Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of Minimist's Terms of Service. It governs the processing of personal data that Minimist performs on behalf of customers ("Controllers") in connection with the Services. By accepting the Terms of Service, you agree to the terms of this DPA.

Last updated: April 2026

Contact: [email protected]


1. Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the Main Agreement or the GDPR, as applicable.

Term | Definition
Controller | The Customer, as identified in the Main Agreement, who determines the purposes and means of the Processing of Personal Data.
Processor | Minimist FlexCo, which Processes Personal Data on behalf of the Controller in connection with the Services.
Sub-processor | Any third party engaged by the Processor (or by any other Sub-processor of the Processor) to carry out specific Processing activities on behalf of the Controller.
Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject") that is Processed by the Processor on behalf of the Controller in connection with the Services.
Processing | Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Subject | An identified or identifiable natural person to whom the Personal Data relates.
Supervisory Authority | The Austrian Data Protection Authority (Datenschutzbehoerde, "DSB"), or any other competent supervisory authority under the GDPR with jurisdiction over the Controller or Processor.
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Services | The SaaS inventory management platform and related services provided by Minimist to the Customer under the Main Agreement, including the mobile application, web dashboard, marketplace integrations, AI-powered analysis, and all associated functionality.
Customer Data | All data, including Personal Data, that the Controller or its authorized users submit to, store within, or generate through the use of the Services.
DPA | This Data Processing Agreement, including all Annexes to this DPA.
Main Agreement | The subscription agreement, terms of service, or other agreement between the Controller and the Processor governing the Controller's use of the Services.

2. Scope and Purpose of Processing

2.1 Roles of the Parties

The Customer acts as the Controller and Minimist acts as the Processor with respect to the Processing of Personal Data described in this DPA. The Processor shall Process Personal Data only in accordance with the Controller's documented instructions as set forth in this DPA, the Main Agreement, and any subsequent written instructions provided by the Controller.

2.2 Subject Matter

The subject matter of the Processing is the provision of the Services, a SaaS-based inventory management platform that enables the Controller's personnel to:

  • Capture and manage product images via a Flutter-based mobile application;
  • Manage inventory, listings, and order data via a web-based dashboard;
  • Generate product descriptions, categorizations, and pricing suggestions through AI-powered analysis;
  • Publish and synchronize listings across third-party marketplaces (including eBay, Shopify, Vinted, and Discogs); and
  • Receive notifications, analytics, and support in connection with the foregoing.

2.3 Duration

This DPA shall remain in effect for the duration of the Main Agreement. Upon termination or expiry of the Main Agreement, the provisions of this DPA relating to the return and deletion of Personal Data (Section 9) shall continue to apply until all Personal Data has been deleted or returned in accordance with Section 9.

2.4 Nature and Purpose of Processing

The Processing carried out by the Processor encompasses:

  • hosting and storing Customer Data (including inventory records, product images, and associated metadata);
  • transforming and optimizing media assets (background removal, resizing, compression);
  • analyzing images and text using artificial intelligence services (classification, description generation, attribute extraction, price suggestion);
  • publishing and synchronizing listings to and from third-party marketplace platforms;
  • indexing data for search functionality;
  • sending transactional email and push notifications; and
  • collecting usage analytics and crash reports to maintain and improve the Services.

2.5 Categories of Data Subjects and Types of Personal Data

The categories of Data Subjects and types of Personal Data Processed are described in detail in Annex 1 to this DPA.


3. Obligations of the Processor

3.1 Processing on Documented Instructions

In accordance with Article 28(3)(a) GDPR, the Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. This DPA and the Main Agreement constitute the Controller's complete initial instructions to the Processor. Any additional or alternative instructions must be provided in writing and will be subject to Minimist's assessment of whether such instructions are lawful and technically feasible.

3.2 Confidentiality of Personnel

In accordance with Article 28(3)(b) GDPR, the Processor shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.

3.3 Security of Processing

In accordance with Article 28(3)(c) GDPR and taking into account Article 32 GDPR, the Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • (a) the pseudonymization and encryption of Personal Data;
  • (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  • (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

The specific technical and organizational measures implemented by the Processor are described in Annex 2 to this DPA. The Processor may update these measures from time to time, provided that such updates do not materially decrease the overall level of security of the Processing.

3.4 Sub-processor Management

3.4.1 General Authorization

In accordance with Article 28(3)(d) GDPR, the Controller provides the Processor with general written authorization to engage Sub-processors for the Processing of Personal Data in connection with the Services, subject to the conditions set out in this Section 3.4. The current list of authorized Sub-processors is set forth in Annex 3 to this DPA.

