GDPR & Data Privacy
Understand how DemandLoop protects customer data, complies with GDPR, and handles privacy requirements
DemandLoop is built with privacy-first principles and full GDPR compliance. This guide explains how we handle customer data, what rights customers have, and how merchants can ensure compliance.
What you'll accomplish
- Understand what data DemandLoop collects and why
- Know your obligations as a data controller under GDPR
- Handle customer data access, rectification, and deletion requests
- Ensure your store's privacy policy and cookie banner are compliant
Requirements
- DemandLoop app installed on your Shopify store
- A published privacy policy on your storefront
- Cookie consent banner if serving EU customers (for attribution tracking)
Quick Summary
What DemandLoop collects:
- Customer email addresses (subscriptions)
- Product preferences (variant subscriptions)
- Click activity (attribution tracking on Growth plan)
- Web push tokens (if customer opts in)
What DemandLoop does NOT collect:
- Payment information (never stored)
- Personal identification numbers
- Browsing history outside back-in-stock flows
- Social media profiles or connections
Data processing basis:
- Legitimate interest for back-in-stock service
- Explicit consent for web push notifications
- Contract fulfillment for merchant dashboard features
GDPR Compliance Overview
What Is GDPR?
General Data Protection Regulation (GDPR) is EU law protecting personal data and privacy.
Applies to:
- Stores with EU customers
- Stores operated from EU
- Any processing of EU residents' data
Key principles:
- Lawfulness - Legal basis for processing
- Transparency - Clear about data usage
- Purpose limitation - Use only for stated purpose
- Data minimization - Collect only what's needed
- Accuracy - Keep data correct and current
- Storage limitation - Don't keep longer than necessary
- Integrity & confidentiality - Protect data security
DemandLoop complies with all seven principles.
Legal Basis for Processing
1. Email subscriptions: Legitimate interest
Customer wants: Product availability notification
Our interest: Provide back-in-stock service
Balance: Transparent, minimal data, easy opt-out
2. Web push: Explicit consent
Customer action: Checks "Send me push notifications"
Browser prompt: "Allow notifications from this site?"
Consent: Two-step, explicit, revocable anytime
3. Click tracking: Legitimate interest (Growth plan)
Merchant needs: Attribution for performance measurement
Processing: Anonymized where possible, 7-day window
Balance: Business need vs minimal privacy impact
Data We Collect
Customer Data (Shopify Customers)
1. Email addresses
Purpose: Send back-in-stock notifications
Collected: When customer subscribes via widget
Stored: Encrypted in database
Retention: Until subscription completed/cancelled/expired
2. Product preferences
Purpose: Know which products customer wants
Collected: Product ID + Variant ID from subscription
Stored: Database records, non-personal
Retention: With subscription record
3. Subscription metadata
Purpose: System operation and troubleshooting
Collected: Subscription date, status, notification history
Stored: Database logs
Retention: 90 days after subscription closes
4. Web push tokens (optional)
Purpose: Deliver instant push notifications
Collected: Only if customer opts in via checkbox
Stored: Browser-generated token, not personally identifiable
Retention: Until customer unsubscribes or token expires
Merchant Data (Store Owners)
1. Shop information
Purpose: App installation and billing
Collected: Shop domain, owner email, Shopify plan
Stored: Application database
Retention: Duration of app installation + 30 days
2. Product catalog
Purpose: Display correct products in widget
Collected: Product titles, prices, images, inventory
Stored: Cached for performance
Retention: Refreshed daily, purged on uninstall
3. Analytics & usage
Purpose: Service improvement and billing
Collected: Subscription counts, email metrics, attribution data
Stored: Aggregated where possible
Retention: 12 months for reporting, then anonymized
Click Tracking (Growth Plan Only)
1. Attribution tokens
Purpose: Track which emails drive sales
Collected: Signed token with subscription ID + timestamp
Stored: In URL parameter, then cart attributes
Retention: 7-day attribution window, then deleted
2. Click events
Purpose: Calculate CTR and attribution rates
Collected: Click timestamp, email ID, success/failure
Stored: Event logs
Retention: 90 days for analytics, then anonymized
Important: Attribution tracking uses subscription IDs, not customer PII directly. Email addresses never appear in URLs.
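The attribution-token design described above (a signed token carrying a subscription ID and timestamp, honoured only inside the 7-day window, with no email in the URL) can be illustrated with the following added example. It is not DemandLoop's own code: the HMAC-SHA256 construction, the URL-safe encoding, the `payload.signature` layout and the signing key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

ATTRIBUTION_WINDOW_SECONDS = 7 * 24 * 60 * 60   # 7-day attribution window (from the page)

# Constructed key for the example; a real key lives server-side only and is never sent to the browser.
SIGNING_KEY = b"constructed-example-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_attribution_token(subscription_id: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """Return 'payload.signature'. The payload carries only a hashed subscription ID and a
    timestamp, so the URL parameter never contains a customer email or the raw ID."""
    sub_hash = hashlib.sha256(subscription_id.encode()).hexdigest()[:32]
    body = json.dumps({"s": sub_hash, "t": issued_at}, separators=(",", ":")).encode()
    payload = _b64url(body)
    signature = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_attribution_token(token: str, now: int, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload dict if the HMAC is valid and the token is inside the 7-day
    window; otherwise None (the click is then simply left unattributed)."""
    try:
        payload, signature = token.split(".", 1)
        provided = _b64url_decode(signature)
    except ValueError:          # malformed token or bad base64
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison, and the signature is checked before the payload is parsed.
    if not hmac.compare_digest(provided, expected):
        return None
    data = json.loads(_b64url_decode(payload))
    age = now - int(data["t"])
    if age < 0 or age > ATTRIBUTION_WINDOW_SECONDS:
        return None
    return data
```

A token whose signature fails, or whose timestamp falls outside the window, is treated as unattributed rather than as an error, which is the safe default for a sales-attribution signal.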
Data Security Measures
Technical Safeguards
1. Encryption at rest
Database: AES-256 encryption
Backups: Encrypted with separate keys
Email addresses: Hashed for certain operations
2. Encryption in transit
All connections: TLS 1.3
API endpoints: HTTPS only
Webhooks: Signed and verified
3. Access controls
Staff access: Role-based, minimal privilege
Logs: All data access logged
Authentication: Multi-factor required
API keys: Rotated regularly
4. Infrastructure security
Hosting: SOC 2 certified data centers (Hetzner)
Monitoring: 24/7 intrusion detection
Patches: Automated security updates
Backups: Daily, encrypted, off-site
Organizational Safeguards
1. Privacy by design
- Minimal data collection from start
- Clear purpose for every data point
- Regular privacy impact assessments
- Data protection in all features
2. Staff training
- GDPR compliance training for all staff
- Secure data handling procedures
- Incident response protocols
- Regular privacy audits
3. Data processing agreements
- Signed DPA with all subprocessors
- GDPR-compliant service agreements
- Regular vendor audits
- EU-based alternatives preferred
Customer Rights Under GDPR
Right to Access (Art. 15)
Customers can request:
- What personal data we hold
- Why we're processing it
- Who we've shared it with
- How long we'll keep it
How to fulfill:
Customer emails: [email protected]
Request type: "Data access request"
Response time: Within 30 days
Format: Machine-readable (JSON/CSV)
Merchants can help:
Dashboard → Subscriptions → Search by email
→ Shows all customer subscriptions
→ Export as CSV for customer
Right to Rectification (Art. 16)
Customers can request:
- Correction of incorrect data
- Update of outdated information
How it works:
Customer resubscribes with correct email
→ System creates new subscription
→ Old one can be cancelled
Or customer contacts support
→ We update on their behalf
→ Verify identity first
Right to Erasure / "Right to Be Forgotten" (Art. 17)
Customers can request:
- Complete deletion of their data
How it works:
Method 1: Self-service unsubscribe
→ Customer clicks unsubscribe link in email
→ All subscriptions cancelled
→ Data deleted after 30 days
Method 2: Support request
→ Customer emails [email protected]
→ We verify identity
→ Manual data deletion
→ Confirmation sent within 48 hours
What gets deleted:
- Email address
- All subscriptions
- Web push tokens
- Click history
- Preferences
What's retained (legal requirements):
- Anonymized analytics (subscription counts)
- Billing records (attributed orders, no PII)
- Audit logs (compliance, security)
Right to Data Portability (Art. 20)
Customers can request:
- Their data in machine-readable format
- Transfer to another service
How to fulfill:
Dashboard → Subscriptions → Export
→ Filtered by customer email
→ Download CSV with:
- Email address
- Subscribed products
- Subscription dates
- Notification history
Format:
email,product,variant,subscribed_at,status
[email protected],Nike Shoes,Size 10,2025-01-13,active
Right to Object (Art. 21)
Customers can object to:
- Processing based on legitimate interest
- Direct marketing
How it works:
Automatically honored via unsubscribe link
→ No further emails sent
→ Processing stopped immediately
→ Data deleted after 30 days
Right to Restrict Processing (Art. 18)
Customers can request:
- Pause processing while dispute resolved
- Keep data but don't use it
Rare in our context, but supported:
Customer requests restriction
→ Subscription marked "restricted"
→ No emails sent
→ Data preserved but not processed
→ Lifted when resolved
Merchant Obligations
As Data Controller
Merchants are responsible for:
1. Customer consent management
Widget includes:
- Clear subscription purpose
- Easy unsubscribe mechanism
- Link to privacy policy
- Transparent about data use
2. Privacy policy compliance
Your privacy policy should mention:
- Back-in-stock subscription service
- Email collection and notification use
- Third-party processor (DemandLoop)
- Customer rights (access, deletion, etc.)
- Retention period (90 days)
Sample privacy policy language:
"When you sign up for back-in-stock notifications, we collect your
email address and product preferences. We use DemandLoop, a
third-party service, to send notifications when products restock.
You can unsubscribe anytime via the link in notification emails.
Your data is deleted 90 days after subscription ends."
3. Responding to customer requests
Customer rights requests should be forwarded to:
- Email: [email protected]
- Include: Customer email, request type
- We'll handle within GDPR timelines
As Data Processor (DemandLoop's Role)
We handle data on your behalf:
1. Follow your instructions
- Process only for back-in-stock service
- Don't use data for other purposes
- Delete on your instruction
- Assist with rights requests
2. Data Processing Agreement (DPA)
Automatically in place when you install DemandLoop
Covers:
- Processing purposes
- Security measures
- Subprocessor list
- Data deletion terms
- Liability and indemnification
View DPA:
Dashboard → Settings → Legal → Data Processing Agreement
Subprocessors & Data Transfers
Our Subprocessors
1. Resend (Email delivery)
Purpose: Send notification emails
Data shared: Email addresses, email content
Location: USA (Standard Contractual Clauses)
DPA: In place
Certification: SOC 2 Type II
2. Hetzner (Infrastructure hosting)
Purpose: Database and application hosting
Data shared: All application data
Location: EU (Germany)
DPA: In place
Certification: ISO 27001
3. Shopify (E-commerce platform)
Purpose: Product sync, billing, webhooks
Data shared: Shop data, product catalog
Location: USA/Canada (Standard Contractual Clauses)
DPA: In place (via Shopify app terms)
International Data Transfers
Transfers outside EU:
- Resend (USA) - Email service
- Shopify (USA/Canada) - Platform provider
Safeguards in place:
- Standard Contractual Clauses (SCCs)
- Additional security measures
- Right to object to transfers
- Alternative EU processor available on request
For EU merchants requiring EU-only processing:
Contact: [email protected]
Subject: "EU-only data processing request"
→ We can configure EU-only email service
→ May involve additional costs
Data Retention & Deletion
Automatic Retention Policies
Active subscriptions:
Retained: While subscription active
Purpose: Fulfill notification service
Deleted: 90 days after completion/cancellation
Completed subscriptions:
Status: Notification sent, subscription fulfilled
Retained: 90 days (for analytics and disputes)
Then: Permanently deleted
Cancelled subscriptions:
Status: Customer unsubscribed
Retained: 30 days (for accidental cancellations)
Then: Permanently deleted
Expired subscriptions:
Status: No restock after 90 days
Retained: 30 days after expiry
Then: Automatically deleted
Attributed orders (Growth plan):
Status: Order attributed to DemandLoop
Retained: 12 months (for financial records)
PII removal: Email addresses anonymized after 90 days
Order ID + revenue kept: For billing transparency
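The retention rules above (per-status windows for subscriptions, and a two-stage rule for attributed orders where the email is anonymized after 90 days but order ID and revenue survive for 12 months) can be expressed as a scheduled sweep. The following is an added example, not DemandLoop's own implementation; the record shapes, the assumption that each window counts from the date a record entered its current status, and 365 days for "12 months" are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

DAY = timedelta(days=1)

# Retention windows from the Automatic Retention Policies above. Assumption: each window
# is counted from the day the subscription entered its current status.
SUBSCRIPTION_RETENTION = {
    "completed": 90 * DAY,  # notification sent; kept for analytics and disputes
    "cancelled": 30 * DAY,  # customer unsubscribed; kept for accidental cancellations
    "expired": 30 * DAY,    # no restock within 90 days; kept 30 days after expiry
}
ORDER_PII_WINDOW = 90 * DAY       # email anonymized after 90 days
ORDER_RECORD_WINDOW = 365 * DAY   # order ID + revenue kept 12 months (assumed 365 days)


@dataclass(frozen=True)
class Subscription:
    email: Optional[str]
    status: str        # "active", "completed", "cancelled" or "expired"
    status_since: date


@dataclass(frozen=True)
class AttributedOrder:
    order_id: str
    revenue: float
    email: Optional[str]   # None once anonymized
    attributed_at: date


def subscription_action(sub: Subscription, today: date) -> str:
    """'keep' while active or inside its window, otherwise 'delete'."""
    if sub.status == "active":
        return "keep"
    window = SUBSCRIPTION_RETENTION.get(sub.status)
    if window is None:
        raise ValueError(f"unknown subscription status: {sub.status!r}")
    return "delete" if today - sub.status_since >= window else "keep"


def order_action(order: AttributedOrder, today: date) -> str:
    """Attributed orders lose PII first and are dropped only after the financial window."""
    age = today - order.attributed_at
    if age >= ORDER_RECORD_WINDOW:
        return "delete"
    if age >= ORDER_PII_WINDOW and order.email is not None:
        return "anonymize"
    return "keep"


def apply_retention(subs: List[Subscription], orders: List[AttributedOrder],
                    today: date) -> Tuple[List[Subscription], List[AttributedOrder]]:
    """One sweep: returns the surviving subscriptions and orders (anonymized where due)."""
    kept_subs = [s for s in subs if subscription_action(s, today) == "keep"]
    kept_orders = []
    for order in orders:
        action = order_action(order, today)
        if action == "delete":
            continue
        if action == "anonymize":
            order = replace(order, email=None)   # strip PII, keep order ID and revenue
        kept_orders.append(order)
    return kept_subs, kept_orders
```

Running the sweep daily and checking that no record older than its window survives is a simple, auditable way to demonstrate the storage-limitation principle to an auditor.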
App Uninstallation
When you uninstall DemandLoop:
Immediate actions (Day 0):
- Widget disabled on storefront
- Webhooks unsubscribed
- Notification sending stopped
- API access revoked
Grace period (Days 1-30):
- Data retained for potential reinstallation
- Customer requests still processed
- No new data collected
Final deletion (Day 30):
- All customer subscriptions deleted
- All email addresses purged
- All product data removed
- All logs anonymized/deleted
- Anonymized analytics retained (legal requirement)
Billing records:
- Retained: Per tax law (7 years typical)
- PII status: Anonymized (no customer emails)
- Contains: Order IDs, revenue amounts, dates
- Purpose: Legal and accounting compliance
Cookies & Tracking
Cookies Used by DemandLoop
1. Session cookies (Required)
Name: bis_session
Purpose: Widget functionality
Duration: Session only (cleared on browser close)
Contains: No personal data
2. Attribution token (Growth plan)
Name: bis_attribution
Purpose: Track email clicks to sales
Duration: 7 days
Contains: Subscription ID (hashed), timestamp
3. Push notification permission
Name: bis_push_permission
Purpose: Remember permission choice
Duration: 90 days
Contains: Boolean (granted/denied)
Cookie Consent Requirements
For EU merchants:
You must obtain consent via cookie banner:
Sample banner text:
"We use cookies to provide back-in-stock notifications.
By clicking 'Notify Me', you consent to necessary cookies
for this service. [Learn more]"
DemandLoop cookies are:
- Strictly necessary (session cookies)
- Performance (attribution - requires consent in EU)
- Not marketing or advertising cookies
Configuring cookie consent:
Dashboard → Settings → Privacy
→ "Respect cookie consent signals"
→ If enabled: DemandLoop checks for consent before attribution
→ Works with: OneTrust, Cookiebot, etc.
Privacy Best Practices for Merchants
1. Transparent Communication
Do:
- Explain back-in-stock service clearly
- Link to privacy policy in widget
- Use plain language (not legal jargon)
- Make unsubscribe obvious
Don't:
- Hide subscription in checkout flow
- Use pre-checked opt-in boxes
- Collect more data than needed
- Share customer data with others
2. Regular Data Audits
Monthly checklist:
□ Review active subscriptions (any unusual growth?)
□ Check bounce rates (clean invalid emails)
□ Verify unsubscribe link works
□ Test customer data export
□ Confirm privacy policy up-to-date
3. Staff Training
Train your team on:
- What customer data DemandLoop collects
- How to handle customer rights requests
- Who to contact for privacy questions
- When to escalate privacy concerns
4. Incident Response
If data breach suspected:
1. Immediate: Contact [email protected] (priority)
2. Within 24h: Document what happened
3. Within 72h: Notify relevant authorities (GDPR requirement)
4. Inform affected customers if high risk
DemandLoop's breach notification:
- We notify merchants within 24 hours
- Provide incident details and scope
- Assist with customer notifications
- Implement remediation measures
Customer FAQs (For Merchants to Share)
"How do you use my email?"
"We only use your email to notify you when this specific product
restocks. We won't send marketing emails, and you can unsubscribe
anytime by clicking the link in our notification email."
"Can I see what data you have about me?"
"Yes. Email us at [your-support-email] requesting your data.
We'll send you a complete list of your subscriptions and any
notification history within 30 days."
"Can you delete my data?"
"Absolutely. Click the unsubscribe link in any notification email,
or email us at [your-support-email] requesting deletion. We'll
remove your information within 30 days."
"Do you share my data with anyone?"
"We use DemandLoop, a secure third-party service, to manage
back-in-stock notifications. They don't use your data for any
other purpose and delete it 90 days after your subscription ends."
"Is my data secure?"
"Yes. Your email is encrypted and stored securely. Only authorized
staff can access it, and we use industry-standard security measures
to protect against unauthorized access."
Compliance Resources
Documentation
Available in Dashboard:
Settings → Legal → Documents
- Data Processing Agreement (DPA)
- Privacy Policy
- Subprocessor List
- Security Whitepaper
Contact for Privacy Matters
General privacy questions:
- Email: [email protected]
- Subject: "Privacy Question"
Data Protection Officer (DPO):
- Email: [email protected]
- For formal GDPR matters only
Customer rights requests:
- Email: [email protected]
- Include: Customer email, request type
- Response: Within 30 days
Data breach reporting:
- Email: [email protected]
- Mark: "URGENT - Security Issue"
- Response: Within 24 hours
Regional Compliance
GDPR (EU)
- Full compliance with all GDPR requirements
- DPA available
- EU hosting option available
- Standard Contractual Clauses for transfers
CCPA (California)
- Honors "Do Not Sell" requests
- Provides data access/deletion
- Clear privacy notices
- No sale of personal information
LGPD (Brazil)
- Complies with data protection principles
- Transparent data processing
- Customer rights honored
- Secure data transfers
PIPEDA (Canada)
- Consent-based processing
- Limited data collection
- Secure data handling
- Access and correction rights
Summary Checklist
For merchants to ensure compliance:
□ Privacy policy mentions back-in-stock service
□ Widget includes clear subscription purpose
□ Unsubscribe mechanism tested and working
□ Staff trained on handling privacy requests
□ Cookie banner includes DemandLoop (if EU)
□ Customer rights request process in place
□ Regular data audits scheduled
□ Incident response plan documented
□ DemandLoop DPA reviewed and understood
□ Contact information for privacy matters saved
Verify
After reviewing your privacy setup, confirm:
- Your store's privacy policy mentions DemandLoop as a third-party data processor
- The unsubscribe link in notification emails works correctly
- Cookie consent banner covers DemandLoop attribution cookies (if serving EU customers)
- Your team knows how to handle a customer data access or deletion request
FAQ
Q: Do I need a DPA with DemandLoop?
A: A DPA is automatically in place when you install DemandLoop. You can view it at Dashboard > Settings > Legal > Data Processing Agreement.
Q: What happens to customer data if I uninstall the app?
A: Data is retained for 30 days (grace period for potential reinstallation), then permanently deleted. Anonymized analytics are kept for legal compliance.
Q: Does DemandLoop sell customer data to third parties?
A: No. Customer data is used exclusively to provide the back-in-stock notification service. It is never sold, shared for marketing, or used for any other purpose.
Need Help?
Privacy compliance questions:
- Email: [email protected]
- We'll help ensure your setup is compliant
Legal review needed:
- Consult your legal counsel
- We provide technical documentation
- Cannot provide legal advice
Specific privacy concern:
- Contact our DPO: [email protected]
- Include shop domain and specific issue
DemandLoop takes privacy seriously. We're committed to transparent data handling, robust security, and full compliance with privacy regulations worldwide.