General Data Protection Regulation (GDPR) - BIK
The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR imposes new obligations and responsibilities on controllers and processors of data. As a merchant, you are generally the controller of your customers’ data. This means that you collect your customers’ data and choose how it is handled. Additionally, though it is a European regulation, the GDPR might apply to your business if you make goods and services available in Europe, even if you or your business are not located in Europe.

As a processor for your customers’ data, Company follows your instructions on how to handle that data. For information about the Company's obligations as a data processor for your customer data, see the Data Processing Addendum.

Company believes strongly in protecting your customers’ personal data as well as your own, and understands that doing so is critical to help you preserve the trust and confidence of your customers. Company has designed its platform to allow merchants to operate anywhere in the world. GDPR-compliant features are built into Company's platform, including features to enable you to offer your customers transparency into and control over their personal data, and technical measures to ensure that your customers’ personal data is protected as it crosses borders.

Company believes in making it easy for you to use our platform in a manner that complies with privacy and data protection laws like the GDPR. While Company does what it can to set you up for success, there are also steps you will need to take on your own, and ultimately, compliance with the GDPR is the responsibility of each individual merchant. If you have legal questions specific to your obligations under the GDPR, consult with a local lawyer who is familiar with data protection laws.
1. GDPR Overview
The GDPR (General Data Protection Regulation) is the European Union’s data privacy law. The GDPR requires companies to take steps to provide individuals with more visibility into and better control over how their personal data is used. It also requires that companies handle that data securely and responsibly.
Does the GDPR require European personal data to be stored in Europe?
The GDPR doesn't require personal data to be stored in Europe. The GDPR requires only that if the personal data of European residents is transported outside of Europe, then that personal data must be adequately protected.
2. GDPR and Bikayi, Inc.
How does the GDPR affect Bikayi, Inc.?
The General Data Protection Regulation (GDPR) requires Company to make the following changes to its platform and internal privacy program:
- Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by the Company so that the Company is accountable for its privacy practices.
- Make sure that Company is able to honour the rights of European merchants and customers over their personal data, and that when using Company's services, merchants are able to do the same.
- Make certain contractual commitments to merchants and get certain contractual commitments when the Company uses a third-party sub processor to provide services.
What has Company done to prepare for the GDPR?
Company has been preparing for the GDPR in the following ways:
Policies and documentation
- Updated Company's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Company processes personal data, as required by Articles 13 and 14 of the GDPR.
- Added a data processing addendum to Company’s online terms of service, as required by Article 28 of the GDPR.
- Implemented a procedure to deal with data subject access requests, deletion requests, and government access requests.
Product features
- Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
- Added functionality to the Company platform so that merchants are able to obtain independent consent for marketing purposes and can choose whether or not to pre-check the consent checkbox depending on their requirements.
- Updated abandoned cart notifications so that merchants can tie them to whether or not a customer has opted in to marketing communications.
App store
- Updated Company App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
- Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.
Corporate governance
- Appointed a Data Protection Officer to oversee Company's data protection program and GDPR implementation plan.
- Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
- Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
- Documented the sub processors that Company uses to deliver its platform and other services and started to review the contractual arrangements with these sub processors, to make sure that they are required to protect personal data through robust technical and organizational measures.
- Began the process of applying for approval of Binding Corporate Rules to support Company's data processing operations.
- Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Company products and business plans with privacy in mind.
What else is Company doing to comply with GDPR?
In addition to the preparations listed above, Company is rolling out the following features:
- Tool to request all of the information Company holds about a customer on their behalf through the Company admin, in case the merchant receives a subject access request under the GDPR.
- Tool to request that Company delete all personal information associated with a particular customer through the Company admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, the Company will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
- More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
- More robust Cookie Policy that includes specific information about the categories of cookies that Company places, not just on its own online properties but also through Company storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Company to place the cookies necessary to provide service.
- More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
- More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.
Will Company enter into Data Processing Agreements with its merchants?
For merchants who use Company's services subject to the online terms of service, Company has revised its terms to incorporate a data processing addendum. You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Company services. This fulfills the requirement of Article 28(3) of the GDPR. The Company is not able to sign an individual agreement with each merchant.
3. GDPR and you
How does the GDPR affect you?
The General Data Protection Regulation (GDPR) affects any Company merchants who are based in Europe or who serve European customers. While Company is working hard to make sure that it complies and allows its merchants to comply with the GDPR as of May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the Company platform. Company wants to help place merchants in the best possible position to comply with the law. This article includes questions you should consider to help you assess your obligations to make sure that you have set up your store in a way that complies with the law. That said, this is not legal advice. The GDPR is a complicated regulation, and it will apply differently to different merchants. You should consult with a lawyer to figure out what you specifically need to do. For information about processing data requests, see Processing GDPR data requests.
Why can't the Company handle GDPR compliance for merchants?
The GDPR imposes different obligations on controllers and processors of data. As a processor of data, the Company fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider. Company provides merchants with a platform that can be configured to be GDPR compliant, but you must consider how you would like to run your business. For further guidance, the following regulators within the European Union have provided specific guidance on the GDPR:
- ICO - Guide to data protection
- Irish Data Protection Commissioner - GDPR
- CNIL - Règlement européen: se préparer en 6 étapes
Collecting personal data
The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data. Examples of personal data include:
- Name
- Address
- Email address
- Social media account
- Digital identifier such as an IP address or a cookie ID.
Think about the following questions:
- Are you collecting personal data from customers in Europe? Most websites are available to residents of Europe and will fall under the GDPR.
- If your store uses third-party apps or themes, then do they collect and process data in accordance with the GDPR? To simplify this process, Company is requiring all apps to post a privacy policy detailing their data handling practices, so that you can assess whether you are comfortable with that app’s data practices. Company-developed apps fall under the Data Processing Addendum, and Company is responsible for their compliance.
- Do the channels or payment gateways you use collect and process data in accordance with the GDPR? You should follow up with them to make sure.
- Do you have a list of all of the types of personal data that you collect from your customers, and all of the ways in which you use this data? Article 30 of the GDPR requires you to maintain a current map of your data practices.
Privacy notice
The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.
Think about the following questions:
- Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?
- Does your privacy policy include how Company may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. Company uses your customers’ personal information to block certain transactions that appear to be fraudulent through automated decision-making.
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large-scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.
Think about the following questions:
- How many people are affected by tracking technologies on your storefront? These can include behavioural advertising apps, or even retargeting apps. Whether or not the number of people affected is “large scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.
- Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may wish to do so voluntarily to make sure that you adequately protect your customers’ data.
Data processing agreements
Under Article 28 of the GDPR, as a data controller you must, when you engage a data processor (like Company) to process your customers’ data, impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA. Company has automatically incorporated a Data Processing Agreement into its terms of service, which is designed to address the requirements of Article 28. For some merchants, the Company may enter into negotiated contracts which will govern their relationship with the Company. Merchants who do not sign a Data Processing Addendum will be governed by the Company's online Data Processing Addendum.
Think about the following questions:
- Are other data processors that you work with outside of Company contractually committed to protecting your customers’ data? Many third-party apps, channels, payment gateways, or other data processors will also automatically incorporate a Data Processing Agreement into their terms. Have you consulted with each of these third parties?
If you want to sign a Data Processing Addendum, then reach out to Company Support. They can provide you with the Company's template DPA to sign.
Customer consent
Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. For example, you might need to obtain consent from your customers if you are sending your customers marketing messages, or if you are using online advertising or retargeting apps.
Where you need to obtain consent, the GDPR says that it must be:
- Freely given: it must be entirely voluntary, and should not be bundled with other goods or services.
- Specific: it must be tied to clearly explained use cases.
- Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
- Unambiguous: it must be demonstrated by an affirmative act by the merchant (that is, not simply by continuing to use the services).
This means that the customer needs to be given detailed information about the particular use case, and some affirmative action needs to be taken by the consumer to show consent. Finally, if you offer your customers the opportunity to provide consent, the GDPR also requires that your customers have a way to withdraw consent. This can often be accomplished through an unsubscribe functionality. If you have questions about when and how you should obtain consent for collection of personal data, or the extent to which your customers should be allowed to withdraw their consent, then you should speak with a lawyer familiar with data protection laws. However, consent is only one of many legal bases in the GDPR that can justify processing of personal data. You might also process personal data to fulfill contractual requirements, or if you are required by law to process data. Some European regulators have suggested that if you at first ask for consent and your customer declines or agrees but then withdraws their consent, then you may no longer be able to rely on any other legal basis to process personal data. As a result, you should only rely on consent where you do not intend to (or need to) rely on another legal basis to process personal data.
