Questions? Call or text us (919) 739-2690
Get a demo
Talk to sales (919) 739-2690
Get a demo

Data Processing Addendum (DPA)

Last updated: 11/23/25

This Data Processing Addendum (“DPA”) forms part of the Gunly Terms of Service and applies where Gunly processes personal data on behalf of the Merchant.

1. DEFINITIONS

For purposes of this Data Processing Addendum (“DPA”):

“Gunly” means Platoon LLC dba Gunly.

“Merchant” means the entity that uses the Gunly Platform to operate an ecommerce store and is the data controller for End Customer Data.

“Platform” means Gunly’s managed ecommerce system, including hosting, software, integrations, data feeds, and related services.

“Personal Data” means any information relating to an identified or identifiable individual processed by Gunly on behalf of the Merchant.

“End Customer Data” means Personal Data relating to End Customers of the Merchant that is processed through the Platform.

“Processing” means any operation performed on Personal Data, including storage, transmission, hosting, or organization.

“Data Controller” or “Controller” means the party that determines the purpose and means of processing Personal Data.

“Data Processor” or “Processor” means the party that processes Personal Data on behalf of the Controller.

“Subprocessor” means any third party engaged by Gunly to assist with processing Personal Data.

2. ROLE OF THE PARTIES

2.1 Merchant as Controller The Merchant is the Controller of all End Customer Data and is solely responsible for determining:

  • what Personal Data is collected,
  • how it is used,
  • which laws apply to Merchant operations,
  • the lawful basis for processing under applicable state privacy laws.

2.2 Gunly as Processor Gunly acts as a Processor of End Customer Data only to the extent necessary to provide the Platform and related services as described in the Terms of Service.

2.3 Platform Data Certain Merchant account information collected by Gunly (such as billing information, FFL information, or contact details) is processed by Gunly as a Controller. This DPA applies only to End Customer Data processed on behalf of the Merchant.

3. SCOPE OF PROCESSING

Gunly processes Personal Data solely for the following purposes:

  • providing and maintaining the Platform,
  • hosting Merchant storefronts,
  • enabling ecommerce transactions,
  • providing setup and onboarding services,
  • facilitating integrations chosen by the Merchant,
  • sending system notifications and service communications,
  • providing customer support to the Merchant,
  • ensuring Platform security and preventing fraud.

Gunly does not:

  • determine the purposes or means of processing End Customer Data,
  • sell Personal Data,
  • use End Customer Data for advertising or marketing unrelated to Merchant services,
  • combine End Customer Data from multiple Merchants.

4. MERCHANT RESPONSIBILITIES

The Merchant, as Controller, is solely responsible for:

  • obtaining all necessary consents from End Customers,
  • providing legally compliant privacy notices,
  • complying with firearms, ecommerce, consumer, and privacy laws,
  • implementing age verification or compliance tools when legally required,
  • ensuring that data collected via the Platform is lawful and appropriate.

Gunly is not responsible for the Merchant’s compliance with federal, state, or local privacy, firearms, or ecommerce regulations.

5. GUNLY OBLIGATIONS AS PROCESSOR

Gunly agrees to:

5.1 Process Data Only on Documented Instructions

Gunly will process Personal Data only:

  • as necessary to provide the Platform,
  • as instructed by the Merchant,
  • as required by law.

Gunly will notify the Merchant if an instruction appears unlawful.

5.2 Confidentiality Obligations

Gunly ensures that employees, contractors, and subprocessors who access Personal Data:

  • are subject to confidentiality obligations,
  • receive training related to data protection and security.

5.3 Security Measures

Gunly uses commercially reasonable measures to protect Personal Data, including:

  • secure hosting environments,
  • encrypted transmission of data,
  • access controls and authentication systems,
  • network and intrusion monitoring,
  • firewalls and malware protections.

Gunly does not guarantee absolute security.

5.4 Data Breach Notification

In the event of a confirmed security incident affecting Personal Data, Gunly will notify the Merchant without unreasonable delay after confirming the incident.

Gunly’s notification does not constitute legal advice and does not determine whether the Merchant must notify End Customers.

5.5 Cooperation

Gunly will provide reasonable assistance to help the Merchant respond to:

  • data breach investigations,
  • lawful requests from regulators,
  • Merchant obligations under applicable state privacy laws.

6. SUBPROCESSORS

6.1 Authorized Subprocessors Merchant provides general authorization for Gunly to use the following subprocessors:

  • DigitalOcean (hosting and infrastructure)
  • SendGrid (email delivery)
  • Twilio (SMS delivery)
  • HubSpot (CRM and ticketing)
  • FFL Cockpit (data feed provider)
  • Cloudflare (DNS, CDN, reverse proxy, SSL termination, WAF, bot management, and security filtering)
  • Payment processors selected by the Merchant
  • Other third-party integrations enabled by the Merchant

6.2 Subprocessor Obligations Gunly ensures that subprocessors:

  • are subject to written agreements,
  • provide appropriate data protection safeguards,
  • process Personal Data only for service delivery.

6.3 Changes to Subprocessors Gunly may update its list of subprocessors at any time. Continued use of the Platform after the update constitutes authorization.

7. DATA SUBJECT RIGHTS

Gunly will reasonably assist the Merchant in responding to data subject requests under applicable state privacy laws.

Gunly does not respond directly to End Customer requests unless required by law.

Merchants are responsible for verifying identity, responding to data requests, and honoring deletion or access obligations.

8. INTERNATIONAL DATA TRANSFERS

Gunly may process Personal Data on servers located in the United States or other countries. By using the Platform, Merchant authorizes such transfers.

Gunly does not guarantee that all processing occurs within any specific jurisdiction.

9. DATA RETURN OR DELETION

Upon termination of the Merchant’s account:

  • Merchant may export Client Assets for 30 days,
  • Gunly will delete hosted Personal Data after the retention period,
  • Backups will be overwritten during normal cycles.

Gunly may retain limited Personal Data as required for:

  • fraud prevention,
  • legal compliance,
  • financial or tax obligations.

10. COMPLIANCE WITH STATE PRIVACY LAWS

This DPA is designed to satisfy applicable requirements under:

  • California Consumer Privacy Act (CCPA/CPRA),
  • Colorado Privacy Act (CPA),
  • Virginia Consumer Data Protection Act (VCDPA),
  • Other U.S. state privacy frameworks.

Gunly is not subject to GDPR unless explicitly agreed in writing.

11. LIABILITY LIMITATIONS

Liability for data processing under this DPA is subject to the limitations of liability in the Gunly Terms of Service.

Gunly is not responsible for:

  • Merchant compliance failures,
  • Merchant instructions that violate law,
  • Third-party integrations chosen by the Merchant,
  • Merchant misuse of End Customer Data.

12. TERM AND TERMINATION

This DPA remains in effect while Gunly processes Personal Data for the Merchant.

Termination of the Gunly Services automatically terminates this DPA.

13. CONTACT INFORMATION

For data protection questions or requests:

Platoon LLC dba Gunly
5448 Apex Peakway, Suite 133
Apex, NC 27502
Email: support@gunly.com