DCK Online Store Terms and Conditions (English only)
Packages sent through Express Transportation Company (Chronopost/ SEUR/ CTT) or CTT Registered Mail (Portugal Mail).
All orders done before 11am are issued the same day and delivered, depending on the destination, a minimum of 24 later.
Value and time of delivery:
NOTE: Some countries are experiencing major issues in their post and shipping processes. Shippings to Brazil, Angola &/or others should expect long delays.
Shipping times may vary for reasons outside of DCK's control.
Portugal (Land only): Delivered in 1 to 3 days – 4€
Spain (Land only): Delivered in 2 to 3 days – 4€
France, Germany: Delivered in 4 to 9 days – 6€
Denmark, Italy, Netherlands, UK, Sweden: Delivered in 4 to 9 days – 7€
USA: Delivered in 10 to 25 days – 10€
Rest of the World: Delivered in 4 to 30 days – 10€
INFORMATION: The client is responsible for any costs related to Goods & Customs. You may be charged customs duties and taxes for something purchased online because:
- Duties and taxes are not included in the price of the goods you purchase online, and are not included in the overall shipping costs you pay to the DCK.
- When purchasing goods online, some or all of these goods may not originate in the country you reside in, therefore are subject to a customs duty, which is a tariff or tax imposed on goods when transported across international borders.
- When goods are not shipped domestically (within your country) or within a single customs union, such as the European Union, you are liable to pay any inbound duties and taxes which your local customs authority deems appropriate.
- What is payable, if anything, depends on where the goods are sent to (all DCK orders come from the European Union - Portugal)
General Data Protection Regulation:
DCK is working towards a Safe & Transparent GDPR compliance.
All information provided by the Customer is used only for Shipping and Billing processing.
Only if the Customer opts-in, his or her information may be used for Marketing Communication.
At any time, if the customer requires that his or her information is deleted, DCK will comply within 30 days.
All personal data will only be used by DCK or entities explored by DCK.
If we are attacked, we will inform the customer immediately.
DCK's Online Store is run by the e-commerce platform for online stores and retail point-of-sales systems named SHOPIFY.
All information and processes run at DCK's Online Store are protected by Shopify's General Data Protection Regulation policy, which can be fully read at the end of these Terms & Conditions.
All data is secured and encrypted through Shopify.
DCK accepts exchanges in the 15 (fifteen) consecutive days following the day that the order is received, as long as the product stays intact.
In case the wanted product is not available, a Voucher of equivalent value can exchange the one initially ordered.
DCK must be previously informed about the exchange by e-mail at firstname.lastname@example.org
The package must be returned complete, as delivered and together with all documentation received, specifically the following documents: Invoice and Transportation Company proof of delivery.
The tag cannot have been removed and the product cannot have been worn. Otherwise, the exchange will be canceled. The package and named documents should be sent to the following address:
DCK – Exchange
Rua D. Joao V, 2C
1250-090 Lisboa, Portugal
DCK will analyse and evaluate whether the product is intact and suitable for exchange or refund.
Payment is done by Credit Card; by PayPal; or by Entity + Reference (when available) and processed either by Shopify's partners or by the partner company Easypay – Instituição de Pagamento, Lda.
These Terms and Conditions are strictly applicable to DCK and protected by Copyright.
Copy or reproduction to any Store or Service not authorized by DCK is subject to judicial evaluation and consequent actions.
1. Scope and Object of the Online Store General Condition
The following General Conditions are meant, along with the Order Form and other elements mentioned, to regulate the terms and conditions that the DCK Online Store will respond to.
DCK Kompany, Lda, with the fiscal address on Rua D. João V, 2C, 1250-090 Lisbon, Portugal with the Fiscal Identification Number 510 691 064 (Portugal) and with the Share Capital of €500, from now on mentioned “DCK”.
The Service consists on providing, through the website www.dck.pt, access to the online store that includes information regarding a number of products that, electronically, can be ordered within the Terms and Conditions hereby displayed.
Users must be 18 (eighteen) or more years of age (younger users can have authorizations of their representatives) to complete a purchase.
Elements and information provided by the User will have full legal effect. Users recognize online purchases, not being able to claim lack of signature to avoid following the obligations assumed when shopping.
2. Information regarding Product and Content
DCK will do its best to provide all information as accurate as possible.
DCK will do its best to send the total amount of products ordered, but it is possible that, in some cases, due to some causes not controlled by DCK such as human error or incidences in the informatics systems, it is not possible to deliver one or more of the products ordered by the User. In case any product is not available after it is ordered, the User will be warned by e-mail or by phone. In that moment, he will have the possibility of canceling the order, with the value being refunded to him.
All information regarding price, products, specifications, promotional campaigns and services can be altered at any moment by DCK.
3.1 All products and Services marketed on the DCK Online Store are according to the Portuguese Law.
3.2 The DCK Online Store has the appropriate security levels. Although, DCK will not be responsible for any losses suffered by the User and/or third party because of delays, interruptions and suspension of communication that origin in causes out of its control, namely scientific or failures caused by the Communication network or Communication services provided by third party entities, by the Computer System, Modems, Connection Software or eventual Virus. If by any reason the access to the DCK Online Store is unavailable or not working properly, DCK will not be responsible for eventual losses.
3.3 All information filled in this service is presumed to be provided by the User. DCK declines any responsibility recurring from abusive or fraudulent use of the information.
3.4 DCK will not be responsible for any losses or damages caused by abusive use of the Services that are not directly attributable to willful misconduct or gross negligence. DCK is not responsible namely for (i) mistakes, omissions or other inaccuracies regarding information displayed on the Service; (ii) damage caused by the User or third party, including violation of intellectual property; (iii) by not complying or complying wrongfully causing or caused by judicial actions or administrative authority; (iv) by not complying or complying wrongfully causing or caused by force majeure / unpredicted situations, not caused and not controlled by DCK such as fires, energy cuts, explosions, war, riots, civil insurrections, governmental decisions, strikes, earthquakes, floods or other natural cataclysms that block or harm the normal operation of the Service.
3.5 DCK does not guarantee that:
i) The Service is provided in an uninterrupted way, that is safe, without mistakes or errors and works in a perfect way
ii) The quality of any product, service provided or any other material bought or obtained through the Service fulfills any expectation the User has of it
iii) Any material obtained in any way through the Service is used at User’s own risk.
iv) No advice or information, written, said or shown given by the Service and/to the User creates any guarantee that is not clearly stated in this Terms and Conditions.
3.6 The User accepts that DCK cannot in any way be held responsible for any damage, including, but not limited to, damage caused by loss of profit, data, content or any other losses (even if previously warned by the User about the possibility of these damage) occurred by:
i) Impossibility of the User wearing the Product
ii) Difficulty of replacing the Service/Product
iii) Unauthorized access or modification to personal data base
4. Obligations of the Consumer
4.1. The User is obliged to:
i) Supply accurate personal data and address.
ii) Not using fake name or information
4.2. In case any of the data is incorrect or insufficient, and for that reason there is a delay or impossibility of processing the order, or eventual non-delivery, the responsibility is of the User, with DCK declining any responsibility. In case the User violates any of these obligations, DCK has the right to block future buys, blocking the access to the Online Store, cancelling the supply of any other Services available at DCK, and also, not allowing future access to any service available by DCK.
4.3. It is strictly forbidden to use DCK products acquired on the Online store Commercially, namely for Retail.
5. Privacy and Personal Data Protection
5.1 DCK guarantees the confidentiality of all data supplied by the User
5.2 All personal data identified in the Order Form as Mandatory are fundamental to the Supplying of the Service for DCK. Not including or mistakenly providing any of these details are the User’s responsibility and can lead to refusal of Service by DCK.
5.3 The User’s personal data is processed and kept in DCK’s database and are destined to be used by DCK regarding contractual and/or commercial relation with the User and, in case DCK is authorized by the User, to advertise its products.
5.4 In the terms of applicable legislation, it is guaranteed to the User, with no extra costs, the right to access, removal and update of his personal Data, directly or by written request, as well as the right to oppose to the Use of the same data for the previously stated use. For this, the User should contact the department responsible for personal data management: email@example.com
5.5 The Internet is an open network, so, the User’s personal data and other information, might circulate on the web with no safety conditions, risking to be accessed and used by third party people or entities that are not authorized. DCK cannot be held responsible for this access/information.