Think about the following questions:
- For each different way that you use or process your customers’ data, what is the legal basis for doing so? Are you processing based on their consent? Are you processing to fulfill a contractual obligation to the customer? Are you processing to further your legitimate business interests? You should record the legal basis as part of your map of your data practices, described in Collecting personal data.
- Where you are relying on consent, is the consent you are getting bundled with the goods or services you are offering? For example, statements like "by purchasing these goods, you agree to our use of your personal information" may no longer be allowed under the GDPR.
- Are you providing enough details about how you will be using the personal data at issue to make sure that the customer’s consent is informed?
- Is the customer’s consent recorded and stored somewhere?
- Do you require consent to send marketing communications to your customers? Even if you do not need consent under the GDPR, local laws may or may not require you to obtain consent to send marketing communications to your customers. Speak with a lawyer about the specific requirements that might apply to your store.
- If you believe you require consent to send marketing communications, then is the marketing consent checkbox for your store unchecked by default? Consider setting your storefront up so that the marketing consent checkbox presented to customers is not pre-checked by default to ensure that your customers have to act affirmatively to provide consent.
Parental consent
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (although this age can be lower in certain countries).
Think about the following question:
- Do you need to change how you process customer data to either stop processing the data of those users under the age of 16, or to get parental consent? You might do this by prohibiting users under the age of 16 from accessing your site using an age-gating app from Company's App Store, or by asking visitors to confirm that they are over the age of majority.
Automated decision-making
The GDPR requires you to notify customers if you are using their personal information to engage in any automated decision-making. Automated decision-making means using automatic algorithms to make a decision about whether an individual is eligible for certain services or offers, should be charged a particular price, or is likely interested in certain types of goods or services. If you are using any processes that include fully automated decision-making (that is, without any human intervention) that will have a significant legal effect on the customer, then you need the customer’s consent. In general, Company does not engage in fully automated decision-making with your customers’ personal data. The one exception is Company's risk and fraud screening, where Company might automatically block a payment card number or IP address after a certain number of unsuccessful payment attempts. Company does not believe this has a significant legal effect on customers because the automated blocking lasts only for a short period of time.
Think about the following questions:
- Have you included in your privacy policy that Company’s risk and fraud screening might use customers' personal information for automated decision-making? You can read more about the Company's automated decision-making practices in the Privacy Policy. You should also confirm with a lawyer based on your particular circumstances that this service doesn't have a significant legal effect on your customers.
- Are you using any third-party apps that might be engaged in automated decision-making? You should pay particular attention to reviewing any third-party risk or fraud services you are using in connection with your storefront, or any types of marketing or advertising apps that might build profiles or that target segments of your customers.
- If you use third-party apps engaged in automated decision-making, then do you need to notify your customers or gather consent to use these apps?
Data breach notification
If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies. In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals’ rights and freedoms.
This is likely to be the case if the breached information:
- Includes payment details.
- Could be used to reveal embarrassing or personal information.
- Could be used to access an individual’s accounts or services.
Where applicable, you're required to provide notice within 72 hours after you become aware of the breach.
Think about the following questions:
- Have you spoken with a lawyer to determine what information you collect and process might require you to provide notice if you experience a data breach?
- Do you have a data breach response plan for your business so you are prepared for such an incident?
Sub processors
The GDPR imposes requirements on any company that uses third-party vendors and service providers to process the personal data of its users. The Company uses a number of sub processors to process your customers’ data. For more information about Company's sub processors, see Company's sub processors.
Think about the following question:
- Have you reviewed the privacy practices of the vendors and service providers that you use, including Company, to make sure that you are comfortable with how they protect your customers’ personal data?
Third-party apps
The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Company, but also any third-party apps that you might use in connection with your Company store. Company has taken action to make it easier for you to understand what personal data the apps you install have access to.
Steps:
- From your Company admin, click Apps.
