Last Updated: May 23, 2018

In 2016, The European Commission approved the new General Data Protection Regulation, which will replace the 1995 Data Protection Directive.

We can confirm that inc complies with GDPR from May 25th, 2018 and is fully compliant with Shopify requirements on Processing GDPR data requests.

To help our merchants be confident that inc takes data security seriously, we’ve compiled a list of things we’ve done that help us meet the high standards set by the GDPR.

  1. Updated Privacy Policy

    We’ve updated our Privacy Policy to explain how we handle your data and who might access it.

    This document is important because it explains how we enable and facilitate Rights for Data Subjects, including requests for access, deletion, and modification. As a Merchant, it’s important for you to familiarize yourself with this document so that you can effectively handle inquiries from your customers.

  2. Consent and Lawful Basis for Processing

    The Lawful Basis for Processing represent the six reasons a company may be allowed to process a user’s personal data. inc acts as both a Data Controller and Processor in some circumstances, as defined under the GDPR.

    We have implied consent to process a Merchant’s personal data when installing one of our apps, or submitting a form indicating interest in inc services.

    We also act as a Data Processor when you install one of our apps. A Processor takes personal data on behalf of a Controller and acts on it as the Controller has requested. In inc's case, we process the personal data of our Merchant’s Customers to provide an overall better experience while shopping on Merchant's store. For example, our Visely Product Recommendations app reads Shopify order data to be able to generate relevant product recommendations based on Customers' past purchases.

  3. Protection of Personal Data inc undertakes not to disclose or otherwise make personal data processed under this DPA available to any third party without the Customer’s prior written consent.

    You shall always feel safe when providing us with your personal data. Therefore, inc has implemented appropriate security measures to protect your personal data against unauthorised access, alteration and erasure. In the case of a security breach that may significantly affect you or your personal data, e.g. when there is a risk of fraud or identity theft, we will contact you and inform you of what you can do to reduce this risk. inc may disclose Personal Data about you in connection with legal requirements, such as in response to an authorized subpoena, governmental request or investigation, or as otherwise permitted by applicable law (including, without limitation, to prevent fraud or abuse, or to protect inc's legal rights, property, or the safety of inc, its employees, users or others).

  4. Our Responsibility for Your Rights

    One of the most relevant components of the GDPR to citizens is the Data Subject’s Rights. A set of rights granting people the ability to exercise control over their personal data.

    The three most relevant ones to you as a Merchant are the right of access, the right to rectification, and the right of erasure.

    • Access to Your Personal Data

      The right of access allows a Data Subject (person whom’s data has been collected or stored) to request from a Data Controller any data they have collected relating to that person, along with information on if and how it has been processed. The Data Controller (in many cases, the Merchant) is responsible for providing the data from their systems, any which has been provided to third-party Processors. As Merchant, you can issue the request on behalf of your Customer through your eCommerce platform.

    • Rectification of Your Personal Data

      The right to rectification allows Data Subjects to request their personal data be modified or corrected. As a Merchant, this may simply mean you make the change as requested in your eCommerce platform.

    • Erasure of Your Personal Data

      The right to erasure, commonly referred to as the "Right to be forgotten" means Data Subjects have the right to ask for all of their personal data be deleted by a Controller. This means, as with each of the other rights, the Controller is responsible for their own records, and must ensure Processors with whom they work also delete this person’s data. As Merchant, you can issue the request on behalf of your Customer through your eCommerce platform.

  5. Data Processing Addendum

    You can download our Data Processing Addendum here.