PrestaShop SA (here in after referred to as “PrestaShop”), a public limited company with capital of €339,227.10, entered in the Paris company & trade register under no. 497 916 635 and having its registered office at 12 rue d’Amsterdam, 75009 Paris, France, is the designer and publisher of an open source software solution of the same name (hereinafter the “Solution”), distributed under an open source licence enabling anyone acting as a professional to quickly and simply create e-commerce websites.
However, in the event of inconsistencies or contradictions between the French version and translations of this document, the French version will prevail.
- Back Office: the interface through which Users can administer and configure their Merchant Websites;
- Connector: software developed by PrestaShop in conjunction with its partners which permits to access to Third Party Services;
- Customer: any person making a purchase on a User’s Merchant Website;
- Major Update: an update which may add new functionalities, improve interfaces or optimize performance by partially or fully rewriting a Connector’s or a module’s code;
- Merchant Website: an e-commerce website based on the Solution and operated by a User for the purposes of the User’s online sales activities;
- Minor Update: an update whose purpose is to correct technical faults and/or generic security flaws or to make the Connector or the module compatible with future minor versions of the Solution. Minor Updates offered by PrestaShop may include added features.
- Partner: PayPal, the business partner that developed the PrestaShop Checkout Service in partnership with PrestaShop;
- Party(-ies): PrestaShop and/or the User, referred to individually or collectively;
- Prestashop Checkout Connector: the Connector which is available for download from the Back Office and/or the Addons Marketplace and which allows Users to access to PrestaShop Checkout Service and Paypal Third Party Services.
- PrestaShop Checkout Service: refers to the service to which the User has access after downloading the PrestaShop Checkout Connector allowing access to the Third Party Service;
- PrestaShop Checkout Support: the specific support service enjoyed by Users who have downloaded the PrestaShop Checkout Connector;
- Third Party Service: the payment service offered by Paypal Partner, accessible via PrestaShop Checkout Connector developed by PrestaShop in partnership with Paypal, and which allows the User to manage a broad range of payment options from his Merchant Site and for his Customers;
- User: any natural person or legal entity acting on a professional basis, from the time they register for the PrestaShop Checkout Service.
2. ACCEPTANCE OF THE GTU
A User who does not tick that box will not be able to access or use the PrestaShop Checkout Service.
3. ACCESS TO PRESTASHOP CHECKOUT SERVICE, INCLUDING A THIRD PARTY SERVICE
3.1 Creation of a PrestaShop Checkout account
Before using the PrestaShop Checkout Service, a PrestaShop Checkout account must first be created.
The fields marked as required must be completed. Incomplete registration will prevent the creation of an account and therefore access to the PrestaShop Checkout Service.
A User’s complete registration will automatically open an account in their name, enabling to access to the Third Party Services, on condition of having created a PayPal account.
The information entered by the User will be considered binding upon submission.
The User warrants that all the information provided during registration is accurate, true and up to date. The User undertakes to modify that information as necessary to ensure it continues to meet the aforementioned criteria.
The User may begin to use the PrestaShop Checkout Service upon acceptance of the GTU, on condition of having an existing PayPal account, and may continue to use them so long as that use is in compliance herewith.
3.2 Creation of a PayPal account
The User is hereby informed that use of the PrestaShop Checkout Service requires an existing PayPal account. Consequently, if the User does not have one at the time of installation of the Connector, one will need to be created.
That account with the Partner is only binding upon the User in respect of the Partner. To create a PayPal account, the User will be redirected to a website managed by servers not belonging to PrestaShop, by people or organizations over which PrestaShop has no control.
3.3 Access codes
The User will protect the secrecy of their username and password used to access the PrestaShop Checkout Service.
4. PRESTASHOP CHECKOUT CONNECTOR UPDATES AND SUPPORT
The User will receive free updates to the PrestaShop Checkout Connector (hereinafter the “Updates”), including Major and Minor Updates and maintenance. The Updates are not custom developments, personalized and tailor-made by request for the User’s Merchant Website.
Only Minor Updates to the PrestaShop Checkout Connector which are available on or after the date of acquisition of the Connector, will be provided to the User by PrestaShop for free and with no time limitations.
This excludes Updates created for the purpose of ensuring the Connector’s compatibility with a new version of the Solution after a major update to the latter.
A Support service is provided for free, beginning with installation of the PrestaShop Checkout Connector.
It will assist the User with any questions about installation of the PrestaShop Checkout Connector and its Updates. The Support service is also available in the event of any malfunctions in the Connector. Outside of these scenarios, no free Support services are offered.
It is understood that the Support provided is only technical in nature and does not cover the Third Party Services which are accessible via the Connector or for which it plays an intermediary role with the Partner.