6.1 DCK ships to most countries in the world, with the list being available on the website. Deliveries to some countries can be affected or cancelled because of Events not controlled by DCK. If this happens, the User will be warned and the money will be refunded.
6.2. Shipping Timings All orders are Shipped 5 times a week through a transportation company (SEUR; UPS; Chronopost; Fedex or similar) to the European Union or through CTT – Portugal Mail to outside the EU. All orders are shipped at 3pm and delivered, at least, 48h later. The delivery time varies depending on the destination
6.3. Shipping Costs Shipping costs change depending on the destination country. All prices are stated in the Checkout page
7.1 Products ordered online can be exchanged in the 15 (fifteen) days following the delivery, as long as the product stays intact. The packaging must be returned complete, as delivered and along with all documents regarded, namely the sale invoice (can be sent by e-mail to firstname.lastname@example.org) and the price Tag (cannot be removed). The product cannot have been worn; otherwise the exchange will be canceled and the original product will be returned to the User. The package should be sent to:
DCK – Exchanges
Rua D. João V, 2C
7.3 Before the Exchange process, the User must alert DCK by e-mail (email@example.com) with the Subject: Exchange DCK (or Trocas/Cambios, depending on the Language). Please state clearly the Order/ID number (available in the order confirmation e-mail), your name, and name and size of product.
7.3 In case the product or size wanted is not available, the User can request a Gift Card to exchange later.
8. Payment Methods
8.1 All orders can be paid by Credit Card; PayPal or Entity+Reference. This service is provided by Shopify's partners or partner company – “Easypay - Instituição de Pagamento Lda”, located in Portugal, with the VAT number 505237431.
9. Canceling Orders
9.1 By request of the User The User can cancel his order by soliciting it to DCK by phone or e-mail, referring the Order number/ID. DCK will accept it unless it has not been processed yet and in the maximum of 14 days. To confirm the cancelling, the User should also state the name, VAT number and address used at the time of Order.
9.2 By DCK’s decision DCK reserves the right to not process Orders when some inconsistency in the personal data or bad conduct is noted.
DCK reserves the right to not process any Order, Cancelation or Exchange in case there are some errors noted. These errors can be in the values and/or details of the products, when occurring from technical problems not caused by DCK
10. Return (Right to Refund)
10.1. According to Law, the User has the right to return the product and get a refund in the 14 days following the delivery, unless the package, price Tag or the original product has been removed or altered. If this has happened, the Return will be canceled and the original product will be returned to the User.
The package should be sent to:
DCK – Returns
Rua D. João V, 2C
10.2 Before the Return process, the User must alert DCK by e-mail (firstname.lastname@example.org) with the Subject: Return DCK (or Devoluções/Devolución, depending on the Language). Please state clearly the Order/ID number (available in the order confirmation e-mail), your name, and name and size of product along with a proof of IBAN/Swift code.
10.3 The User can request a Gift Card to exchange later instead of a Refund.
10.4 After receiving the returned product, DCK will refund the client the amount paid for the product (excluding Promo codes/discounts).
10.5 The payment method used to place the order will be used for the refund. In case the payment has been made with Credit Card, the value will be credited in the respective account. In other cases, the refund will be made by Bank Transfer to the IBAN of the User after he has provided it. The refund will be made up to 14 days after the return of the product.
10.6 In case any part of the product is missing, or it is not intact, in perfect shape or has been worn, the refund will be canceled and the product will be shipped back to the initial expedition address.
11. Manufacturing Defect
11.1. In case of manufacturing defect, which is when a problem is detected in the product that is obviously not meant to exist, the user should return the product, along with a copy of the invoice. The packaging must be returned complete, as delivered and along with all documents regarded, namely the sale invoice (can be sent by e-mail to email@example.com) and the price Tag, otherwise the exchange or refund will be canceled and the original product will be returned to the User. The package should be sent to: DCK – Returns Rua D. João V, 2C 1250-090 Lisbon, Portugal
12. Intellectual Property
12.1 “Shop” is a registered website and the Service provided by the website is DCK’s responsibility.