3.4.2 Prior Notice of Changes

The Processor shall inform the Controller in writing (including by email to the address associated with the Controller's account) at least thirty (30) calendar days in advance of any intended addition or replacement of a Sub-processor, providing the Controller with the opportunity to object to such changes.

3.4.3 Right to Object

If the Controller objects to a new or replacement Sub-processor on reasonable grounds relating to data protection, Minimist will work with the Controller to address those concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within thirty (30) calendar days of the Processor's receipt of the objection, the Controller may terminate the affected portion of the Services (or, where not reasonably severable, the Main Agreement) without penalty, upon written notice to the Processor.

3.4.4 Sub-processor Obligations

The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

3.5 Assistance with Data Subject Rights

In accordance with Article 28(3)(e) GDPR, the Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection). The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject, and shall not respond to such request itself unless authorized by the Controller or required by applicable law.

3.6 Personal Data Breach Notification

In accordance with Article 28(3)(f) GDPR, the Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours after becoming aware of a Personal Data breach affecting Customer Data. Such notification shall include, to the extent available:

  • (a) a description of the nature of the Personal Data breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • (b) the name and contact details of the Processor's point of contact for further information;
  • (c) a description of the likely consequences of the Personal Data breach; and
  • (d) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take such commercially reasonable steps as the Controller may direct to assist in the investigation, mitigation, and remediation of the breach. The Processor shall further assist the Controller in ensuring compliance with the Controller's obligations under Articles 33 and 34 GDPR, taking into account the nature of the Processing and the information available to the Processor.

3.7 Deletion and Return of Personal Data

In accordance with Article 28(3)(g) GDPR, upon termination or expiry of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The specific timelines and procedures for deletion and return are set forth in Section 9 of this DPA.

3.8 Audit Rights

In accordance with Article 28(3)(h) GDPR, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The specific terms and conditions for the exercise of audit rights are set forth in Section 7 of this DPA.

3.9 Informing the Controller of Conflicting Instructions

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions. The Processor shall be entitled to suspend the performance of the relevant instruction until it is confirmed or modified by the Controller.


4. Obligations of the Controller

4.1 Lawful Basis for Processing

The Controller warrants that it has a lawful basis under the GDPR for the Processing of Personal Data as contemplated by this DPA and the Main Agreement. The Controller is responsible for ensuring that the Processing instructions given to the Processor are lawful and comply with the GDPR and all other applicable data protection laws.

4.2 Instructions

The Controller shall be responsible for providing the Processor with documented, lawful instructions regarding the Processing of Personal Data. The Controller shall ensure that its use of the Services and its instructions to the Processor do not cause the Processor to violate applicable law.

4.3 Data Subject Notifications

The Controller shall be responsible for providing any required notices to Data Subjects regarding the Processing of their Personal Data in connection with the Services, including in relation to the use of Sub-processors and international data transfers, and for obtaining any necessary consents from Data Subjects where required by applicable law.

4.4 Accuracy and Minimization

The Controller shall ensure that Personal Data submitted to the Services is accurate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed.


5. International Data Transfers

5.1 General Principle

The Processor's primary infrastructure for the Services is hosted within the European Economic Area ("EEA"). The Processor shall not transfer Personal Data to a country outside the EEA or to an international organization unless adequate safeguards are in place in accordance with Chapter V of the GDPR.

5.2 Transfer Mechanisms

Where Personal Data is transferred to Sub-processors located in third countries that have not received an adequacy decision from the European Commission, the Processor shall ensure that one of the following transfer mechanisms is in place:

  • (a) Standard Contractual Clauses: The Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"), Module 3 (processor-to-processor), are hereby incorporated by reference into this DPA. Where applicable, the Processor (as data exporter) and the relevant Sub-processor (as data importer) shall be deemed to have entered into the EU SCCs, with the details of the transfer as described in Annex 1 and Annex 2 to this DPA serving as the annexes to the EU SCCs.
  • (b) Other approved mechanisms: Any other legally recognized transfer mechanism approved under the GDPR, such as Binding Corporate Rules or an adequacy decision.

5.3 Sub-processors in the United States

The following Sub-processors are currently located in the United States and are subject to the EU SCCs as described in Section 5.2(a): Anthropic (AI services), OpenAI (AI services), Groq (AI services), SendGrid / Twilio (transactional email), Intercom (customer support), Branch.io (deep linking and attribution), Stripe (payment processing), and HubSpot (CRM and marketing). Additional details are provided in Annex 3.

