Last updated: March 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller", "Seller") and ShipLulu ("Data Processor", "we", "us") pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
"Personal Data" means any information relating to an identified or identifiable natural person processed by ShipLulu on behalf of the Seller in connection with the Service. This includes end-customer names, shipping addresses, phone numbers, email addresses, and order details.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, and destruction.
ShipLulu processes Personal Data solely for the purpose of providing fulfillment services: receiving orders, picking and packing items, generating shipping labels, transmitting shipment data to carriers, and syncing tracking information back to the Seller's e-commerce platform. We do not process Personal Data for any other purpose, including marketing, profiling, or selling data.
We process Personal Data only on documented instructions from the Seller, unless required by applicable law. The Seller's instructions are defined by the Service configuration (connected store, order processing rules).
All personnel with access to Personal Data are bound by confidentiality obligations. Access is limited to staff who require it for fulfillment operations.
We implement appropriate technical and organizational measures including: encryption of data in transit (TLS 1.2+) and at rest, access controls with role-based permissions, regular security assessments, secure deletion procedures, and physical security at warehouse facilities.
We use the following categories of sub-processors:
We will inform the Seller of any intended changes to sub-processors with 14 days' notice. The Seller may object; if the objection cannot be resolved, the Seller may terminate the Service.
We will assist the Seller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing relevant data or deleting data as instructed, within 10 business days.
In the event of a personal data breach, we will notify the Seller without undue delay and no later than 48 hours after becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to mitigate it.
We retain end-customer Personal Data for 90 days after order delivery for operational purposes (returns, claims, carrier disputes). After 90 days, Personal Data is anonymized (name and address replaced with hashed identifiers). Upon termination of the Service, we will delete or return all Personal Data within 30 days, unless retention is required by law.
Personal Data is processed in China (warehouse operations) and may transit through cloud infrastructure in other regions. For transfers from the EEA to China, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). A copy of the executed SCCs is available upon request.
The Seller has the right to audit our compliance with this DPA. Audits may be conducted by the Seller or an independent auditor, with 30 days' written notice, during business hours, and no more than once per year. We will provide reasonable cooperation and access to relevant documentation.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
This DPA remains in effect for the duration of the Service and until all Personal Data has been deleted or returned.
Data Protection contact: privacy@shiplulu.com