12.2 The User acknowledges that the Service contains confidential information and is protected by Copyright and related, industrial property and furthermore applicable legislation.
12.3 The User acknowledges that any content that is part of DCK’s advertising, featured on any promotion or mention of any Sponsor or Partner is protected by the laws related to Copyright and related, industrial property and furthermore applicable legislation. Any use of these contents can only occur under express authorization by the respective holders.
12.4 The User commits to fully respect the rights referred in the previous paragraph, namely abstaining to commit any act that can violate the law or the referred rights, such as reproducing, commercialize, transmitting or making available to the public any content or any other non-authorized acts that have the same goals.
13. Safety Conditions of the Service
13.1 The User complies to observe all legal applicable dispositions, namely to not practice or promote the illicit or offensive moral acts, such as Spamming or violating the personal data treatment and advertising laws. The User should observe the rules of Use of the Service, under the possibility of DCK suspending the Service.
13.2 The User expressly recognizes and accepts that the IP Network is a public electronic communication Network and is susceptible to Use by several Users and, therefore, computing overload. DCK does not guarantee uninterrupted Service, without loss of data or delays.
13.3 DCK does not guarantee that the Service is provided in unpredicted situations of system overload or Force Majeure (Extraordinary situations, not controlled by DCK)
13.4 In case the Service is interrupted due to unpredicted overload in the Systems that control it, DCK commits to regulate it as soon as possible.
13.5 Without prejudice of other forms of communication mentioned in these Terms and Conditions, any eventual changes to them can be informed to the User in the form of e-mail by request to firstname.lastname@example.org.
13.6 The User accepts to get any kind of notification or communication related to the Online store to the Address, telephone or e-mail stated during the Order placement. At any moment, the User can solicit to not receive these communications and/or notifications by e-mail to email@example.com or by clicking the option “Do not receive Newsletter” available in any newsletter.
14. Technical Configurations
14.1 Without prejudice to what is mentioned in the following paragraph, DCK can alter the Service and/or the Technical conditions of the Service and Rules of Use. DCK should inform the User such changes with a minimum of 15 days in advance.
14.2 The Current version of the Terms and Conditions and attachments at any moment is available in the website www.dck.pt.
15.1 Whenever DCK decides it is necessary or convenient to optimize the experience of browsing and/or improve the connection conditions, it can remotely reformulate the network configurations.
15.2 Without prejudice of the following paragraphs and attesting the innovative character of the Service and technological evolution that can occur, DCK can alter its technical configurations whenever it is convenient to adapt it to eventual technological development.
15.3 DCK does not guarantee, however, any upgrades or improvements to the Service.
15.4 Some upgrades or new functionalities of the Service can be available only after payment by the User or Subscription to certain specific Conditions of Use.
16.1 The User can submit any complaint to the Service, to the Mechanic, to the Rules or Mediation that are available, as well as complaining to DCK about acts or omissions that violate the applicable legal dispositions to goods acquisition.
16.2 The claim should be submitted in the maximum of 30 (thirty) days after the User acknowledges the facts. It will be registered in DCK’s information system that will ponder on the Claim and will notify the User in the maximum of 30 (thirty) days counting after its reception.
17. Applicable Law
17.1 The Terms and Conditions are ruled by Portuguese Law.
April 20, 2018
Table of contents
Global GDPR application
Who does the GDPR apply to?
Shopify
Merchants and partners
Buyers
What data does the GDPR apply to?
Controller vs. processor status
Processor obligations
Subprocessing
Data protection impact assessments
Personal data breach reporting
Appointment of a Data Protection Officer
Controller obligations
Facilitating requests
Posting a privacy notice
Complying with marketing and cookie regulations
Obtaining consent to process children’s data
Legal basis for processing
Data transfers
Within EEA
EEA to Canada
United States
Disclosures to third parties
Shopify ecosystem
App Store disclosures
Data subject rights
Erasure
Timing
Scope
Access
Data portability
Rectification
Automated decision-making
Data protection and security
Organisational measures
Technological measures
Monitoring and logging
Security controls
Security standards and certifications
Contractual agreements and data processing addenda
Shopify plans
Shopify Plus plans
Accountability and transparency
FAQ
What do I do if I have more questions about the GDPR or my local privacy laws?
