General Data Protection Regulation (GDPR)


Last updated on Aug 25, 2020

On May 25th, 2018 the General Data Protection Regulation (GDPR) took effect. The GDPR is the European Union’s new data privacy law which impacts how all companies (big and small) collect and handle personal data about their European customers.

We support the GDPR and will ensure all Boost Commerce apps and services comply with its provisions by May 25, 2018. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.

Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.

We have taken steps to ensure that we will be compliant with the GDPR by May 25, 2018.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

What has Boost Commerce already done to prepare for the GDPR?

We’ve been hard at work preparing for the GDPR for a while. So far, we have:

  • Trained our managers and employees on our Privacy Policy, Terms of Service, Code of Conduct and the GDPR
  • Reviewed the data collected by Boost Commerce apps and services and identified which of it is personal information
  • Developed a Data Breach Policy and Action Plan
  • Reviewed our system infrastructure, application security and data access on Amazon Web Services
  • Removed unnecessary store owner data and kept only the store owner's email address (encrypted in the database) and state/country for communication and application analysis
  • Encrypted all personal data that we store in our database to prevent personal data leakage
  • Implemented Role-Based Access Control (RBAC) for staff interacting with store owners
  • Reviewed our app permissions and workflow to comply with the GDPR requirements from Shopify
  • Updated our Privacy Policy to make sure we provide information around the rights individuals have under the GDPR and more details around our processing of personal data
  • Updated our Cookie Policy to include specific information about the cookies that we place through your storefront
  • Conducted Privacy Impact Assessment (PIA) - Updated on Aug 25, 2020

What are the permissions we need for the "Product Filter & Search" app?

Read_Products

This includes products and collections. We need this permission to sync product and collection data between your Shopify store and our app for the filtering and searching features.

Read_Orders

This includes full details of placed orders (*). We need this permission to support the Analytics feature, which calculates order revenue in our app. The merchant also has a setting to disable this feature.

(*) Customer personal information in orders is removed as soon as the app receives the order webhooks. No store customer's personal data is stored in our app.

Read_Content

We need this permission to sync and index content (pages, blogs) for the search feature.

Read_Themes, Write_Themes

This permission allows us to read the store's theme information for the automatic theme setup process.

Read_Script_Tags, Write_Script_Tags

This permission allows us to insert a filter/search script into your theme for the filtering and searching features.

What personal data do we collect, and how do we make sure it complies with the GDPR?

Based on the definitions in Art. 4 GDPR, we consider the following collected data to be personal data that the App interacts with:

Store Owner Information

We store this data to communicate with the store owner regarding Boost Commerce apps and services. Our app minimizes the store owner's personal data: we store only the owner's email address (encrypted in the database) and state/country.

This information is kept as long as the store owner continues using the app. When the store owner uninstalls the app, the data is deleted.

We also have cookies set by Google Analytics, MixPanel and Hotjar in our app's admin pages. These cookies help us adjust and improve the experience of using our app.

Order Hook Information

We do not store any personal information from order hooks in our application or other databases.
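The order-hook handling described under Read_Orders and in this section (keep only what the revenue analytics needs, drop the customer's personal data before anything is persisted) can be implemented with an allowlist that fails closed. The code below is an added example, not Boost Commerce's own code; it assumes the usual Shopify order webhook field names (id, total_price, currency, customer, ...) and uses a constructed sample payload.

```python
"""Minimise a Shopify order webhook payload before persisting it (added example)."""
import json
from typing import Any, Dict, Tuple

# Allowlist: the only fields the order-revenue analytics needs. Anything not
# listed is dropped, so PII fields that a future payload might add are never
# stored by accident (an allowlist is safer here than a blocklist).
RETAINED_FIELDS: Tuple[str, ...] = ("id", "created_at", "currency", "total_price")

# Top-level keys that are personal data under Art. 4 GDPR. Used only as a
# post-condition check that the allowlist really removed them.
PII_FIELDS = frozenset({"email", "contact_email", "phone", "customer",
                        "billing_address", "shipping_address", "browser_ip",
                        "customer_locale", "note"})


def minimise_order(payload: Dict[str, Any],
                   retained: Tuple[str, ...] = RETAINED_FIELDS) -> Dict[str, Any]:
    """Return a new dict holding only the retained fields.

    Raises ValueError if any PII key survives, so a misconfigured allowlist
    fails closed instead of silently storing customer data.
    """
    kept = {key: payload[key] for key in retained if key in payload}
    leaked = PII_FIELDS & kept.keys()
    if leaked:
        raise ValueError(f"PII fields would be stored: {sorted(leaked)}")
    return kept


def handle_order_hook(raw_body: bytes) -> Dict[str, Any]:
    """Parse the webhook body and return the record that is safe to persist."""
    return minimise_order(json.loads(raw_body))


# Constructed sample webhook body (not a real order; field names are assumed).
SAMPLE_BODY = json.dumps({
    "id": 1001, "created_at": "2020-08-25T10:00:00Z",
    "currency": "EUR", "total_price": "42.50",
    "email": "shopper@example.com", "phone": "+10000000000",
    "browser_ip": "203.0.113.7",
    "customer": {"first_name": "A", "last_name": "B"},
    "shipping_address": {"city": "Berlin"},
    "line_items": [{"title": "Hat", "price": "42.50"}],
}).encode()

if __name__ == "__main__":
    print(handle_order_hook(SAMPLE_BODY))
```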

UUID of Frontend API

We place an anonymous unique identifier on the device or computer of individuals who access the storefront. This identifier helps us analyze how our app influences customer experiences.

This UUID is not personal information, as it cannot be reversed to identify an individual if the data is breached or accessed by third parties.

Application Logs

We keep application logs for system performance monitoring and security audits. The application logs are kept permanently for security reasons.

What about third parties? How do we control the information shared with them?

We do not and will never share, disclose, sell, rent, or otherwise provide personal information to other third parties or companies (other than to the specific Shopify merchants you are interacting with, or to third-party apps or service providers used by those merchants) for the marketing of their own products or services.

However, we may share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

Final Words

What we went through together should give you an idea of the GDPR and what we have done to prepare for it.

As for Boost Commerce, we are ready, with our updated terms and training, to assist you with questions at any time. For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact Boost Commerce at:

https://boostcommerce.net/pages/contact-us

Or send an email to:

support@boostcommerce.net