GDPR & privacy
Avada Backups & Restore processes Shopify store data on your behalf, which makes you the data controller and Avada the data processor under GDPR and similar privacy laws. This page explains how to handle the obligations that flow from that relationship.
Data Processing Agreement
A Data Processing Agreement (DPA) is required if your store serves customers in the EU/UK. The standard Avada DPA is built into the Shopify install flow — by installing the app, you've already accepted it.
To download a signed copy for your records, click Download DPA on this page.
For a custom DPA (e.g. with your own redlines), contact [email protected].
Customer data deletion requests
When a Shopify customer asks to be forgotten, Shopify forwards the request to all installed apps via the customers/redact webhook. Avada Backups & Restore honors these automatically:
- The customer record is removed from any future backup taken after the request lands.
- Existing backups still contain the customer record (because removing selectively from a snapshot would corrupt it).
- After your retention window expires (default 30 days), all backups containing the record are deleted as part of normal retention rotation.
If you need faster deletion across all snapshots, click Force delete customer on this page and enter the customer email or ID. This rewrites every backup to omit the customer's data. Rewriting can take up to 24 hours depending on backup size.
Shop data redaction
When you uninstall Avada Backups & Restore, Shopify sends a shop/redact webhook 48 hours later. On receipt, Avada Backups & Restore:
- Stops all access to your data.
- Begins the 30-day deletion countdown.
- After 30 days, permanently deletes all backups, settings, audit logs, and metadata associated with your store.
You can request immediate deletion (skipping the 30-day grace period) by emailing [email protected] from the email on file.
Data residency
By default, backups are stored in:
- US merchants: us-central1 (Google Cloud Storage)
- EU merchants: europe-west1 (GCS, Belgium)
- APAC merchants: asia-southeast1 (GCS, Singapore)
Region is determined by the country in your Shopify store address. To force a specific region (e.g. for compliance), use Bring your own storage on the Enterprise plan.
Subprocessors
Avada Backups & Restore uses a small set of subprocessors. The current list is at avada.io/subprocessors and includes:
- Google Cloud Platform (compute, storage, networking)
- Firebase / Firestore (auth, metadata)
- Sentry (error monitoring; PII scrubbed)
- Loops / Resend (email notifications)
You can subscribe to subprocessor change notifications from the same page — we send 30 days' notice before adding any new subprocessor.
Data export
To export your account's data (account profile, store list, audit logs) under GDPR Article 15, click Export my data. You'll receive a download link by email within 24 hours.
To export raw backup files, use the Download button on any individual backup in the Backups list — backups are already exportable as encrypted archives at any time.
Audit log
Every action affecting privacy-sensitive data is logged: access requests, deletions, exports, DPA downloads, region changes, and login events. The log is retained for 2 years and can be downloaded as CSV.