The following in particular are excluded from this Support service: certain services offered, such as training and, more generally, any work performed on the User’s Merchant Website.
If the User does make use of this Support, they will be bound to PrestaShop under the data outsourcing Agreement appended hereto.
5. FINANCIAL TERMS
The PrestaShop Checkout Connector is available to download for free.
Use of the PrestaShop Checkout Service will generate costs for the User, as shown on the PrestaShop Checkout Service pricing page. All listed prices are to be understood as exclusive of VAT.
6. USER OBLIGATIONS AND RESPONSIBILITIES
6.1 User obligations
Without prejudice to the other obligations set out herein, the User agrees to use the PrestaShop Checkout Service in a way that does not constitute disorderly conduct or offensive material. In that respect, the User will use the Services in accordance with current legislation and regulation and will refrain from any other use.
6.2 User responsibilities
The User may download and configure the PrestaShop Checkout Connector and use the PrestaShop Checkout Service at their own risk.
The User is bound to comply with all current legal and regulatory provisions. To that end, the User must in particular ensure that they do not commit any (i) violation of any third party intellectual property rights, (ii) injury to a person or violation of their right to privacy, or (iii) disorderly conduct or offensive action, within the context of using the PrestaShop Checkout Service. Failing that, access to the Merchant Website may be temporarily suspended or terminated, as soon as PrestaShop is informed of this breach, in accordance with the provisions set out in Article 9 below.
7. PRESTASHOP RESPONSIBILITIES
In principle, the PrestaShop Checkout Service are available 24/7, unless there is a scheduled or unscheduled interruption for maintenance of the Connector or due to a force majeure event.
However, given the object of the PrestaShop Checkout Connector, PrestaShop cannot guarantee that they will be provided in an uninterrupted manner with no errors, anomalies, viruses, bugs or security breaches. PrestaShop accepts no performance obligations in terms of service levels, whether in terms of response time or resolve time. In this regard, PrestaShop accepts only a best efforts obligation.
The User is hereby informed that PrestaShop shall not be held liable for any direct or indirect damage caused to the User which is the exclusive result of the Third Party Service offered by the Partner.
In any case, PrestaShop cannot be held liable for indirect damage including, but not limited to: loss in revenue or turnover, loss or theft of data, drop in traffic, loss of customers, damage to image or reputation, etc.
9.1 Suspension or termination of the PrestaShop Checkout Service by the User
A User that no longer wishes to use the PrestaShop Checkout Service may request that their account be deleted by writing to the teams at PrestaShop (firstname.lastname@example.org).
The User’s deletion of their PrestaShop Checkout account will not terminate any other PrestaShop services or Third Party Service to which the User may have subscribed with the Partner.
9.2 Termination for convenience
PrestaShop reserves the right to suspend or terminate the PrestaShop Checkout Service at any time, with no explanation or compensation.
If the termination is PrestaShop’s decision, the User will be notified by email. That termination will take effect thirty (30) calendar days from the date of notification.
9.3 Suspension and/or termination due to a breach by the User
PrestaShop may suspend or terminate the PrestaShop Checkout Service, namely in the following situations:
- the User’s non-acceptance of new GTU and/or new pricing conditions;
- use of the Service that is unlawful or unfair or that violates current laws and regulations;
- behaviour likely to harm PrestaShop’s image;
- simple suspicion of payment fraud;
10. INTELLECTUAL PROPERTY
PrestaShop has a user licence for the PrestaShop Checkout Connector, granted to it by PayPal, its Partner. Any full or partial depiction and/or reproduction and/or exploitation of the Connector, by any means whatsoever, is strictly prohibited and could constitute an infringement as defined by Articles L335-2 et seq. of the French Intellectual Property Code.
11. PERSONAL DATA
Detailed information about PrestaShop’s collection and processing of personal data is provided in the Appendix hereto and in our Personal Data Protection Policy.
As concerns the use of the Third Party Services offered by the Partner, the User is informed that the data input when creating a PayPal account are stored on that Partner’s servers.
As such, PrestaShop cannot under any circumstances be held liable for how the User’s data are stored or used on those servers.
PrestaShop recommends that the User should review PayPal’s applicable personal data protection policy in order to understand the User’s rights and obligations and how the data will be utilized.
12. FORCE MAJEURE
Any event constituting a force majeure event as defined by case law will suspend the Parties’ rights and obligations.
13. APPLICABLE LAW AND JURISDICTION
14. PARTIAL INVALIDITY
If some or all of the GTU should be voided for any reason whatsoever, the other provisions will retain their full effect, unless the voided clause involves an obligation that is key to the agreement.
