GDPR compliance.
Introduction
At GMAppify, we take your privacy seriously and have put in significant effort to safeguard your privacy when you interact with our services, whether directly or indirectly.
In this article, we'll explain how GMAppify complies with the General Data Protection Regulation (GDPR) to protect the rights of all Data Subjects.
What is GDPR?
GDPR is the privacy and security law drafted and passed by the European Union (EU) and implemented into UK law by the Data Protection Act 2018. It imposes obligations on organizations anywhere, so long as they target or collect data related to people located in the EU (for EU-GDPR) or the UK (for the UK implementation of GDPR via the Data Protection Act 2018, “UK-GDPR”). When we refer to “GDPR” we mean both the EU-GDPR and UK-GDPR, and when we refer to “Europe” we mean the EU and UK.
GMAppify's role as a Data Processor
Merchants (store owners) are the data controllers for the purposes of GDPR and are obliged to fulfill the Data Subject Rights (DSR) of Data Subjects (buyers/reviewers) that are European residents.
Data Subject Rights specify how Data Subjects can correct, amend, delete, or limit the use of Personal Data that you control.
In terms of personal data received from Merchants, via eCommerce platforms, GMAppify is a data processor.
We will process the personal data of your buyers/reviewers on behalf of the Merchant, the data controller.
As a data processor, we will help you, the Merchant, to fulfill the Data Subject Rights. In particular, we will:
- Send all the reviewer data that you have collected and processed upon request of the reviewers (right of access and right to be informed)
- Provide tools for reviewers to edit their display name, display name format, and reviews, as well as let you make minor edits to the review content, with the consent of your reviewers (right to rectification/edit)
- Provide tools for reviewers to delete their reviews, and delete all reviewer data that you have collected and processed upon request of the reviewers (right to be forgotten)
- Provide all personal data in a structured and machine-readable format (right to data portability)
We refer to users of your store as reviewers, as most of GMAppify's functionality deals with reviews. In a few cases, we will also process data you have provided to us that is not from (potential) reviewers.
GMAppify's role as a Data Controller
When we receive personal information directly from a merchant of an eCommerce store, an influencer or a reviewer, as they create an account using our services and otherwise interact directly with our website, GMAppify is the Data Controller.
GMAppify aims to take reasonable steps to allow you, the data subject, to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, as a data subject, you have the right:
- To access and receive a copy of the Personal Data we hold about you.
- To rectify any Personal Data held about you that is inaccurate.
- To request the deletion of Personal Data held about you.
- To data portability for the information you provide to GMAppify Ltd. You can request a copy of your Personal Data in a commonly used electronic format so that you can manage and move it.
Data Processing Addendum (DPA)
GMAppify's Data Processing Agreement (DPA) sets out the terms upon which we process personal data on behalf of our customers and transfer and share that data with our Merchants and Sub-Processors.
The DPA incorporates the latest Standard Contractual Clauses (SCC) published by the European Commission as well as the UK's international data transfer addendum, allowing GMAppify to lawfully transfer personal data from the UK to overseas parties pursuant to a set of defined processing particulars, including to parties who may be based in countries where the EU has not issued an adequacy decision based on GDPR-equivalent levels of data protection.
Sub-processors, integration apps, and Google Shopping
Sub-processors
- SendGrid: sending transactional emails, e.g. review request emails
- Amazon Web Services (AWS): Cloud hosting services to host user-generated content that GMAppify collects on the Controller’s behalf.
- Fly.io: GMAppify's server infrastructure
- Crisp: Customer support platform to enable GMAppify to support and manage GMAppify's relationship with our customers
Integration apps
If you integrate GMAppify with other Shopify apps, the personal data of you and your reviewers will be processed by these apps.
Google Shopping
We may provide you with a Product Reviews XML Feed for your Google Merchant Center. You can submit this XML file inside your Google Merchant Center. In this case, the personal data of you and your reviewers may be processed by Google Shopping.
Security and location of our servers
We run on Fly.io and Amazon Web Services (AWS) technology.
Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Contact us
GMAppify Inc
190 SE 5th Ave
Delray Beach, FL 33483
United States
hello@gmappify.com
Last updated Jun 30, 2024