- Click View details on the app you want to review permissions for.
You can also review app permissions before you install an app on the install screen in the app store. Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it. While Company wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.
Think about the following question:
- Based on your location, your customers' locations, your app developers' locations, and your implementation of each app, are you using third-party apps in a way that complies with the GDPR? Consult with a lawyer if you have questions about whether a particular app’s data practices may require additional consideration or work on your part to ensure compliance with the GDPR.
International data transfers
The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected. Company protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada. Company has set up its data flows to take care of these requirements for merchants. As described in Company's Privacy Policy, all European personal data is initially received from merchants and processed in India by Company's affiliate Comida Technologies Private Limited. Company then transfers that data onward in compliance with the GDPR.
Think about the following question:
- Have you ensured that other parties you transfer data to will transfer that data across international borders in a way that complies with the GDPR? You can do this by looking at the privacy policies of your third-party apps, channels, payment gateways, or other vendors, and seeing if they explain how they protect European data.
4. Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. This page includes:
- A breakdown of those rights.
- How you can use the Company’s platform to address requests for each right.
- What you may need to do independently from Company if you receive a request for each right.
Understand subject access and portability requests
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company. The GDPR therefore requires that you be able to provide your customers with a copy of their personal data in a format that is:
- Common
- Easily readable
- Portable
This allows customers to use their data with a different service provider. Company allows you to export most data in CSV or Excel formats right from your admin (for example, order, payout, products, and customer information). Generally, you should respond to a request within 30 days. Extensions are allowed if the request is exceptionally difficult to fulfill.
Process subject access and portability requests
If you receive an access or portability request, then you will first need to verify the identity of the requester (so that you do not inadvertently provide someone else your customer’s private personal information).
Steps:
- Send the customer's details to privacy@bik.ai and request the customer's data.
The customer's information is sent by email to the store owner. The store owner can then provide the information to the customer who made the request.
Article 15 of the GDPR will also require you to provide additional context around how you use the data you are providing, including:
- The purposes for which the customer’s data was processed.
- The third parties that received this data.
- Any relevant retention periods.
- Where the information was collected from (if not directly from the customer).
- Whether or not the data was used as part of any automated decision-making.
Additionally, you need to be able to ensure:
- The customer’s right to request information be corrected or erased.
- The customer’s right to object to how their information was processed.
- The customer’s right to complain to a regulator.
Think about the following questions:
- Are you able to provide all of the required context around a customer's data if they ask for it? Try to plan for a request in advance by maintaining a map of all of the personal data you (or the service providers you use, like Company) store about your customers.
- Have you considered other service providers that you might use who may have access to your customers’ personal data? These could include third-party apps, channels, and payment gateways.
- Do you have contact information for all of the third-party services you use that might store your customers’ personal data?
Process erasure requests
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. "Personal data" means any data that can be used to identify an individual, including:
- Name
- Address
- Email
- IP address
- Credit card number.
Personal data does not include information that is purely financial and cannot be linked to an individual, such as:
- How many times a specific product has sold
- How much revenue your store has made
If you receive a request for erasure (sometimes called redaction or deletion), then you should first verify the customer’s identity. You should also make sure there is no reason you need to keep the customer's data (for example, if the customer is also an employee).
Steps:
- Send the customer's details to privacy@bik.ai and request erasure of the customer's data.
After you request an erasure through your admin email, Company will transmit your erasure request to all apps that you have installed at the time you make the request that might have access to that customer’s data. Once you request an erasure within your admin, a 10 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, contact Company Support, and include your store information and the relevant customer ID.

When you request an erasure, the Company will only redact personal information (such as name and address). Your anonymized order information will remain intact in case you need it for accounting purposes. Once the relevant personal data has been erased, we will send you a confirmation email.

By default, the Company will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Company will action it once the appropriate time has passed. You do not need to submit another request. If you would like to override this time delay (regardless of the risk of chargeback), contact Company Support.
Think about the following questions:
- Are you storing any customer data on your own personal computers or in hard copy?
- Are there other third parties, such as channels or payment gateways that you may need to contact to request they erase a customer's personal information?
- Are there any local requirements, such as tax laws, that might require you to retain your customers’ personal information even if they request deletion? Consider consulting with a local lawyer familiar with data retention requirements to help answer this question.
5. Company’s sub processors for customer personal data
Third-party subprocessors
The Company might also use third-party sub processors in order to provide our services. Core sub processors are those that we can't offer our service without. Additional sub processors might apply if additional services are used. Transfers to third-party sub processors are conducted under contract.

| Third-party processor | Service provided | Corporate headquarters | Data processed |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting | Mountain View, USA | All platform data |
| Freshworks | Customer support tool | Delaware, USA | Customer support requests, customer contact data |
| Amazon AWS | Cloud hosting | Seattle, USA | Information associated with delivery of website content |
Additional third-party sub processors

| Third-party processor | Service provided | Corporate headquarters | Data processed |
|---|---|---|---|
| Salesforce | Sales management tool | San Francisco, CA | Customer contact data |
| Zoho Books | Accounting tool | Chennai, India | Customer financial information |
| Outplay | Marketing tool | Delaware, USA | Customer contact data |
| MoEngage | Marketing tool | San Francisco, CA | Customer contact data |
| Sales Navigator | Marketing tool | Templeton, CA | Customer contact data |
| Atlassian Jira | Productivity tool | Sydney, Australia | Tracking of tech tasks; no customer data |
| Slack | Communication tool | San Francisco, CA | Intra-company knowledge exchange; no customer data |
| QuickBooks | Accounting tool | Mountain View, USA | Customer financial information |
| Snowflake | Analytics tool | San Mateo, USA | Product usage data; customer contact data |
| Amplitude | Analytics tool | Burlington, USA | Product usage data; customer contact data |
6. GDPR FAQ
Learn about frequently asked questions related to the GDPR. These explanations are for informational purposes only and do not constitute professional legal advice. Consult independent legal advice for information specific to your country and circumstances.
Why does the Company not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?
Company has thought about the GDPR very carefully, and we have designed our platform to provide our merchants with a best-in-class commerce experience that can comply with privacy and data protection laws like the GDPR. Obtaining explicit, affirmative consent from customers to process their data can, when implemented properly, be a helpful way to provide transparency to and gain the trust of the customer. But when not implemented appropriately, checkboxes can be confusing to the customer, can create mismatched expectations, and can even create legal issues for merchants under the GDPR. We have chosen not to modify our checkout workflow to include an "Agree to Terms and Conditions and Privacy Policy" checkbox during checkout because of these concerns.
In particular, the GDPR makes clear that merchants can collect and process customer personal data for many reasons, including if the customer has provided their informed consent. But the GDPR recognizes that there may be many circumstances in which personal data might need to be processed separate and apart from the customer's consent, such as:
Merchants are likely to rely on many of these legal grounds with respect to the different ways that they might process their customers' data. For example, a merchant might need to use a customer's shipping address to actually fulfill the order and satisfy the merchant's contract with the customer. Similarly, a merchant may be legally required to process personal data to respond to a subpoena or in the context of a tax audit. And a merchant may process personal data for any number of other legitimate interests. At the same time, European regulators have made clear that consent is the most important of these different justifications. In particular, regulators have suggested that, once a merchant asks for consent to process data for a particular purpose, they may no longer be able to rely on the legal grounds above (such as contracts or legitimate interests). Additionally, regulators have cautioned that consent cannot be made a condition to receiving goods or services.
Why does all of this matter? Let's think about what would happen if a merchant did add an "Agree to Terms and Conditions and Privacy Policy" checkbox at checkout. If the customer does not choose to consent (or, if the customer consents and then withdraws their consent, which is a right provided to individuals under the GDPR), then a merchant may no longer be able to rely on the other justifications listed above. So the merchant may be in a position where, under the GDPR, the merchant cannot legally process the customer's personal data to process or fulfill an order. At the same time, if the merchant modified checkout so that this checkbox was mandatory to complete the transaction, consent would be a precondition to receiving the goods or services and so may not be valid under the GDPR in the first place. This complexity has led a number of regulators to caution against asking for or relying on consent where it may not be appropriate.
For example, the UK Information Commissioner's Office has advised: "Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. Public authorities, employers and other organizations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given." We want to do our best to support our merchants and help them avoid problematic legal consequences. But at the same time, we understand that merchants ultimately need to feel comfortable that they have the trust of their customers.
Why can't I sign a Data Processing Agreement (DPA) with Company?
The GDPR requires that data processors be bound by a contract in writing (which includes contracts in electronic formats) to each data controller in order to process personal data. These contracts should specify what personal data is being processed, and the obligations and rights of the processor and controller. These contracts are often called Data Processing Agreements (DPAs). In essence, a DPA is an agreement that the Company will only process the personal data given to it in the manner that the merchant specifies, because the merchant is the controller of the data. To fulfill this requirement, the Company has added a Data Processing Addendum to our Terms of Service. (It is called an 'Addendum' and not an 'Agreement' because it is added on to the Terms of Service, and isn't an agreement on its own.) As a merchant, you agree to the Terms of Service and, by extension, the Data Processing Addendum, when you sign up for Company's services, and you agree to any updates to the Terms of Service (for example, our update which added the Data Processing Addendum) by continuing to use the services.
It is important to note that the Terms of Service are governed by Delaware law, and not the law of the jurisdiction in which you reside. So while other regional laws, like the GDPR, may certainly cover your business and how you process data, and may require you to have a binding contract with your service providers (like Company), those other regional laws do not necessarily dictate whether a contract is binding or not. In the case of your contract with us, the question of whether the DPA is a binding contract is determined by reference to Delaware law. As a result, even if your jurisdiction requires that a contract (like the DPA) be signed, that may not matter with respect to your DPA. Under Delaware law, we believe that by continuing to use our service once our terms are updated, both Company and you are bound by the new, modified Terms of Service.
When you continue to use the Company, we believe you have entered into a binding contract with us that includes our Data Processing Addendum, as required by the GDPR.
What do I do if I have more questions about the GDPR or my local privacy laws?
Contact a local lawyer who specializes in privacy or data protection law.
Who can I contact for more information on the Company's practices?
Contact Company Support for more information on Company's practices.
If I use Company to host my store, does my business comply with GDPR?
Not automatically. While Company's operations will comply with the GDPR, and Company will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates. Using Company's platform alone does not guarantee that a company complies with the GDPR.
7. ePrivacy Directive
The ePrivacy Directive is a set of rules for data protection and privacy in the European Union (EU). The directive is separate from the General Data Protection Regulation (GDPR), and contains additional requirements for European privacy protection. It regulates the storing and accessing of information on devices, such as cookies, email marketing, and other aspects of privacy.
The ePrivacy Directive requires that a website asks for the users' consent before storing cookies in their browser that are not strictly necessary for the basic functioning of the website. The directive also requires that users are told the general purpose of a cookie before they are asked to provide consent. This applies to both first-party cookies, which are generated by your website and typically used for analytics, and third-party cookies, which are typically generated by advertisers and used for marketing purposes. Both first- and third-party cookies can be used for analytics and advertising.
If you're a Company merchant operating in or with customers from the EU, the EEA (European Economic Area, which consists of EU countries plus Iceland, Liechtenstein, and Norway), the UK, or Switzerland, then you must ask visitors to your website for their permission to use cookies that are not strictly necessary for the basic functioning of the website. This can be done through a banner that loads when a visitor enters your online store. Merchants must choose between three options for how Company uses cookies to collect and store your visitors' data: Collected before consent, Partially collected before consent, and Collected after consent.
Option | Definition | Impact |
---|---|---|
Collected before consent | Data is collected before a customer gives consent. This may not meet applicable data protection and privacy laws, but has no impact on analytics and ad campaigns. | No impact on analytics or marketing data collection. |
Partially collected before consent | Analytics data collection is limited to the duration of a user session, and marketing data collection is blocked prior to customer consent. | This option may impact analytics and marketing data, and analytics data collection can be reduced. |
Collected after consent (Recommended) | Data is not collected until a customer gives consent. This may be required by applicable data protection and privacy laws, but may impact analytics and ad campaigns. | Because users may decline to give permission for data collection, this option may impact analytics and marketing data. There can be a drop in the number of overall sessions. Other metrics that depend on accurate session counts for their calculation can also be affected, for example conversion rate. |