5.4 Supplementary Measures

In addition to the contractual safeguards described above, the Processor implements the following supplementary measures to protect Personal Data transferred to third countries:

  • (a) EU-hosted infrastructure: The Services' primary compute, storage, and database infrastructure is hosted within the EEA (Hetzner, Germany; Google Cloud, Belgium/Netherlands);
  • (b) Server-side analytics: Analytics are processed server-side using Google Tag Manager Server-Side ("SGTM") deployed within the EEA, minimizing the transfer of end-user data to third-country analytics providers;
  • (c) Encryption in transit and at rest: All data transferred to Sub-processors outside the EEA is encrypted using industry-standard protocols (TLS 1.2 or higher in transit; AES-256 at rest);
  • (d) Data minimization: Only the minimum data necessary for the specific Sub-processor's function is transmitted (e.g., product images for AI analysis, email addresses for notification delivery);
  • (e) Contractual restrictions: Sub-processors are contractually prohibited from Processing Personal Data for their own purposes or disclosing it to third parties except as required by law.

6. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and, where necessary, prior consultations with the Supervisory Authority, in accordance with Articles 35 and 36 GDPR, taking into account the nature of the Processing and the information available to the Processor. Such assistance may include providing information about the Processing operations, the technical and organizational measures in place, and the involvement of Sub-processors. The Controller shall reimburse the Processor for any reasonable costs incurred in providing such assistance beyond what is already included in the Services.


7. Audit Rights

7.1 Scope

The Controller (or a qualified, independent third-party auditor appointed by the Controller and bound by confidentiality obligations acceptable to the Processor) shall have the right to audit the Processor's compliance with this DPA. Audits shall be limited to the Processing activities performed by the Processor on behalf of the Controller and shall not extend to the Processor's proprietary systems, trade secrets, or data of other customers.

7.2 Frequency and Notice

The Controller may conduct or commission an audit no more than once per calendar year, unless a Personal Data breach has occurred or the Supervisory Authority requests or orders an additional audit. The Controller shall provide the Processor with at least thirty (30) calendar days' prior written notice of any audit, and both parties shall cooperate in good faith to agree on the scope, timing, and duration of the audit so as to minimize disruption to the Processor's operations.

7.3 Third-Party Reports

The Processor may, at its discretion, satisfy the Controller's audit rights by making available:

  • (a) a current SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party audit report covering the Processing activities; or
  • (b) responses to a reasonable written questionnaire provided by the Controller.

If such reports or responses reasonably address the Controller's audit concerns, the Controller shall consider them in lieu of an on-site inspection. If the Controller reasonably demonstrates that the reports or responses are insufficient to verify compliance, the Controller may proceed with an on-site audit in accordance with Sections 7.1 and 7.2.

7.4 Costs

Each Party shall bear its own costs in connection with audits. However, if an audit reveals a material breach of this DPA by the Processor, the Processor shall bear the reasonable costs of the audit. Conversely, if an audit requested by the Controller (beyond the annual entitlement or exceeding the agreed scope) reveals no material breach, the Controller shall reimburse the Processor for reasonable costs incurred.

7.5 Confidentiality

All information obtained or generated in connection with an audit shall be treated as confidential information of the Processor and shall be used solely for the purpose of verifying compliance with this DPA.


8. Liability

8.1 Limitation of Liability

The liability of each Party under or in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Main Agreement, unless otherwise required by mandatory applicable law (including the GDPR).

8.2 Indemnification

Each Party shall indemnify and hold harmless the other Party from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising from or in connection with any breach of this DPA by the indemnifying Party, to the extent that such losses are not otherwise limited or excluded under the Main Agreement.

8.3 Regulatory Fines

Nothing in this DPA shall be construed as limiting or excluding either Party's liability for administrative fines imposed by a Supervisory Authority directly upon that Party for its own violation of the GDPR.


9. Term and Termination

9.1 Term

This DPA is effective from the date you accept the Terms of Service and shall remain in force for as long as the Processor Processes Personal Data on behalf of the Controller, including any post-termination retention period specified in this Section 9.

9.2 Data Return

Upon termination or expiry of the Main Agreement, the Controller may request, within thirty (30) calendar days of the effective date of termination, the return of all Customer Data (including Personal Data) in a structured, commonly used, and machine-readable format. The Processor shall make such data available for export through the Services' standard data export functionality or, where such functionality is not available, via a mutually agreed secure transfer method.

9.3 Data Deletion

Following the expiry of the thirty (30) day return period specified in Section 9.2, the Processor shall delete all Personal Data within ninety (90) calendar days, unless:

  • (a) Union or Member State law requires continued storage of the Personal Data; or
  • (b) the Personal Data has been archived on backup systems, in which case the Processor shall securely isolate such data and delete it in accordance with its standard backup rotation schedule, and in any event within twelve (12) months of termination.

