The URLs for the GDPR privacy notices were changed on October 1st, 2025. Also, please always add "www" when you link your website to our pages.
Information: This Model Notice is for e-commerce websites that collect personal and financial data to process orders and provide customer support. It explains what data is collected, why, and how users' rights are protected. This policy is designed to be used in conjunction with a Consent Management Platform (CMP) - see our note at the end of this page.
Last Updated: September 28, 2025
We process your personal data to manage and fulfill your orders, provide customer support, and comply with legal obligations. We use secure third-party services to process your payments and do not store your full financial details ourselves. We are committed to processing your data transparently and in accordance with the law.
To process your orders and provide customer support, we collect and process the following categories of personal data:
Identity and Contact Data: Your name, billing address, shipping address, email address, and phone number.
Transaction Data: Details about payments to and from you, and other details of products and services you have purchased from us.
Profile Data: Your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
Technical Data: Internet Protocol (IP) address, login data, browser type and version, and other technology on the devices you use to access our website.
We process your personal data for the following specific purposes and based on the following legal grounds:
To process and fulfill your orders, including managing payments, shipping products, and providing related customer support. The legal basis for this processing is the performance of a contract with you.
To manage our relationship with you, including notifying you of changes to our terms or privacy policy. The legal basis for this is a mix of performance of a contract, compliance with a legal obligation, and our legitimate interests (e.g., keeping our records updated).
To comply with legal obligations for tax, accounting, and anti-fraud purposes. The legal basis for this is compliance with a legal obligation.
To improve our website, products, and services, including using data analytics to understand user behavior. The legal basis for this is our legitimate interests in improving our business operations.
We may share your personal data with various third parties to fulfill our services and business operations. These include:
Payment Processors: To handle secure payment transactions (e.g., Stripe, PayPal).
Shipping Partners: To deliver your orders (e.g., DHL, FedEx).
IT and Systems Administration Service Providers: For website hosting and data storage.
Professional Advisers: Including lawyers, auditors, and insurers who provide professional services.
Tax and Regulatory Authorities: As required by law.
If we transfer your data to a country outside of the EU/EEA, we will ensure that it is done using appropriate data protection safeguards, such as Standard Contractual Clauses (SCCs), to ensure an adequate level of data protection.
We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Typically, we retain transaction data for a period of (please refer to our Data Protection Clause) to meet tax and accounting obligations.
Under the GDPR, you have the right to:
Access your personal data.
Rectify inaccurate or incomplete data.
Erase your data (the "right to be forgotten").
Restrict or object to processing.
Receive your data in a structured, commonly used, and machine-readable format (the right to data portability).
We do not use any automated decision-making, including profiling, that produces a legal or similarly significant effect on you. To exercise these rights, please contact us using the details provided below. We may need to verify your identity to process your request.
This GDPR-compliant Model Privacy Policy Notice is regularly reviewed. Only the latest version, which is currently applicable, is published on the SME Privacy website (www.smeprivacy.org). We will also notify you of any significant changes via email or a prominent notice on our website.
For any questions or concerns regarding this Notice or our data processing activities, you can contact us at the email address provided below. You also have the right to lodge a complaint with a Data Protection Authority. A list of European Data Protection Authorities can be found on the European Data Protection Board's website (https://www.edpb.europa.eu/about-edpb/about-edpb/members_en).
—
"Data Protection: we use a Privacy Policy for E-commerce Websites developed by SME Privacy. You can read it at https://www.smeprivacy.org/notice/e-commerce. This policy, along with the details below, explains how we process your personal data.
Specifics of Processing: We collect and process your personal data for order fulfillment, which includes billing, shipping, and customer support. Our legal basis for this is the fulfillment of a contract with you.
Third-Party Processors: We share your personal data with [Payment Processor, e.g., Stripe] for payment processing and [Shipping Partner, e.g., DHL] for shipping purposes.
Data Retention: We retain your data for [Retention Period, e.g., 7 years] to meet our legal obligations for tax and accounting purposes.
Controller: For all enquiries regarding your personal data, please contact [FULL NAME (sole proprietor) or COMPANY NAME (registered company)] at [EMAIL ADDRESS]."
Optional Clauses to be Included as Applicable:
EU Representative: If you are based outside of the EU/EEA, please also mention the identity and contact details of the controller's EU Representative.
Data Protection Officer: Where applicable, please also mention the identity and contact details of the controller's Data Protection Officer.
—
For websites that use analytics, advertising, or social media plugins, having a privacy notice alone isn't enough. The GDPR requires you to prove you have a user's explicit consent before processing their data for these purposes. This is where a Consent Management Platform (CMP) comes in. A CMP is a tool that allows you to easily display a cookie banner, collect valid consent, and give users a simple way to change their mind at any time. We highly recommend implementing a reputable CMP to ensure you are fully compliant and to protect your business.