Who can I contact for more information on Shopify’s practices?
If I use Shopify to host my store, does my business comply with GDPR?
Will Shopify sign Standard Contractual Clauses?
Shopify is working to make sure that it will comply with the European Union’s General Data Protection Regulation (GDPR) when it takes effect on May 25, 2018, and to make sure that its merchants will also be in a position to comply in relation to their use of Shopify. This whitepaper presents Shopify's approach to GDPR preparation and compliance.
BCRs: Binding Corporate Rules.
Buyer: Person visiting a store hosted by Shopify.
Controller: Party that determines how and for what purposes personal data is processed.
DPIA: Data Protection Impact Assessment.
EEA: European Economic Area. EEA countries currently include Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
GDPR: General Data Protection Regulation.
NDA: Non-disclosure Agreement
Partner: Party that creates Shopify stores on behalf of merchants.
Personal data: Any information relating to an identified or identifiable person.
PIPEDA: Personal Information Protection and Electronic Documents Act.
Processor: Party that processes personal data on behalf of the controller.
Global GDPR application
Who does the GDPR apply to?
The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because Shopify works with merchants who serve buyers in the EEA, and serves buyers in the EEA directly, the GDPR applies to these elements of its business.
However, because Shopify believes strongly in data protection and privacy, it will give all of its merchants and partners the ability to offer their buyers the rights afforded by the GDPR to control their personal data, wherever they live. Additionally, Shopify will provide tools and processes for its merchants to fulfill GDPR-related requests from their buyers regardless of the buyer’s location.
Merchants and partners
Separate from the way in which the GDPR applies to Shopify, the regulation also applies to Shopify’s merchants and partners who operate in the EEA or offer goods or services to residents of the EEA.
While Shopify is working to make sure that its own operations will comply with the GDPR, and to provide its merchants and partners with the tools to help its merchants comply with the GDPR, each merchant is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate or have buyers.
Using Shopify does not guarantee that a merchant or partner complies with the GDPR.
The GDPR also gives certain rights to identified or identifiable persons (referred to as data subjects), including buyers visiting stores belonging to Shopify merchants. These include the right to request:
● Deletion (erasure) of their personal data
● Correction (rectification) of their data
● Access to their data
● An export of their data in a common (portable) format
This topic is discussed more fully in the Data subject rights section.
What data does the GDPR apply to?
The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
● Identification number
● Location data
● Online identifier (such as IP address or cookie ID)1
Controller vs. processor status
The GDPR separates data protection responsibilities into two categories: controllers and processors.
Controller: The party that determines for what purposes and how personal data is processed.2
1 General Data Protection Regulation, Article 4(1).
2 General Data Protection Regulation, Article 4(7).
Processor: The party that processes personal data on behalf of the controller.3
Under the GDPR, in most cases the merchant collects information from their buyers as a controller. Generally, Shopify acts as a processor for the merchant with respect to such buyer personal data (or, if the merchant acts as a processor, Shopify acts as a subprocessor):
The one exception is for buyers with whom Shopify has a direct existing relationship. For example:
● Buyers who use Shopify's Frenzy flash-sale app to access a merchant's store
● Buyers who use Shopify Pay, which allows the buyer to store their payment information with Shopify for use across different Shopify stores
● Buyers who use Shopify’s Arrive app to track the status of orders made from a merchant’s store
Although in such cases the merchant may also separately be a controller of the buyer’s personal data, Shopify processes the personal data of these buyers as a controller, as indicated in the following diagram:
3 General Data Protection Regulation, Article 4(8).
To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller.
Where Shopify is a processor for a merchant, it processes personal data on documented instructions from merchants. For example, when a merchant clicks Fulfill items, they give Shopify the instruction to process the data necessary to perform that action.4
Similarly, when a merchant selects a particular payment processor, or installs an application through the Shopify app store, they give Shopify the instruction to transmit data to the relevant party.
