
    GDPR and LimeSpot

    Last Updated: May 10, 2024

    The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how organizations collect, process, and protect the personal data of individuals in the European Union. LimeSpot is committed to helping our clients comply with GDPR requirements while delivering powerful personalization experiences.

    LimeSpot's Role Under GDPR

    Under GDPR, LimeSpot acts as a Data Processor on behalf of our clients (merchants), who are the Data Controllers. This means:

    • Our clients determine what data is collected and how it is used
    • LimeSpot processes data only according to our clients' instructions
    • We implement appropriate security measures to protect personal data
    • We assist clients in fulfilling their GDPR obligations

    Client Responsibilities

    As a Data Controller, you are responsible for:

    • Privacy Policy: Updating your privacy policy to disclose that LimeSpot processes shopper data for personalization purposes
    • Consent: Obtaining appropriate consent from shoppers for data collection and processing, particularly for cookies and tracking
    • Cookie Notice: Implementing a cookie consent banner that informs users about LimeSpot's use of cookies for personalization
    • Data Subject Requests: Responding to shopper requests for access, rectification, or deletion of their personal data

    How LimeSpot Supports GDPR Compliance

    LimeSpot provides several features and practices to help you comply with GDPR:

    • Data Processing Agreement: We offer a Data Processing Agreement (DPA) that outlines our obligations as a data processor
    • Data Minimization: We collect only the data necessary to provide personalization services
    • Data Deletion: We can delete shopper data upon request from merchants
    • Security Measures: We implement encryption, access controls, and regular security assessments
    • Shopper Rights Portal: Shoppers can request access to or deletion of their data through our Data Protection Officer

    Data We Process

    LimeSpot processes the following types of data for personalization:

    • Browsing behavior (pages visited, products viewed)
    • Purchase history and cart contents
    • Device and browser information
    • Geographic location (country/region level)
    • Email address (when provided for personalized recommendations)

    We do not sell personal data or use it for purposes other than providing personalization services to our clients.

    Data Transfer and Storage

    Personal data may be transferred to and processed in Canada, the United States, or Europe. LimeSpot uses Microsoft Azure data centers, which maintain appropriate security certifications. For transfers outside the EEA, we rely on Standard Contractual Clauses and other appropriate safeguards.

    Data Protection Officer

    LimeSpot has appointed a Data Protection Officer (DPO) who can be contacted for any GDPR-related inquiries:

    Email: [email protected]

    The DPO can assist with questions about data processing, facilitate data subject requests, and address any privacy concerns.

    Breach Notification

    In the event of a data breach affecting personal data, LimeSpot will notify affected clients without undue delay (and within 72 hours where feasible). We will provide details about:

    • The nature of the breach
    • Categories of data affected
    • Approximate number of data subjects affected
    • Measures taken to address the breach
    • Recommended steps for affected individuals

    Getting Started with GDPR Compliance

    To ensure GDPR compliance when using LimeSpot, we recommend reviewing our GDPR Requirements page, which outlines the specific steps you should take.


    Related Documents: Privacy Policy | Data Processing Agreement | GDPR Requirements