General Data Protection Regulation (GDPR)

Last updated on May 24, 2018

On May 25th, the General Data Protection Regulation (GDPR) will take effect. The GDPR is the European Union’s new data privacy law which impacts how all companies (big and small) collect and handle personal data about their European customers.

We support the GDPR and will ensure all BoostCommerce apps and services comply with its provisions by May 25, 2018. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.

Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.

We have taken steps to ensure that we will be compliant with the GDPR by May 25, 2018.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

What has BoostCommerce already done to prepare for the GDPR?

We’ve been hard at work preparing for the GDPR for a while. So far, we have:

  • Trained our managers and employees for our Privacy Policy, Terms of Service, Code of Conduct and GDPR
  • Reviewed the collected data of BoostCommerce Apps and Services and produced the document of Personal Data Assessment
  • Developed Data Breach Policy and Action Plan
  • Reviewed our system infrastructure, application securities and data access on Amazon Web Services
  • Removed unnecessary store owner data and only kept the store owner personal data to Email (encrypted in the database) and State/Country for communication and application analysis
  • Encrypted all personal-related data (if storing) in our database to prevent personal data leakage
  • Implemented the Role-Based-Access-Control (RBAC) for staffs interacting with store’s owners
  • Translated IP Address to Geolocation information including State/Country for data analysis and removed the IP Address after getting information (We do not store IP Address in our database)
  • Reviewed our app permissions and workflow to comply with the GDPR requirements from Shopify
  • Updated our Privacy Policy to make sure we provide information around the rights individuals have under the GDPR and more details around our processing of personal data
  • Updated our Cookie Policy to include specific information about the cookies that we place through your storefront

What are the permissions we need for "Product Filter & Search" app?


This includes products and collections. We need this permission to sync the product, collection data between your Shopify store and our app for filtering and searching features.


This includes all order details (Customer’s personal data in orders are deleted immediately as soon as the app receives the order hooks. No customer’s personal data are stored in our app). We need this permission to calculate and update the availability of the products in real-time based on the order events.


We need this permission to sync and index the content (pages, blogs) for searching feature.

Read_Themes, Write_Themes

This permission allows us to read store’s themes information for the auto theme setup process.

Read_Script_Tags, Write_Script_Tags

This permission allows us to insert filter script to your theme for filtering and searching features.

What are the personal data we collect and how we make sure they comply with GDPR?

Based on the definitions in Art. 4 GDPR, we consider the following collected data are personal data that the App interacts with:

Store’s Owner Information

We store this data to communicate with the store’s owner regarding BoostCommerce apps and services. Our app minimizes the personal data of store’s owner as we only store Email Address (encrypted in the database) and State/Country of the owner.

This information is kept s long as the store owner continues using the app. When the store owner uninstalls the app, the data is deleted.

Order Hook Information

We need order information to update the availability of related products of the store. The order hook comes to our application from Shopify Webhooks. However, all the personal-related data are deleted as soon as our application receives the hook. Only products-related data are kept for data sync purpose. We do not store any personal data of store’ customers.

Application Logs

We keep application logs for system performance monitoring and security audits. Before storing the log event in our database, the IP Address is translated to Geolocation information including State/Country. As soon as the Geolocation is analyzed, the IP address is removed. We do not store IP addresses in our application log in databases.

The application logs are kept for 3 months.

What about third parties? How do we control the information shared with them?

We do not and will never share, disclose, sell, rent, or otherwise provide personal information to other third parties or companies (other than to specific Shopify merchants you are interacting with, or to third-party apps or service providers being used by the merchants you are interacting with) for the marketing of their own products or services.

Still, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful requests for information we receive, or to otherwise protect our rights.

Final Words

What we went through together should give you an idea of GDPR and what have we done to prepare for GDPR.

As for BoostCommerce, we are ready with our updated terms and training even, to assist you with questions at any time. For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by sending the request to BoostCommerce at:

Or sending an email to: