Effective date: July 6, 2026 Last updated: July 6, 2026
These Terms of Service and the attached Data Processing Addendum (together, the "Agreement") govern your use of the Professional Form Manager application (the "App") provided by Digital Project Design ("DPD", "we", "us", "our"). The App lets a merchant build storefront forms, collect submissions and file attachments, optionally render submissions into PDFs, and deliver them by email to chosen recipients.
Contents
Part A — Terms of Service
1. Acceptance
By installing, accessing, or using the App, you ("Merchant", "you") agree to this Agreement. If you are accepting on behalf of a company, you represent that you are authorized to bind that company. If you do not agree, do not install or use the App.
2. The service and license
Subject to this Agreement, we grant you a non-exclusive, non-transferable, revocable license to use the App on your Shopify store(s) for your internal business purposes for as long as the App is installed and your fees are current.
3. Your responsibilities
You are the controller of the data your forms collect, and you agree to:
- use the App in compliance with applicable laws and the Shopify Terms of Service and API/Partner terms;
- decide what personal data your forms collect and ensure you have a lawful basis to collect, store, email, and retain it; maintain your own privacy notice to Respondents; and obtain any consents you are legally required to obtain;
- configure your form fields, recipients, retention windows, and any minimum-retention floor appropriately, and be responsible for the accuracy of your configuration and for the actions of your staff and authorized users within the App;
- ensure the recipients you configure are entitled to receive the submissions you route to them;
- not use the App to collect data unlawfully, to send spam, or to upload malicious content, and not misuse the App, circumvent its access controls or billing, or reverse engineer it.
4. Fees and billing
The App is offered on the pricing described on its Shopify App Store listing, including any free tier or trial. All fees are billed through Shopify's billing system under your Shopify account; we do not separately collect payment card details. Fees are charged in advance on a recurring basis and are non-refundable except as required by law or as expressly stated on the listing. We may change pricing prospectively; changes apply on your next billing cycle and are subject to Shopify's approval/notification requirements. Plan limits (such as form count, submission volume, recipients, and retention length) apply as described on the listing.
5. Term and termination
This Agreement is effective while the App is installed. Either party may terminate at any time: you by uninstalling the App; we by discontinuing the App or for your breach of this Agreement. On termination, your license ends and we delete your data as described in the Data Processing Addendum and our Privacy Policy. Sections that by their nature should survive termination (e.g., disclaimers, limitation of liability, governing law) survive.
6. Intellectual property
The App, including all software, design, and content we provide, is owned by DPD and its licensors. This Agreement grants no rights other than the limited license in Section 2. Data you and your Respondents create in the App ("Merchant Data") remains yours.
7. Disclaimers
The App is provided "as is" and "as available" without warranties of any kind, express or implied, including merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the App will be uninterrupted, error-free, or that it will meet your requirements. The App depends on the Shopify platform and other third-party services (including Cloudflare and Resend) that are outside our control.
Signature fields. A signature field in the App records a typed name, an agreement checkbox, and a timestamp. It is a lightweight record of assent for your own business purposes — it is not a qualified or certified electronic-signature service, provides no identity verification or cryptographic signing, and carries no independent legal backing from DPD. You are solely responsible for determining whether it is sufficient for your purpose and for the legal validity and enforceability of anything a Respondent "signs" this way.
Generated PDFs. Where the App renders a submission into a PDF, that PDF is a presentation convenience — a formatted copy of the data the Respondent submitted. It is not an official, certified, or legally-authoritative document, and DPD makes no representation about its legal effect. You are responsible for how you use it.
8. Limitation of liability
To the maximum extent permitted by law, DPD will not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, or goodwill. Our total aggregate liability arising out of or relating to this Agreement will not exceed the greater of (a) the fees you paid for the App in the twelve (12) months preceding the event giving rise to the claim, or (b) USD 100.
9. Indemnification
You will indemnify and hold DPD harmless from claims arising out of your use of the App in violation of this Agreement or applicable law, including your collection and handling of Respondent data, the content of the forms you publish, and your delivery of submissions to recipients.
10. Changes to this Agreement
We may update this Agreement from time to time. We will revise the "Last updated" date and post the new version at the published URL. Your continued use of the App after changes take effect constitutes acceptance.
11. Governing law
This Agreement is governed by the laws of the State of California, United States, without regard to its conflict-of-laws rules. The parties submit to the courts located in Los Angeles County, California for any disputes, except that either party may seek injunctive relief in any court of competent jurisdiction.
12. Contact
Digital Project Design (DPD) — Digital Project Design LLC, 10441 Chaney Ave, Downey, CA 90241, USA — pfm@digitalprojectdesign.com — https://www.digitalprojectdesign.com
Part B — Data Processing Addendum (DPA)
This DPA forms part of the Agreement and applies where DPD processes personal data of your Respondents ("Respondent Personal Data") on your behalf in connection with the App. In the event of a conflict between this DPA and Part A regarding the processing of Respondent Personal Data, this DPA controls.
B.1 Roles
For Respondent Personal Data processed through the App, you (the Merchant) are the data controller and DPD is the data processor. You are responsible for the lawfulness of the data you collect and the instructions you provide, including the fields you define and the recipients you configure.
B.2 Scope and instructions
We will process Respondent Personal Data only:
- to provide, maintain, and secure the App as described in the Agreement and our Privacy Policy;
- in accordance with your documented instructions, which include your form configuration, your chosen recipients, your retention settings, and your use of the App's admin tools; and
- as required by applicable law (in which case we will inform you unless legally prohibited).
We will not use Respondent Personal Data for our own purposes, will not sell it, and will not use it for advertising or profiling.
B.3 Details of processing
- Subject matter: provision of the App's form-collection, PDF-rendering, and email-delivery functionality.
- Duration: for as long as the App is installed, subject to the retention windows and deletion windows in Section B.7.
- Nature and purpose: rendering storefront forms; receiving and storing submissions and file attachments; optionally generating PDFs; and delivering submissions by email to the recipients the Merchant configures.
- Types of Respondent Personal Data: as configured by the Merchant. The Merchant defines the form fields, so the data may include name, email address, postal address, phone number, company, free-text and selection responses, a typed-name signature with agreement and timestamp, and any files a Respondent uploads, together with submission metadata (timestamp, form version). The App does not access Shopify "Protected customer data"; Respondent data is collected first-party through the form.
- Categories of data subjects: the Respondents who submit the Merchant's forms (e.g. applicants, prospects, or customers), and the Merchant's staff users who operate the App.
B.4 Security
We implement appropriate technical and organizational measures to protect Respondent Personal Data, including encryption in transit (TLS) and at rest (Cloudflare D1 and R2), per-Merchant database isolation, two-gate file-upload validation over an executable denylist, signed and expiring file-download links, sensitive-field masking with an append-only audit log, and least-privilege access (no Shopify Admin scopes). These measures are described in Section 6 of our Privacy Policy and our Security Incident Response Policy.
B.5 Confidentiality
We ensure that personnel authorized to process Respondent Personal Data are bound by appropriate confidentiality obligations.
B.6 Sub-processors
You authorize us to engage the following sub-processors, who are bound by data-protection obligations consistent with this DPA:
| Sub-processor | Purpose |
|---|---|
| Shopify Inc. | The platform the App runs on; billing; shop/staff session data |
| Cloudflare, Inc. | Application hosting (Workers), database storage (D1), file storage (R2), and bot protection (Turnstile) |
| Resend | Transactional email delivery |
We will inform you of any intended changes to sub-processors and give you an opportunity to object on reasonable data-protection grounds. Note that the recipients you configure to receive submissions are not our sub-processors — they are third parties you direct the data to, and you are responsible for them.
B.7 Assistance, data-subject requests, and deletion
Taking into account the nature of the processing, we will assist you in meeting your obligations:
-
Data-subject access requests. On a Shopify
customers/data_request, the App compiles the submission data it holds matching the Respondent's email so you can respond. You can also review and export submission data at any time using the App's admin tools. -
Erasure requests. The primary route is a direct request to you, handled with the App's in-admin delete/erasure tools. The App also processes Shopify's
customers/redact, matching submissions by Respondent email and erasing them. A record under an active statutory minimum-retention floor you have set is restricted (hidden, use-blocked) with automatic deletion queued for floor expiry, rather than refused (GDPR Art. 17(3)(b)). The lawful basis for any floor is owned by you. -
Deletion on termination. When the App is uninstalled, Shopify issues a
shop/redactrequest (approximately 48 hours later), upon which we delete that store's entire dedicated database and its file attachments in R2. We do not retain Respondent Personal Data after this beyond what law requires. - Records and demonstrating compliance. We will make available to you the information reasonably necessary to demonstrate compliance with this DPA.
B.8 Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Respondent Personal Data, and provide information reasonably available to us to help you meet your notification obligations. Our process is described in our Security Incident Response Policy.
B.9 International transfers
Respondent Personal Data may be processed on Shopify's and Cloudflare's global infrastructure and delivered via Resend. We rely on our sub-processors' transfer safeguards for cross-border processing.
B.10 Liability
Each party's liability under this DPA is subject to the limitations of liability set out in Part A, Section 8.