The GDPR also places several other responsibilities on the processor, discussed below:
4 See section 2.2.1 of Shopify's Data Processing Addendum:
Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Shopify uses a number of subprocessors to provide the service, including to:
● Store platform data
● Operate the forums and other portions of Shopify's website
● Respond to and manage support inquiries
When a merchant signs up for the Shopify service, they consent to allow Shopify to use subprocessors. A list of subprocessors is available upon request.
Data protection impact assessments
Shopify is formalising the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. Shopify will help answer reasonable questions a merchant has about Shopify’s processing activities.
Personal data breach reporting
Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.
Shopify is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant's contract with Shopify.
Appointment of a Data Protection Officer
Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.
Shopify’s Data Protection Officer can be reached at firstname.lastname@example.org. Merchants should consider whether they also need to appoint a Data Protection Officer.5
Under the GDPR, the controller has the following responsibilities:
Controllers are obligated to help data subjects exercise their rights.6 Shopify’s merchants can do this by forwarding buyer requests to Shopify, as detailed in the Data subject rights section of this document.
Posting a privacy notice
When personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller.7
5 General Data Protection Regulation, Article 37.
6 General Data Protection Regulation, Article 12(2).
7 General Data Protection Regulation, Article 13.
Complying with marketing and cookie regulations
Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate.
All merchants should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.
Obtaining consent to process children’s data
When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child's parents for processing their data.10
Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain buyers.
Legal basis for processing
Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal bases under which personal data may be processed. These reasons include:
● Contractual obligations
● Legal obligations
● The public’s interests
● Legitimate interests of the controller or third party, balanced against the rights of the data subject11
Consent of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmative action.12
This agreement must be:
● Freely given
Merchants, as controllers of their buyers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.13
As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes buyers’ personal data on behalf of and on the instructions of the merchant. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the merchant is also responsible for obtaining appropriate consent.
11 General Data Protection Regulation, Article 6.
12 General Data Protection Regulation, Article 4(11).
13 General Data Protection Regulation, Article 7(1).
9 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Will be replaced by the ePrivacy Regulation.
10 General Data Protection Regulation, Article 8. Individual member states may lower the age of consent.
Upon request, Shopify will provide merchants with any reasonable information they require to obtain consent (for example, information about the categories of cookies placed when a buyer visits a storefront).
Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:
● Adherence to domestic laws that have been deemed adequate by the European Commission
● Negotiated agreements (such as the EU-U.S. Privacy Shield)
● Contractual protections
● Approved sets of internal policies (Binding Corporate Rules)
● Approved codes of conduct or certifications
Shopify has protections for personal data in every step of its data flow, as described below. The following diagram illustrates Shopify's data transfer structure
EEA personal data is received and initially processed by Shopify's Irish entity, Shopify International Ltd.
EEA to Canada
Data is exported from the EEA to Shopify’s Canadian parent entity, Shopify Inc. This export takes place within Shopify’s corporate structure.
Data within Shopify Inc. is protected under PIPEDA, Canada’s private sector privacy legislation, which is considered adequate under the GDPR.14
Shopify Inc. uses a combination of data centers and cloud service providers to store this personal data in the United States and Canada.
When personal data is transferred to the United States, the transfer takes place either through the EU-U.S. and Swiss-U.S. Privacy Shield, for Shopify’s own storage, or through contractual data protection addenda (DPAs) with third-party service providers. The EU-U.S. and Swiss-U.S. Privacy Shields are also considered adequate under the GDPR. Shopify’s Privacy Shield certification statement can be found on PrivacyShield.gov.15
14 Pursuant to the European Commission’s adequacy decision 2002/2/EC. Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539), online at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002D0002&qid=1415699250815.
15 See: https://www.privacyshield.gov/participant?id=a2zt0000000TNSNAA4.
Additionally, Shopify is in the process of applying for approval of Binding Corporate Rules (BCRs) by the Irish Data Protection Commissioner. After they are approved, Shopify will rely on these BCRs to protect the personal data that is transferred between Shopify’s corporate entities worldwide.
