The European Union General Data Protection Regulation (GDPR) is a regulation that unifies the data privacy regulations of EU member states into a single regulation, enforced across the EU single market. This article describes the GDPR compliance status of Subliminator.
If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (i.e. Subliminator) are GDPR-compliant. Subliminator is GDPR-compliant and strictly enforces the regulation to protect the user data we store. The list of our providers (i.e. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA).
Subliminator and GDPR (in 12 points)
The GDPR regulation can be reduced to 12 important points. For each point, we explain how Subliminator handles its compliance. If we did not answer your questions in this article, you can still contact us and drop us a chat or email.
Also, please note that all Subliminator data processor providers have been checked to be GDPR-compliant (Shopify, AWS, Stripe, PayPal, Linode).
1. Awareness
All Subliminator data is held on servers hosted by AWS (a US-based company, with a subsidiary in the EU subject to EU law).
Certain points of Subliminator GDPR compliance are subject to the law of the Netherlands, where Subliminator is incorporated. Thus, we have to be compliant with the Dutch data protection law as well as EU GDPR law. GDPR compliance and Dutch law are applied worldwide.
All employees responsible for software development and infrastructure maintenance of Subliminator are fully aware of the GDPR requirements.
This ensures that security breaches and bad practices are not introduced by, e.g., a third-party temporary contractor or a Subliminator employee, even one aware of the GDPR requirements (this acts as a double human safety check).
2. Information we hold
Subliminator stores data on 2 kinds of parties:
1. Our customers (i.e. the online store owners using Subliminator to create and sell products)
2. Our customers' end-users (i.e. the customers of our customers)
Subliminator does not share or resell any kind of user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2).
2.1. Information held on our users
Subliminator collects account information for each user (we refer to them as customers in this article), including:
- User first and last name
- User payment details (includes invoicing information, e.g. company address and country; the credit card number is stored by Stripe or PayPal)
2.2. Information held on our users' end-users
Information held on our users' end-users includes:
- End-user email address (if provided by the end-user, thus involving consent)
- End-user phone number (if provided by the end-user, thus involving consent)
The information held on our users' end-users is solely the responsibility of our users (i.e. the individual websites using Subliminator). It is the responsibility of our users to manage the data they hold in their online store, i.e. to remove sensitive data if someone happens to share it with them (e.g. Social Security Numbers). It is our responsibility to secure access to this data (i.e. only website operators can access it, and they have a right to rectification and deletion).
3. Communicating privacy information
Subliminator customers' and users' privacy terms are clearly communicated in our Privacy information.
Subliminator customers' end-users' privacy terms are the sole responsibility of Subliminator customers. They should be announced on the Subliminator customer's website.
4. Individuals’ rights
Subliminator customers' rights under GDPR are considered and enforced, including:
- Right to be informed: we clearly inform our users about the use that will be made of their data
- Right of access: our users can access all their data, without restriction, from the Subliminator apps
- Right of rectification: it's as simple as contacting us; we'll process all your rectification queries
- Right of erasure: it's as simple as contacting us; we'll process all your erasure queries
- Right to restrict processing: we don't process the data of our customers (or our customers' end-users)
- Right to data portability: our users may contact us at any time if they wish to get an export of their data (this may take time, however, as the data is fragmented among multiple isolated data stores)
- Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
- Right not to be subject to automated decision-making including profiling: we don't do that (and never will)
5. Subject access requests
Subliminator replies to all access requests (positively or negatively) within 2 weeks (the legal limit under GDPR is 1 month).
We offer this free of charge for our customers (paid and free).
6. Lawful basis for processing personal data
Subliminator stores user data with consent (i.e. an order that was placed by the customer's end-user).
It is the Subliminator customer's responsibility to ensure user data is lawfully collected. For instance, if the emails collected from Subliminator orders are re-used for marketing campaign purposes, the Subliminator customer has to ask for user consent when collecting the email.
7. Consent
Consent is provided by our users explicitly when performing an action or task (e.g. when they provide user data).
8. Children
Subliminator does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identify it as relevant to check the age of users signing up for services.
Children might still be able to use the Subliminator services from the website or apps of a Subliminator customer. To this extent, the Subliminator customer is responsible for checking their own users and activities against regulations regarding children.
9. Data breaches
Our team closely monitors for any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface of our systems and services.
Here are a few measures we have in place to prevent data breaches:
- Aggressive use of firewalls and network isolation in our infrastructure
- No access to our server systems is allowed from the public Internet; trusted administrators from the Subliminator team need to connect via a trusted VPN network
- We monitor for security flaws in any library we use in our running backends, and patch them as soon as an update is issued
- All platform backups are GPG/PGP-encrypted and stored privately, retained for a maximum of 1 week
Subliminator will notify its users of any data breach at most 24 hours after becoming aware of it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.
10. Data Protection by Design and Data Protection Impact Assessments
Whenever Subliminator develops a new system, security comes first when designing the architecture of that system. Our first goal is to protect the integrity of the new system, and our second goal is to protect the user data that is stored and used by that system.
Subliminator developers are well educated in software and network security, which has helped us build secure-by-design software over time.
11. Data Protection Officers
Subliminator has designated a Data Protection Officer, as required by GDPR:
🙋♂️ Liviu Ungureanu
- Role: Development Lead
- Email: [email protected]
12. International
Subliminator may, via its users, process data from individuals across all EU member states.
Subliminator's main establishment is in the Netherlands, thus its supervisory authority is based in the Netherlands.
- ID: 66320216
- Address: Louis Braillelaan 80, 2719EK, Zoetermeer, Netherlands
- Email: [email protected]