Docs / Legal / Merchant Terms of Service and Data Processing Addendum

Merchant Terms of Service and Data Processing Addendum

Last updated: 9 July 2026

Part A. Terms of Service (summary)

  1. The service. Stravax Engage is a WhatsApp engagement platform operated by Stravax Group LLC, a limited liability company licensed by Sharjah Media City Free Zone Authority (Shams), Sharjah, United Arab Emirates (Licence No. 2537844.01), registered at Sharjah Media City (Shams), Al Messaned, Al Bataeh, Sharjah, UAE. The Shopify app sends WhatsApp abandoned-cart and order-recovery messages to your customers, on your instruction, and reports whether they led to a completed order.

  2. Your account. You are responsible for the accuracy of your account details, for keeping your login credentials secure, and for the actions of the users you invite.

  3. Your responsibilities as the merchant. You are the controller of your customers' data. You are responsible for having a lawful basis and the consent required to message your customers on WhatsApp, and for complying with WhatsApp's and Meta's messaging policies. The app respects the marketing-consent flag on each Shopify checkout, but obtaining valid consent remains yours.

  4. Fees. Cart recovery is billed through Shopify's managed pricing at the plan price shown in the app. WhatsApp message costs are metered and drawn from your prepaid wallet balance.

  5. Acceptable use. You will not use the service to send unlawful, deceptive, or unsolicited messages, or to message customers who have not consented.

  6. Availability and liability. The service is provided on a commercially reasonable-efforts basis. Nothing here excludes liability that cannot be excluded under UAE law.

  7. Termination. You may uninstall the app at any time. On uninstall we stop all recovery messaging, delete the stored access token, and delete the customer data we hold for your store as described in Part B, section 7.


Part B. Data Processing Addendum (DPA)

1. Roles

For the customer personal data processed through the Shopify integration:

Installing the app and enabling cart recovery is your instruction to process this data for the purpose in section 3.

2. Categories of data and data subjects

3. Purpose and scope of processing

We process the data solely to:

We do not use the data for our own purposes, do not sell it, and do not share it except with the sub-processors in section 5. We do not combine your customers' data with any other merchant's.

4. Confidentiality and security

We apply the following technical and organisational measures:

5. Sub-processors

You authorise the following sub-processors:

Sub-processor Role Receives customer name + phone?
Cloudflare Hosting, database, object storage, queues, security Yes (storage and processing infrastructure)
Meta / WhatsApp (WhatsApp Business Platform) Message delivery (name as a template parameter, phone as the recipient) Yes (delivery)
Stripe Merchant billing and wallet top-up No
Google Ads / Meta Ads Conversion-event receipt (only if you enable Ad Sync) No
Anthropic Optional AI conversation qualifier (WhatsApp message text only, if you enable it) No

The Anthropic AI qualifier is a separate opt-in feature. It processes WhatsApp conversation message content for merchants who turn it on; it does not receive the Shopify-sourced customer name or phone number. If you do not enable it, no data reaches Anthropic.

We will give you notice of any new sub-processor that would process the customer name or phone before it takes effect.

6. Personal data breach notification

If we become aware of a personal data breach affecting your customers' data, we will notify you without undue delay, and no later than 72 hours after becoming aware, with the information you reasonably need to meet your own notification obligations: the nature of the breach, the data and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take. Our incident-handling process is described in the Incident Response Policy.

7. Deletion and return of data

8. Audits and assistance

We will provide reasonable information to help you demonstrate compliance and to respond to data subject requests, taking into account the nature of the processing and the information available to us.

9. Governing terms

This DPA supplements and is governed by the Terms of Service in Part A. In case of conflict on data-protection matters, this DPA prevails.


Acceptance: By clicking to connect your store, or by enabling cart recovery, you accept these Terms of Service and this Data Processing Addendum on behalf of your business.

Stravax Group LLC, Sharjah, UAE · Data protection contact: privacy@stravax.ai