GDPR: Some basic information

Chris Roach
Last updated: 02 Jul 2018
Disclaimer: GDPR is a far more complex beast than we set out in this document. Do not rely on this for the lawful basis of GDPR within your organisation. This is merely a simple guide for our users to help them understand the basics.

At Moltin we serve companies all over the world. As such we have to be careful about how we handle data for our users.

GDPR only really applies to our European consumers, and to anyone who serves individuals in the EU bloc. However, we’re rolling the principles of GDPR out across our whole organisation, as we stand by those principles as the bedrock of using individuals’ personal data responsibly.

This post is meant to give you an easier-to-digest overview of the work we’ve been doing to conform more effectively to the General Data Protection Regulation, and of how we use any data we collect on our systems right now.

We hope this helps you understand more about how we value your data and take privacy protection seriously within our organisation.

Our responsibilities

Moltin will always:

  • Work hard to keep your data secure.
  • Consider the security of data when completing any work.
  • Be open and transparent as much as is possible about the information we collect and how we might or might not process it.
  • Work hard to keep our users informed and armed with information and tools they need to keep their users safe and secure.

Data we collect

In order for you to use our platform (to sign up and utilise it), we collect the following required information:

  • Email Address
  • First Name
  • Last Name

We also optionally collect the following data:

  • Company Name

Behind the scenes

We store this personal information in secure databases which are only accessible to a small number of individuals and applications.

What We Do:

  • We audit access to this information, so we know when it was accessed and by whom.
  • We do use that data to help us understand how to make our platform better.
  • We use that data to contact you when we think we can help you or need to let you know important updates.

What We Don’t Do:

  • We don’t sell any of your personal data to third parties.
  • We don’t transfer that data to other places.
  • We don’t allow everyone in the organisation to see that data.

Data you collect

Moltin gives you the ability to store the following personal information:

  • Names
  • Email Addresses
  • Billing Addresses
  • Shipping Addresses

You could also potentially use other aspects of our API to store personal data, which we strongly advise against.

Behind the scenes

We store this personal information in secure databases which are only accessible to a small number of individuals and applications.

What We Do:

  • We audit access to this information, so we know when it was accessed and by whom.
  • We might use a Post or Zip Code without the person’s name or address for analytics.

What We Don’t Do:

  • We don’t sell any of your personal data to third parties.
  • We don’t transfer that data to other places.
  • We don’t allow anyone in the organisation to see that data.
  • We don’t use personal aspects of that data.
  • We don’t force you to use that data for other services, unless you so wish.

Collecting data safely and lawfully

It’s important for us and our users to understand what information you should and should not collect, and where you can store that information on Moltin safely.

1. Only collect what you need

You should only collect the personal information you really need. It’s perfectly legitimate to take billing and shipping addresses, as they get passed straight to the payment providers you have enabled.

But always consider if you need to store them on our system, and only collect the smallest amount of information you need to operate successfully.

2. Use the correct Moltin API for the information

We ask that you only use the services we’ve built for the manner in which they have been created.

For example:

  • We strongly recommend you only store address information in our addresses API.
  • We strongly recommend you only store customer emails or names in our customers API.
  • We strongly recommend you do not store personal information anywhere else in our API, for example as flow data.

3. YOU MUST NEVER

You must never store certain information inside our system. For example:

  • Payment Card details
  • Anything considered offensive, obscene, abusive, libellous, false, deliberately misleading, or otherwise illegal.
  • Any other personal information outside of our API’s required fields. This could include:

You would be breaking the terms of service if you do any of the above. You could also be removed from Moltin and possibly prosecuted.

Right to Access

Individuals have the right to access personal information stored.

Your Users:

Your store’s users (anyone who uses your store) have the right to:

  • Access all the data you store on them in a consumable digital format like CSV or JSON.
  • You must complete the process within a month.
  • You must not charge for access to that data.
  • You can ask for verification from the user to check they are who they say they are.

Our API gives you the ability to easily retrieve information about a user that you have stored on us in a simple digital format (JSON).

Moltin Users:

You can contact us to apply your “Right To Access”.

  • We will ask you for verification to check that you are who you say you are.
  • We will return data we store on you in a consumable digital format like CSV or JSON.
  • We will complete the process within a month.
  • We will not charge you for access to that data.

Right to Rectify

Individuals have the right for their personal information to be kept up to date, or for them to have that data rectified.

Your Users:

Your store’s users (anyone who uses your store) have the right to:

  • Rectify all the data you store on them.
  • You must complete the process within a month.
  • You must not charge for that process.
  • You can ask for verification from the user to check they are who they say they are.

Our API gives you the ability to easily edit information about a user that you have stored on us. You can also put systems in place so those users can edit their information themselves.

Moltin Users:

You can contact us to apply your “Right To Rectify”.

  • We will ask you for verification to check that you are who you say you are.
  • We will rectify data for you, if you cannot do that yourself.
  • We will complete the process within a month.
  • We will not charge you for rectification of that data.

Right to Remove

Individuals have the right for their personal information to be removed from our systems.

Your Users:

Your store’s users (anyone who uses your store) have the right to:

  • Remove all the data you store on them.
  • You must complete the process within a month.
  • You must not charge for that process.
  • You can ask for verification from the user to check they are who they say they are.

Our API gives you the ability to easily remove information about a user that you have stored on us. You can also put systems in place so those users can remove their information themselves.

Moltin Users:

You can contact us to apply your “Right To Remove”.

  • We will ask you for verification to check that you are who you say you are.
  • We will rectify data for you, if you cannot do that yourself.
  • We will complete the process within a month.
  • We will not charge you for rectification of that data.

Right to stop processing

Individuals have the right for their personal information to not be used in any form of processing. Processing could mean being used for ad targeting, email campaigns, analytics and so on.

Your Users:

Your store’s users (anyone who uses your store) have the right to:

  • Stop all processing on personal information stored on them.
  • You must complete the process within a month.
  • You must not charge for that process.
  • You can ask for verification from the user to check they are who they say they are.

At Moltin we do not process your users’ personal information for any of the examples above. If you are using that data for anything, you should have systems in place to stop utilising it on their request.

If you cannot stop processing that data without stopping your users from utilising your service, you should offer them the option of removing their data, even if it stops them from using your platform.

Moltin Users:

You can contact us to apply your “Right To Stop Processing”.

  • We will ask you for verification to check that you are who you say you are.
  • We will stop processing that data, or remove your data if it stops our platform being used effectively by you.
  • We will complete the process within a month.
  • We will not charge you for this process.

Help

For any of the rights you hold above, or for questions about data security, you can contact our DPO here: dpo@moltin.com
