GDPR

Last updated: 2026-04-19. Kommercio operates under the UK GDPR and, where merchants or shoppers are in the EU, the EU GDPR. This page summarises our obligations and how to exercise your rights.

Controller vs processor

  • Merchant account data — Kommercio is the controller. We decide why and how we process it (to run the service, bill you, and support you).
  • Shopper data — the merchant is the controller, Kommercio is the processor. We process it on the merchant's behalf, on their documented instructions (the platform configuration).

Lawful bases

  • Contract — to provide the service you signed up for.
  • Legal obligation — tax, anti-fraud, law-enforcement response.
  • Legitimate interests — security, product improvement, fraud prevention.
  • Consent — for optional marketing emails.

Your rights

You have the right to:

  • Access — get a copy of your personal data.
  • Rectification — fix anything inaccurate.
  • Erasure — ask us to delete it (subject to legal retention).
  • Restriction — limit how we process it.
  • Portability — get a machine-readable export.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, for anything consent-based.

Email privacy@kommercio.io to exercise these. We respond within 30 days and won't charge a fee for reasonable requests.

Shopper rights against merchants

If you're a shopper and want to exercise rights over data a merchant holds about you, contact that merchant directly — they are the controller. We'll help route the request if you're not sure who to email.

Data Processing Addendum (DPA)

Merchants processing EU or UK shopper data should sign a DPA with Kommercio. Email legal@kommercio.io — we countersign by return.

International transfers

Primary compute is in the UK (DigitalOcean London). Some sub-processors are in the US — transfers rely on Standard Contractual Clauses and, where applicable, the UK IDTA or EU-US Data Privacy Framework.

Breach notification

If we detect a personal data breach affecting you, we notify you without undue delay — and within 72 hours of confirmation where required by GDPR — via email to the account owner and a public notice at /status.

Supervisory authorities

You can complain to:

  • UK: the Information Commissioner's Office (ico.org.uk).
  • EU: the Data Protection Authority in your country of residence.

Draft stub for pre-GA. Final policy will be published by counsel alongside a formal DPA template.