15. INDEPENDENCE OF THE PARTIES
The Parties will remain independent of one another. No stipulation contained in the present GTU was written with the purpose or the end result of forming a contract establishing a partnership, mandate, representation or hierarchical relationship between the Parties.
16. EFFECTIVE DATE
APPENDIX: AGREEMENT RELATING TO PERSONAL DATA PROCESSING
As part of PrestaShop Checkout Support, the User may need to communicate personal data to PrestaShop. As defined by Article 4, points 7 and 8 of the GDPR, the User is the Controller (hereafter the “Controller”), and PrestaShop is the Processor of the personal data (hereafter the “Processor”).
Within the context of this Agreement, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 ("the GDPR").
Article 1. Object
The purpose of this Agreement is to define the terms and conditions under which the Processor undertakes to perform the Personal Data Processing operations described below in the name and on behalf of the Controller, and ensure their protection and treatment in accordance with applicable regulations.
Article 2. Definitions
For the purposes of this Agreement, wherever the following terms begin with an uppercase letter, they will be understood as having the meanings defined below.
- Breach: a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Controller: as defined by Article 4(7) of the GDPR. For the purposes hereof, the User is the Controller.
- User: any person who has entered into a contract with the User via the Merchant Website.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- Personal Data: any and all information relating to identified or identifiable natural persons,
An “identifiable natural person” is any individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data are those entrusted by the User to PrestaShop for the purpose of their Processing on behalf of the former under this Agreement. These data are listed in Article 3 below.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor: the natural person, legal entity, public authority, service or other organization processing the Personal Data on behalf of the User. For the purposes hereof, PrestaShop is the Processor.
In the event of any conflict or ambiguity between the provisions of this Agreement and the T&Cs of the PrestaShop Checkout Services, the provisions of this Agreement shall prevail.
Article 3. Description of Processing
3.1 Services rendered
The Processor is authorized to process the Personal Data, in the name and on behalf of the Controller, needed to provide Support services to User.
The Processor is not allowed to process Personal Data for purposes others than these describe under this Agreement and/or without the Controller express authorisation.
3.2 Nature of the operations carried out and Data processed
The Controller determine, under his responsibility, the purposes of the data processing operations entrusted to the Processor and/or its subcontractor, which are as follows: the Support services.
Support entails Processor teams and/or its subcontractor access to the User Website when he requires PrestaShop Checkout Support services. Access to the Merchant Website Back-Office necessarily provides access to the User Personal Data which are the following: Surname, Name, e-mail address, phone, name of the e-shop, URL.
Likewise, the Processor may have access to User’s Customer Personal data. Processor may have access to the following Personal Data: Customer identification data (full name, postal address, email address and telephone number), as well as to personal data about any purchases made on the User’s website.
For the purpose of performance of the services covered by this Agreement, the Controller will provide the Processor with the information required as per the latter’s Personal Data Protection Policy.
This Agreement will take effect upon the User’s subscription of the Support services and will come to an end upon termination of the said Support.
Article 4. Processor’s obligations and liability
4.1. Processor’s obligations
The Processor undertakes to:
- process the Personal Data solely for the purpose(s) of the subcontracting, as defined in Article 3 ;
- process the Personal Data in accordance with the Controller’s documented instructions. If the Processor considers that an instruction violates the GDPR or any other provision of EU law or the laws of the EU Member States as concerns data protection, it will immediately notify the Controller. Further, if it is required to transfer data to a country outside the European Union, it must inform the Controller of that legal obligation prior to Processing, unless the law in question prohibits such notification on important grounds of public interest.
The Controller is hereby informed of the possibility of transmitting written instructions, so long as they are consistent with the Support services;
- represents that it will keep a written register of all categories of processing activities performed on behalf of the Controller. The Processor will provide the necessary documentation to the Controller to demonstrate compliance with all its obligations and to enable the Controller to conduct audits.
- guarantee the confidentiality of the Personal Data processed by virtue of this Agreement. If the Processor should be legally compelled to transmit the Personal Data to an authority, it will first notify the Controller of this, unless the law should prohibit such notification on grounds of public interest;
- ensure that the people authorized to process the Personal Data by virtue of this Agreement:
- undertake to respect the confidentiality of the Personal Data,
- receive the necessary personal data protection training;
- only process the Personal Data for the aforementioned Processing purposes;
- incorporate the principles of data protection by design and data protection by default into its tools, products, applications and services.
4.2. Liability of the Processor
The Processor is responsible for its personnel, employees and subcontractors, and for their compliance with its obligations under this Agreement. To this end, the Processor’s personnel may not access, use or modify Personal Data, except where strictly necessary for the purpose of providing Support services.
