
GDPR Compliance

How CommerceBase handles personal data under the General Data Protection Regulation.

Our role under GDPR

CommerceBase acts in two capacities depending on the context:

  • Data Controller — for data we collect directly from you as a user: your email address, account credentials, and billing information. We determine how and why this data is processed.
  • Data Processor — for product catalog data and any personal data you upload into the platform on behalf of your business. You (our customer) are the Data Controller for this data; we process it only according to your instructions.

What we do to stay compliant

  • ✓ All data at rest stored on servers in the EU (Frankfurt, Germany — DigitalOcean); any transfer outside the EEA happens only through the sub-processors listed below, under Standard Contractual Clauses
  • ✓ Encrypted connections (TLS 1.2+) for all data in transit
  • ✓ Passwords hashed with bcrypt — never stored in plain text
  • ✓ Access to production data restricted to authorized personnel only
  • ✓ Data deletion within 30 days of account closure
  • ✓ No data sold or shared with third parties for advertising
  • ✓ Sub-processors contractually bound to GDPR-equivalent obligations
  • ✓ Personal data breaches notified to the supervisory authority within 72 hours of our becoming aware of them, as required by Article 33; where we act as Data Processor, we notify you (the Data Controller) without undue delay

Your rights as a data subject

Under GDPR you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Portability — export your data in a machine-readable format (JSON or CSV)
  • Restriction — limit how we process your data in certain circumstances
  • Objection — object to processing based on legitimate interests

To exercise any right, email privacy@commercebase.io. We respond within 30 days of receiving your request.

Sub-processors

We use the following sub-processors, each bound by GDPR-compliant data processing agreements:

Processor     | Purpose                                   | Location
DigitalOcean  | Cloud infrastructure & storage            | EU (Frankfurt)
Paddle        | Payment processing (Merchant of Record)   | UK/USA (SCCs applied)
OpenAI        | AI enrichment (opt-in)                    | USA (SCCs applied)

SCCs = Standard Contractual Clauses (EU-approved mechanism for transfers outside the EEA).

Data Processing Agreement (DPA)

If you use CommerceBase to process personal data on behalf of your customers, a Data Processing Agreement is required under Article 28 of the GDPR.

Request our standard DPA by emailing privacy@commercebase.io; we will send it within 2 business days. Enterprise customers with custom DPA requirements should contact us at the same address to discuss.

Contact & supervisory authority

For any GDPR-related questions, contact us at privacy@commercebase.io.

You also have the right to lodge a complaint with your local data protection authority. If you are in Ukraine, the relevant authority is the Commissioner for Human Rights of the Verkhovna Rada of Ukraine. If you are in the EU, contact your country's national DPA.