPA.

9. Data Subject Requests

Econocraft will, to the extent permitted by law, promptly notify the Merchant of any request received directly from a Data Subject. Econocraft will not respond to the request itself except to confirm receipt and to direct the Data Subject to the Merchant, unless required by applicable law.

Econocraft will provide reasonable assistance to the Merchant, at the Merchant's cost, in responding to Data Subject requests to exercise rights of access, rectification, erasure, restriction, portability, or objection. Taking into account the nature of processing and the information available to Econocraft, Econocraft will also reasonably assist the Merchant with the Merchant's obligations under GDPR Articles 32–36, including security of processing, personal-data-breach assessment and notification, data protection impact assessments, and prior consultations with supervisory authorities. Where Econocraft receives a valid Shopify customers/data_request webhook, it will provide the Merchant with the responsive customer and order data identified by Shopify to the extent that data remains in Autoprinter. Where Econocraft receives a valid Shopify customers/redact webhook, it will purge the specified Data Subject's Personal Data within 30 days in compliance with Shopify's service-level requirement, without requiring separate instruction from the Merchant.

10. Personal Data Breach Notification

Econocraft will notify the Merchant in writing without undue delay and, in any event, within 72 hours after becoming aware of a Personal Data Breach affecting the Merchant's Personal Data. Econocraft may provide information in phases as it becomes available. The notification will include, to the extent known at the time: the nature of the Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the Breach. Econocraft will cooperate with the Merchant's reasonable investigation and remediation efforts.

11. Audit Rights

The Merchant may request, no more than once per calendar year, a written summary of Econocraft's security posture, including a description of the technical and organizational measures listed in Section 6 and any material changes since the prior summary. Econocraft will provide this summary within 30 days of a written request.

Merchants do not have live access to Econocraft's production systems. Where a Merchant's regulator or auditor requires additional information to demonstrate compliance, Econocraft will respond to reasonable written inquiries and will cooperate in good faith to satisfy the regulator's or auditor's requirements, subject to reasonable confidentiality protections.

12. Return or Deletion of Personal Data

On termination of the Agreement, Econocraft will, at the Merchant's election, either return or delete Personal Data processed on the Merchant's behalf, to the extent technically available, and will delete remaining copies, except to the extent that retention is required by applicable law. Absent a contrary election communicated before uninstall, Econocraft will delete all such Personal Data within 30 days of the Shopify app/uninstalled webhook. Detailed schedules are set out in the Data Retention Policy.

13. CCPA-Specific Terms

To the extent Econocraft processes Personal Information of California residents under the CCPA, Econocraft:

  • acts as a Service Provider on the Merchant's behalf;
  • will not sell or share Personal Information;
  • will not retain, use, or disclose Personal Information for any purpose other than performing the Service specified in the Agreement, or as otherwise permitted by the CCPA;
  • will not retain, use, or disclose Personal Information outside of the direct business relationship between Econocraft and the Merchant;
  • will not combine Personal Information received from the Merchant with Personal Information received from any other source, except as permitted by the CCPA; and
  • will comply with applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses under the CCPA; and
  • will notify the Merchant if Econocraft determines that it can no longer meet its obligations under the CCPA with respect to Personal Information processed under this DPA.

The Merchant may take reasonable and appropriate steps to ensure that Econocraft uses the Personal Information in a manner consistent with the Merchant's obligations under the CCPA, and to stop and remediate unauthorized use of Personal Information.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Agreement.

15. Precedence

If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict and only with respect to the processing of Personal Data.

16. Contact

Data protection inquiries:

Econocraft Materials LLC 14255 N 79th St STE 4 Scottsdale, AZ 85260 United States Email: garrett@econocraftmaterials.com (canonical) or support@autoprinter.app