The Processor implements organisational and technical measures to ensure that its personnel comply with its obligations, in particular in terms of monitoring who is authorised to access Personal Data, securing access and traceability.
Article 5. Controller’s obligations
The Controller undertakes to:
- collect under its responsibility, in a lawful, fair and transparent manner, the Personal Data provided to the Processor for the performance of its services, and in particular, ensure the legal basis for such collection and the information given to the persons concerned.
- provide the Processor with the Personal Data necessary for the Processing, excluding irrelevant, disproportionate or unnecessary Personal Data and excluding any "specific" Data within the meaning of the GDPR, unless the processing and purposes justify it, it is the responsibility of the Controller to establish these justifications and to take all measures, in particular prior information, collection of consent and security, appropriate for such specific data.
- document all of its instructions in writing concerning Personal Data Processing by the Processor, if specific instructions should be necessary.
- ensure the Processor’s compliance with the obligations laid down in the GDPR, before and throughout the Processing period, supervise the Processing, including the performance of audits and inspections of the Processor’s services.
- report any Personal Data Breach which entails a legal obligation to notify the competent supervisory authority.
Article 6. Collaboration
As far as possible, the Processor will help the Controller to fulfil its obligation of handling requests from its Customers to exercise their rights – of access to, rectification or erasure of their Personal Data, to object to or restrict the Processing thereof, to data portability and to not be the subject of an automated decision (including profiling).
The services are set up so that the Controller can respond to its Customers’ requests.
The Processor undertakes to help the Controller, to the extent possible, so that the latter may fulfil its obligations in respect of the aforementioned Processing, as concerns the conduct of any impact assessments, for the purpose of notification of a data Breach and for the exercise of Customer rights.
Article 7. Subsequent Processing
The Processor may call on another data processor (hereinafter the “subsequent processor”) to carry out specific Processing tasks.
The Controller is hereby informed that the Processor already uses the processors listed below for its Support services.
For the management and provision of Support to Users, PrestaShop uses software from Freshdesk Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403. That company is an active participant in the Privacy Shield, which guarantee that the level of personal data protection that it offers has been deemed sufficient and adequate.
As part of the PrestaShop Checkout solution, PrestaShop uses the company « Active Contact – 2, rue de Guinée, 1002 Tunis – Tunisie » to provide first-line support for Users. A subcontracting agreement and standard contractual clauses have been signed with them.
PrestaShop also uses “Jira”, software published by Atlassian, 341 George Street, Sydney, NSW 2000, Australia, to provide the ticketing system used to transmit User requests to the Support teams. That software is hosted internally on PrestaShop’s Google server.
In the event of subsequent Processing, the Processor will inform the Controller of any changes involving the addition or replacement of other processors, at least one month prior to the change, so as to give the Controller the chance to share any objections to the said changes.
Whenever the Processor recruits a new processor, PrestaShop undertakes to ensure that the same Personal Data Processing obligations are imposed upon that subsequent processor as those defined herein, such that this sub-processor will also satisfy the requirements of the GDPR.
Article 8. Notification of Personal Data Breaches
The Processor will notify the Controller by email of any Personal Data Breach within seventy-two (72) hours of having become aware of it. This notification will be accompanied by all useful information to enable the Controller to notify the competent data protection authority of the Breach, if necessary.
The Processor will provide the following information, where such is available:
- the nature of the incident;
- the date and time of detection of the incident;
- the affected Personal Data;
- any measures taken directly to limit any additional damage;
- the date and time when the incident came to an end;
- any structural prevention measures going forward.
Article 9. Security measures
The Processor undertakes to implement technical and organizational measures intended to protect the security and confidentiality of the Personal Data against any unauthorized access, alteration, use, modification or disclosure during the performance of the Support services.
To that end, the Processor’s Support staff are subject to an obligation of confidentiality.
Given the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing, the Parties undertake to implement all appropriate technical and organizational measures to provide a level of security which is commensurate with the risk.
The Controler is responsible for the Website’s security at all times.
Article 10. Fate of Personal Data
At the end of the Support services relating to Personal Data Processing, the Processor undertakes to return all Personal Data to the Controller or to the subcontractor designed by the latter.
That return will include all existing copies in the Processor’s information system and written proof of their destruction, unless the applicable legislation prohibits the destruction of the Personal Data for a certain period of time. In that instance, the Processor undertakes to protect the confidentiality of the Personal Data and to archive them, namely to retain them as proof.
Article 11. Responsibilities
The Parties acknowledge that they share responsibilities to the Customers, pursuant to Article 82 of the GDPR.
The Controller acknowledges that the Processor shall only be held liable for any damage caused by the Processing if the latter has failed to satisfy the obligations specific to processors