huskai

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Huskai ("Processor", "we", "us") and the Merchant ("Controller", "you") who uses the Haul e-commerce platform. This DPA is entered into in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

  • "Controller" — the Merchant who determines the purposes and means of processing personal data (i.e. you, the Haul store owner).
  • "Processor" — Huskai, which processes personal data on behalf of the Controller through the Haul platform.
  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined in UK GDPR.
  • "Processing" — any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • "Data Subject" — the individual whose personal data is being processed (i.e. your customers).
  • "Sub-processor" — a third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope and Roles

When you use Haul to run your online store, your customers provide personal data (such as names, email addresses, shipping addresses, and order details) to you. You are the data controller for this data — you decide what data to collect, why, and how it is used.

Huskai is the data processor. We process your customers' personal data solely to provide the Haul platform services to you. We do not use your customers' data for our own purposes.

3. Data We Process

3.1 Categories of Data Subjects

  • Customers of Haul-powered stores
  • Newsletter subscribers managed through Haul
  • Individuals who submit contact forms on Haul-powered stores

3.2 Types of Personal Data

  • Names and email addresses
  • Shipping and billing addresses
  • Order details and purchase history
  • Session and basket data
  • Contact form messages
  • Newsletter subscription status
  • IP addresses and browser information (collected automatically)

We do not process special category data (e.g. health data, biometric data, religious beliefs) as part of the Haul platform.

3.3 Purpose of Processing

Personal data is processed solely for the purpose of providing and operating the Haul e-commerce platform, including:

  • Displaying and managing your online store
  • Processing and fulfilling customer orders
  • Sending transactional emails (order confirmations, shipping updates, etc.)
  • Managing customer accounts and sessions
  • Processing payments via Stripe
  • Providing customer support tools

3.4 Duration of Processing

We process personal data for as long as your Haul account is active. Upon account closure, customer data is deleted within 30 days, except where longer retention is required by law (e.g. order records retained for tax purposes for up to 6 years).

3.5 Geographic Scope

Haul-powered stores may serve customers in the UK, USA, Canada, Australia, and New Zealand. Personal data from customers in all these regions is processed through the Haul platform.

4. Processor Obligations

As the data processor, Huskai shall:

4.1 Lawful Processing

  • Process personal data only on your documented instructions, unless required to do so by law. If we are legally compelled to process data, we will inform you before doing so (unless prohibited by law).
  • Not process personal data for any purpose other than providing the Haul platform services.

4.2 Confidentiality

  • Ensure that all persons authorised to process personal data are bound by confidentiality obligations.
  • Limit access to personal data to those who need it to perform their duties.

4.3 Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest.
  • Tenant isolation: Each Haul store has its own isolated database. One merchant cannot access another merchant's data.
  • Access controls: Role-based access controls and the principle of least privilege.
  • Secure authentication: Passwords are stored using one-way cryptographic hashing. Admin sessions use signed JWT tokens.
  • Infrastructure security: Hosted on Cloudflare's global network with DDoS protection, WAF, and automatic security updates.
  • Session management: Customer basket and session data is stored with automatic 7-day expiry.

4.4 Data Subject Rights

  • We will assist you in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) to the extent technically feasible.
  • If we receive a data subject request directly, we will redirect the individual to you (the Controller) unless instructed otherwise.
  • Haul provides data export functionality to help you fulfil portability and access requests.

4.5 Data Breach Notification

  • We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
  • The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  • We will cooperate with you in investigating and remediating any breach, and in meeting your obligations to notify the ICO and affected data subjects where required.

4.6 Data Protection Impact Assessments

We will provide reasonable assistance to you in carrying out data protection impact assessments (DPIAs) and prior consultations with the ICO, where required by UK GDPR.

5. Sub-processors

5.1 Authorised Sub-processors

You authorise us to engage the following sub-processors to assist in providing the Haul platform:

Sub-processor Purpose Location
Cloudflare, Inc. Hosting, CDN, edge computing (Pages, Workers, KV, R2), DDoS protection, DNS Global network (headquartered in USA)
Stripe, Inc. Payment processing for merchant subscriptions and customer transactions USA (with EU/UK data processing)
Resend, Inc. Transactional email delivery (order confirmations, shipping updates, password resets) USA
Turso (ChiselStrike, Inc.) Database hosting (libSQL, one database per tenant) Global (primary region configurable)

5.2 Changes to Sub-processors

  • We will notify you at least 30 days before adding or replacing a sub-processor.
  • If you have a reasonable objection to a new sub-processor, you may notify us in writing within 14 days. We will work in good faith to address your concerns, which may include offering an alternative or allowing you to terminate your subscription without penalty.

5.3 Sub-processor Obligations

We ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. We remain liable to you for any sub-processor's failure to fulfil its data protection obligations.

6. International Data Transfers

Some of our sub-processors are based outside the UK. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — as approved by the European Commission and adopted for UK use.
  • UK International Data Transfer Agreement (IDTA) — where applicable.
  • UK Addendum to the EU SCCs — where required.

Cloudflare, Stripe, and Resend all maintain approved data transfer mechanisms. You can request copies of the relevant transfer documentation by contacting us.

7. Controller Obligations

As the data controller, you are responsible for:

  • Having a lawful basis for processing your customers' personal data.
  • Providing your customers with a clear and accurate privacy policy.
  • Ensuring that any data you upload to Haul has been collected lawfully.
  • Responding to data subject requests from your customers.
  • Reporting personal data breaches to the ICO where required.
  • Complying with all applicable data protection laws in the jurisdictions where you sell.

8. Audit Rights

  • You have the right to verify our compliance with this DPA.
  • We will make available to you all information reasonably necessary to demonstrate compliance with Article 28 of UK GDPR.
  • We will allow and contribute to audits and inspections conducted by you or an independent auditor you appoint, subject to reasonable notice (at least 30 days), confidentiality obligations, and scheduling constraints.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.

9. Data Deletion and Return

Upon termination of your Haul subscription:

  • We will provide you with the ability to export your data (products, orders, customer information) before account closure.
  • After the 30-day retention period following account closure, we will delete all personal data processed on your behalf, unless retention is required by law.
  • We will confirm deletion in writing upon your request.
  • Data stored in backups will be deleted as the backup rotation cycle completes (typically within 90 days).

10. Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. This does not limit either party's liability for breaches of data protection law to the extent that such liability cannot be limited.

11. Term and Termination

This DPA takes effect when you create a Haul account and remains in effect for as long as we process personal data on your behalf. The DPA survives termination of your subscription to the extent that we continue to hold personal data (for example, during the 30-day post-closure retention period or where legal retention applies).

12. Governing Law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

For any questions about this DPA or to exercise your rights, contact us at: