New

Turn one-time shoppers into subscribers 🔁 Get started with Bold Subscriptions for Shopify Checkout + Bold Upsell

Background gradient
Headless CheckoutApps for Shopify
Watch a DemoLet's talk
Migrate to Bold SubscriptionsLet's talk

GDPR Compliance

Bold Commerce Image

Protecting your privacy is important to Bold Innovation Group LTD.

At Bold Commerce, we take the protection and handling of personal information very seriously.

We do this not only because of legal requirements, but because we hold integrity as one of our core company values.

Making sure that Merchants (and their Customers) can trust that our team will keep their personal and financial information safe is vital, and frankly, something we obsess over each and every day.

What is GDPR?

The General Data Protection Regulation (GDPR) creates a new set of legal requirements that aim to better protect the personal data of residents of the European Economic Area (i.e. the member states of the European Union plus Norway, Iceland and Lichtenstein). This includes more stringent rules on how and where data can be disclosed, stored, and processed.

To help our merchants be confident that Bold takes data security seriously, we’ve compiled a list of things we’ve done that help us meet the high standards set by the GDPR, including:

  • Updating our Privacy Statement
  • Lawful Basis for Processing
  • Data Subject Rights
  • Data Processing Addendum

Privacy Statement

We’ve updated our Privacy Statement to explain how we handle the data of our Merchants and who might access it in plain language, so it’s easy to understand.

This document is important because it explains how we enable and facilitate Rights for Data Subjects, including requests for access, deletion, and modification.

As a Merchant, it’s important for you to familiarize yourself with this document so that you can effectively handle inquiries from your Customers.

Lawful Basis for Processing

The Lawful Basis for Processing represent the six reasons a company may be allowed to process a Data Subject’s personal data.

Bold as Processor

Bold primarily acts as a Processor on behalf of our Merchants (who are Controllers) in relation to data we receive and process from Merchants about their Customers, as described in our updated Privacy Statement. A Processor takes personal data on behalf of a Controller and acts on it as the Controller has requested. In Bold’s case, we process the personal data of our Merchant’s Customers to help facilitate a transaction between the Merchant and Customer. For example, our Recurring Orders app reads Shopify customer and order data to be able to generate and report on purchased subscriptions. Where Bold acts as a Processor, Merchants (as Controllers) are responsible for having a Legal Basis for Processing. Bold only processes personal data in this capacity on the instructions of Merchants.

Bold as Controller

In some limited circumstances, Bold may act as a Controller. For example, where we process a Merchant’s personal data when a Merchant installs one of our apps, submits a form indicating interest in Bold services (such as a quote request for our Professional Services, or a pre-sales support request), or signs up to our email list. Where Bold acts as a Controller, we have implied consent to process a Merchant’s personal data when installing one of our apps, or submitting a form indicating interest in Bold services (such as a quote request for our Professional Services, or a pre-sales support request)

We may also have express consent to process your data. This would happen if you sign up to our email list: we tell you what you’re signing up for in plain English.

Protection of Personal Data

We’ve completed an audit of our physical, technical, and administrative security measures to make sure we have implemented appropriate and reasonable measures to ensure that personal data we’re entrusted with is kept safe.

One important outcome of this audit was the minimization and redaction of information that could potentially be used to identify someone personally. The best way to avoid a data breach is to not have that data in the first place; we’ve instituted policies to ensure that we only keep Customer (or Merchant) information for as long as is reasonable and necessary. At Bold, this means that Customer personal data is redacted after a Merchant uninstalls one of our apps.

A Data Protection Impact Assessment helps us assess the risk that apps, services and features could pose to an Data Subject’s personal data. This process is undertaken as we develop new services and functionality to make sure we’re building with privacy in mind.

We’ve also reviewed processes of teams across the company to make sure we’re handling personal data in a way that meets the high standards set by the GDPR.

One of our biggest undertakings has been to review our relationships with the vendors or subprocessors used by our team that could potentially come in contact with personal data. This includes server hosts, support ticketing software, blog providers, and everything in between. We’ve taken steps to ensure they also meet the requirements set out by the GDPR, appropriate to their role in the chain of processing. For example, we’ve implemented Data Processing Agreements / Addendums with such vendors (where necessary). These Data Processing Agreements/Addendums also incorporate standard contractual clauses approved by the European Commission to ensure any onward transfer of this data to countries without adequate privacy laws (as determined by the European Commission) is done safely.

Training sessions have also been held with members of our staff to ensure that they are educated on their legal obligations as it pertains to personal data, and to ensure their commitment to the ideals of privacy and respect for personal data being at the core of working alongside Merchants.

Data Subject Rights

One of the most relevant components of the GDPR is the rights of Data Subjects. A set of rights granting people the ability to exercise control over their personal data. The three most relevant ones to you as an eCommerce entrepreneur are likely the right of access, the right to rectification, and the right of erasure.

Right of Access

The right of access allows a Data Subject (i.e. the person about whom data has been collected or stored) to request from a Data Controller any data they have collected relating to that person, along with information on if and how it has been processed. In plain language, this is a “Give me everything you have on me” type of request. The Data Controller (in many cases, the Merchant) is responsible for providing the data from their systems, including any which may be held/stored by their third-party Processors. If a Merchant receives a request relating to the right of access for data that may be held by Bold, they should contact [email protected] for assistance.

Right to Rectification

The right to rectification allows Data Subjects to request their personal data be modified or corrected. As a Merchant, this may simply mean you make the change as requested in your eCommerce platform. If you have a concern relating to a rectification request as it exists in a Bold app or service, contact [email protected].

Right to Erasure

The right to erasure, commonly referred to as the “Right to be forgotten” means Data Subjects have the right to ask for all of their personal data be deleted by a Controller. This means, as with each of the other rights, the Controller is responsible for their own records, and must ensure Processors with whom they work also delete this person’s data. Fulfilling requests for erasure and deletion are handled through an email to [email protected].

Data Processing Addendum

For Merchants which require GDPR compliance, we offer a Data Processing Addendum to cover Bold’s processing obligations in relation to Merchant personal data and the transfer of personal data to Bold outside of the EEA (European Economic Area) the UK (United Kingdom) or Switzerland including Standard Contractual Clauses.

i. To facilitate this process, we have (to the extent that is practicable) pre-populated three different sets of our DPA outlining the most common scenarios of the Standard Contractual Clauses (module two, transfer controller to processor). If none of the scenarios foreseen below describes your situation accurately, please contact us at [email protected] so we can assess your case individually;

ii. To complete and execute our Data Processing Addendum, please complete the information in the signature box and sign on Pages 8, 21, 49, 60, 61 and 62 complete the information as the data exporter on Page 20, complete the information required in Pages 24, 27, 28, 43, 49, and 50 and send the completed and signed Addendum to Bold Commerce by email to [email protected]; and Upon receipt of the validly completed Addendum by Bold Commerce at this email address, our Data Processing Addendum will become legally binding.

If you are a merchant with a presence in the EEA please download and complete this file.
Download document

If you are a merchant without a presence in the EEA, AND have a representative in the EEA please download and complete this file.
Download document

If you are a merchant without a presence in the EEA, AND do not have a representative in the EEA please download and complete this file.
Download document

If you want to learn more, read our last post on GDPR: What is it, why it matters, and how it will affect your store or send us an email to [email protected].

Legal

Trust and Security

Privacy and security are critical for your business. That’s why we put them at the forefront of how we design and host our services.