Gallery Midnight - Data Processing Addendum (DPA)
Last updated: 11th February 2026
This Data Processing Addendum (“DPA”) forms part of the Privacy Policy for Gallery Midnight (“we”, “us”, “our”) and applies to the processing of personal data relating to individuals located in the United Kingdom or the European Economic Area (EEA).
This DPA explains how we comply with the UK General Data Protection Regulation (UK GDPR) and the EU GDPR when processing personal data through our third‑party service providers, including Shopify and Mailchimp.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable individual.
- “Processing” means any operation performed on personal data, such as collection, storage, use, or deletion.
- “Data Controller” means Gallery Midnight, which determines the purposes and means of processing personal data.
- “Data Processor” means a third party that processes personal data on our behalf.
- “Sub‑processor” means any processor engaged by a Data Processor.
2. Roles and Responsibilities
Gallery Midnight as Data Controller
We determine:
- What personal data is collected
- Why it is collected
- How it is used
- Which third parties process it
Third‑Party Providers as Data Processors
We use trusted providers to support our business operations, including:
- Shopify (e‑commerce platform, order processing, analytics)
- Mailchimp (email marketing and subscriber management)
- Payment processors (Shopify Payments, PayPal, etc.)
- Shipping carriers (Royal Mail, couriers)
Each provider processes personal data strictly according to our instructions and their own GDPR‑compliant terms.
3. Types of Data Processed
Depending on your interaction with our website, the following data may be processed:
- Name
- Email address
- Postal address
- Payment and transaction details
- Order history
- IP address and device information
- Email engagement data (opens, clicks)
- Website usage analytics
We do not store or process full payment card details.
4. Purpose of Processing
Our processors handle personal data only for the following purposes:
- Fulfilling orders and delivering products
- Managing customer accounts
- Sending marketing communications (with consent)
- Providing customer support
- Improving website performance and security
- Complying with legal obligations
Processors are prohibited from using personal data for their own purposes.
5. Shopify as Data Processor
Our online store is hosted on Shopify. Shopify processes personal data to:
- Host and operate our website
- Manage checkout and payments
- Provide analytics and fraud prevention
- Store order and customer information
Shopify’s GDPR compliance and data protection terms are available in their Data Processing Addendum.
Shopify may store data in Canada, the United States, or other regions depending on infrastructure, using appropriate safeguards such as Standard Contractual Clauses (SCCs).
6. Mailchimp as Data Processor
If you subscribe to our newsletter, your data is processed by Mailchimp. Mailchimp:
- Stores subscriber information
- Sends marketing emails
- Tracks email engagement (opens, clicks)
- Provides analytics to improve our communications
Mailchimp is GDPR‑compliant and uses Standard Contractual Clauses for international data transfers.
You may unsubscribe at any time.
7. Sub‑processors
Our processors may engage sub‑processors to support their services (e.g., cloud hosting providers). They must:
- Maintain technical and organisational security measures equivalent to those required of the Data Processor under GDPR
- Process data only for the agreed purposes
- Be bound by written contracts
We review our processors’ sub‑processor lists regularly.
8. International Data Transfers
Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- UK Addendum to SCCs
- Adequacy decisions where applicable
These measures are intended to ensure that your data receives an equivalent level of protection regardless of where it is processed.
9. Data Security
We and our processors implement appropriate technical and organisational measures, including:
- Encryption
- Secure servers
- Access controls
- Regular security assessments
- Data minimisation practices
We only retain personal data for as long as necessary for the purposes described in our Privacy Policy.
10. Data Subject Rights
Under the UK GDPR and EU GDPR, you have the right to:
- Access your personal data
- Request correction or deletion
- Object to processing
- Withdraw consent
- Request data portability
To exercise your rights, contact us at: [Insert contact email]
We will work with our processors to fulfil your request.
11. Data Breach Notification
If a personal data breach occurs, we will:
- Notify the relevant supervisory authority (in the UK, the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms
- Notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms
- Provide relevant information about the nature of the breach, its likely consequences, and the measures taken to address it
- Cooperate with regulators as required
Our processors are contractually required to notify us without undue delay after becoming aware of any personal data breach affecting our data.
12. Updates to This DPA
We may update this DPA from time to time to reflect changes in law or our processing practices. The latest version will always be available on our website.