Kestori

Data Processing Addendum

Last updated: 2026-06-01

This Data Processing Addendum ("DPA") is available for merchants who use Kestori and need written GDPR data processing terms. For the Shopify inventory forecasting and low-stock digest service, the merchant is the controller and Forethought Studios is the processor.

How to request a signed DPA

Email [email protected] from the shop owner email address on file with the subject "Kestori DPA request". Include your Shopify myshopify.com domain, legal business name, registered business address, authorized signer name and title, and the email address where the countersigned copy should be sent.

If a request is missing the Shopify myshopify.com domain, legal business name, registered address, or authorized signer, we will ask for the missing details before preparing the DPA. Once the request is complete, we will send a signature-ready PDF within 5 business days. The DPA takes effect when signed by both the merchant and Forethought Studios.

DPA template

This template supplements the Kestori terms of service and applies only to personal data processed for a merchant's use of Kestori. If this DPA conflicts with the terms of service, this DPA controls for the processing of personal data.

1. Subject matter

Forethought Studios processes Shopify store, inventory, order-line, settings, and merchant contact data for the purpose of providing Kestori to the merchant's Shopify store.

2. Duration

Processing begins when the merchant installs Kestori and continues until the app is uninstalled, the merchant account is closed, or the parties otherwise terminate the service relationship. Post-termination deletion follows the return or deletion section below.

3. Nature and purpose

Kestori reads Shopify product, variant, inventory, and order-line facts; stores merchant settings; computes sales velocity and low-stock thresholds; displays the embedded admin dashboard; and sends transactional daily low-stock digest email to opted-in merchant recipients.

4. Categories of personal data

The processing may include Shopify shop identifiers, merchant account email addresses, staff email addresses that opt in to digest email, product and variant metadata, inventory snapshots, order-line facts used for velocity calculations, app settings, and operational logs. Kestori discards customer identifiers attached to orders before storing sales velocity source data and does not intentionally store customer names, billing addresses, shipping addresses, or payment details.

5. Data subjects

Data subjects are merchant owners, merchant staff who use or receive email from Kestori, and any Shopify customers whose order-line facts are transiently received from Shopify before customer identifiers are discarded.

6. Controller instructions

Forethought Studios will process personal data only to provide Kestori, comply with the merchant's documented instructions, comply with applicable law, or protect the service from abuse or security incidents. The merchant's documented instructions are the terms of service, this DPA, Shopify app installation permissions, app settings selected by the merchant, and written instructions sent to [email protected].

7. Confidentiality

Forethought Studios limits access to merchant data to the operator who needs access to provide, secure, support, and maintain Kestori. Anyone with access to merchant data is bound by confidentiality obligations.

8. Security measures

Forethought Studios maintains technical and organizational measures appropriate to the risk of the processing, including HTTPS with TLS 1.2 or higher, restricted production database access, least-privilege server access, passwordless or key-based server authentication where available, encrypted backup transport, webhook signature verification, OAuth token protection, dependency monitoring, logging for security and operational events, and 30-day backup retention.

9. Subprocessors

Forethought Studios may use subprocessors to host Kestori infrastructure, store backups, route DNS or edge traffic, and deliver email. Current subprocessors are listed on the subprocessor page, and email delivery uses Amazon SES. Forethought Studios remains responsible for subprocessor performance under this DPA and will use subprocessors only under written terms that protect personal data.

10. Assistance with data subject requests

Forethought Studios will provide reasonable assistance for GDPR data subject requests that relate to Kestori processing. Shopify-mediated privacy webhooks for customers/data_request, customers/redact, and shop/redact are handled through Kestori's compliance webhook flow. Merchant-originated requests can be sent to [email protected].

11. Personal data breach

Forethought Studios will notify the merchant without undue delay after confirming a personal data breach affecting the merchant's Kestori data. The notice will include the nature of the breach, affected data categories where known, likely consequences where known, mitigation steps taken, and contact details for follow-up.

12. International transfers

Kestori production data is stored on Kestori-controlled infrastructure in Germany. Where processing or support causes personal data to be transferred outside the European Economic Area, Forethought Studios will use a lawful transfer mechanism, such as the European Commission Standard Contractual Clauses or another mechanism recognized under GDPR.

13. Return or deletion

On uninstall or termination, Forethought Studios deletes shop-scoped production data within 30 days, subject to backup retention and legal obligations. Backups expire on their normal 30-day rotation. Because Kestori is an operational SaaS service, return of data is limited to reasonable export assistance available before deletion.

14. Audit information

Forethought Studios will make reasonable information available to demonstrate compliance with this DPA, including this published template, the privacy policy, security and infrastructure documentation, and written answers to reasonable merchant questions. Audits must be limited to once per year unless required by a regulator or following a confirmed personal data breach, must avoid disruption to Kestori operations, and must preserve other merchants' confidential information.

15. Contact

Questions about this DPA or a signed copy request: [email protected].