9.4 Certification of Deletion

Upon the Controller's written request, the Processor shall provide a written certification confirming that all Personal Data has been deleted in accordance with this Section 9. Such certification shall be provided within thirty (30) calendar days of the completion of deletion.


10. Governing Law and Jurisdiction

10.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Austria, without regard to its conflict of laws principles.

10.2 Jurisdiction

Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts in Vienna, Austria.

10.3 Supervisory Authority

The lead supervisory authority for the Processor is the Austrian Data Protection Authority (Datenschutzbehoerde, "DSB"), Barichgasse 40-42, 1030 Vienna, Austria ([email protected]).


11. Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA shall prevail to the extent that such conflict or inconsistency relates to the Processing of Personal Data. For all other matters, the Main Agreement shall prevail.


Annex 1: Details of Processing

A1.1 Categories of Data Subjects

The Personal Data Processed under this DPA may concern the following categories of Data Subjects:

Category | Description
Customer employees and staff | Individuals employed or engaged by the Controller who access and use the mobile application (Flutter app) and/or the web dashboard to capture product images, manage inventory, create listings, and perform other tasks in connection with the Services.
End consumers and buyers | Individuals whose personal data (such as name, email, phone number, and shipping address) is transmitted through marketplace integrations in connection with order fulfillment and transaction processing.
Vendors and merchants | Individuals operating as third-party vendors or merchants on the Controller's marketplace, whose account and transaction data is Processed in connection with the Services.

A1.2 Types of Personal Data

The following types of Personal Data may be Processed in connection with the Services:

Category | Data Elements
Account data | Full name, email address, phone number, authentication tokens, password hashes, account preferences, role and permission assignments.
Device data | Device identifiers (e.g., device ID, advertising ID), Firebase Cloud Messaging (FCM) push tokens, IP addresses, operating system and version, app version.
Image and media data | Product photographs (which may incidentally contain identifiable information such as faces, handwritten labels, or addresses visible in the background), EXIF metadata (including GPS coordinates, timestamps, camera/device information).
Listing data | Product titles, descriptions, pricing, categories, condition grades, SKU/barcode data, and marketplace-specific identifiers.
Order and transaction data | Buyer name, buyer email address, buyer phone number, shipping and billing addresses, order identifiers, payment status, transaction amounts.
Telemetry data | Application usage events, feature interaction data, session duration, navigation paths, crash reports, error logs, performance metrics.
Support data | Intercom conversations (including name, email, message content, attachments), support ticket metadata.

A1.3 Processing Operations

The Processor performs the following Processing operations on behalf of the Controller:

Operation | Description
Storage and hosting | Persistent storage of inventory records, product images, user accounts, and associated metadata on EU-hosted infrastructure.
Image processing | Automated background removal, resizing, compression, and format conversion of product photographs.
AI analysis | Image classification, product description generation, attribute extraction (e.g., brand, color, size, material), and price suggestion using machine learning models.
Cross-platform listing publication | Formatting, transmitting, and synchronizing product listings to and from third-party marketplaces (eBay, Shopify, Vinted, Discogs).
Search indexing | Indexing of listing and inventory data using Typesense to provide search functionality within the Services.
Email notifications | Sending transactional and operational email notifications via SendGrid (e.g., order confirmations, listing status updates).
Push notifications | Delivering push notifications to mobile devices via Firebase Cloud Messaging (FCM).
Analytics and crash reporting | Collection, aggregation, and analysis of usage telemetry and crash reports to maintain, monitor, and improve the Services.

A1.4 Retention

Personal Data shall be retained for the duration of the Controller's subscription to the Services, plus the deletion window specified in Section 9 of this DPA.


Annex 2: Technical and Organizational Measures

The Processor implements and maintains technical and organizational measures ("TOMs") in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk of Processing.

The current Technical and Organizational Measures are available at:

https://minimist.com/en/legal/toms

or upon written request to [email protected].

The Processor shall review and update its TOMs on a regular basis and shall notify the Controller of any material changes in accordance with Section 3.3 of this DPA.


Annex 3: Sub-processor List

The Processor currently engages the Sub-processors listed below. The Controller has provided general authorization for the engagement of these Sub-processors in accordance with Section 3.4 of this DPA.

The current list of Sub-processors is available at:

https://minimist.com/en/legal/sub-processors

or upon written request to [email protected].

The Processor shall keep the Sub-processor list up to date and shall notify the Controller of any intended changes in accordance with Section 3.4.2 of this DPA.