Disclosures to third parties
Shopify will never independently sell personal data for commercial purposes. However, Shopify does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:
● Store platform data
● Operate the forums and other portions of Shopify's website
● Respond to and manage support inquiries
Additionally, Shopify may provide personal data, where permitted, to prevent, investigate, or respond to:
● Potential fraud
● Illegal conduct
● Physical threats
● Violations of any agreements with Shopify
Shopify also provides information to third parties when legally required to do so. Where Shopify believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.
More information on when Shopify discloses personal data will soon be provided on Shopify's website under the heading Guidelines for Legal Requests for Merchant or Buyer Data.
If a merchant agrees to use a third-party service provider such as a payment processor, a sales channel, or an app that is not controlled by Shopify, the respective service provider’s use of personal data is controlled by the merchant’s agreement with the provider. Shopify is not responsible for the data practices of these third-party service providers, and merchants should carefully evaluate these service providers as they would any third party.
Shopify recognises that it might be difficult for some merchants to obtain enough information from these service providers to conduct a careful evaluation. Shopify is working with these providers to make sure that they make information available to merchants about their data practices.
App Store disclosures
Similarly, Shopify is requiring all apps on the Shopify App Store to post disclosures about how the app handles personal data, but Shopify is not responsible for any app’s data collection or use, or for how the merchant uses the app. The merchant is responsible for reviewing these disclosures and for ensuring that their use of the app complies with the laws of the jurisdictions in which the merchant operates or where it has buyers.
Data subject rights
The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.16 The following rights are granted to data subjects:
16 General Data Protection Regulation, Article 12(3).
Data subjects have the right to request that their personal data be erased in certain circumstances.
If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to Shopify, the merchant should:
● Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)
● Confirm there is no legal reason to preserve this data
If both conditions are satisfied, the merchant should forward the request to Shopify, either through Shopify's support system, or by emailing email@example.com.
After a request is received, Shopify will ensure that the relevant personal data is erased. If erasing it is impossible, Shopify will let the merchant know to what degree it is impossible, and why.
In addition to contacting Shopify, the merchant should also work with any relevant third parties to make sure that they delete or anonymise the personal data.
Personal data cannot be erased from Shopify while it is:
● Associated with a pending order
● Associated with an order made fewer than 180 days before the request (the usual window in which a buyer can make a chargeback).
If the buyer’s personal data cannot be erased for this reason, the merchant should re-submit the deletion request after the appropriate time has passed.
When processing a request for erasure, Shopify will anonymise the personal data of the buyer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.
If no data erasure requests are received, Shopify will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.
Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data.
If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to Shopify. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.
The merchant can then reach out to Shopify, either through Shopify's support system, or by emailing firstname.lastname@example.org.
When Shopify receives the request, it will:
● Confirm whether personal data about a buyer is being processed
● Confirm what categories of data are being processed by Shopify
● Provide the buyer with the relevant information from Shopify
Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.
Merchants may export some data directly from their store’s admin page. Many data types can be exported to common formats such as Excel or CSV with one click:
● Transaction histories
● Product lists
● Customer lists
In addition, if a merchant contacts Shopify to request copies of processed data, Shopify will make the data available in a common format.
Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller.17
Shopify’s platform allows a merchant to change customer records directly from their store admin.18
17 General Data Protection Regulation, Article 16.
18 However, current orders cannot be modified.
Data subjects have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision making has a legal effect on the data subject or otherwise significantly affects them.19 An example of a legal effect is a decision that impacts an individual’s legal or civil rights, or their rights under a contract. Examples of significant effects include decisions that have a financial impact on individuals, or impact their employment.
Shopify does not currently engage in fully automated decision-making that has a legal or otherwise significant effect using buyer data.
Services that include elements of automated decision-making are highlighted below:
● Temporary blacklist of IP addresses associated with repeated failed transactions. Persists for a small number of hours.
● Temporary blacklist of credit cards associated with blacklisted IP addresses. Persists for a small number of days.
Data protection and security
Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.20
19 General Data Protection Regulation, Article 21.
20 General Data Protection Regulation, Article 25, 32.
Shopify has implemented many of the controls and processes identified in the GDPR, including:
● Anonymising and encrypting personal data
● Ensuring confidentiality, integrity, availability, and resilience of
● Restricting who may access personal data
● Ensuring availability and access to personal data in the event of a physical or technical incident
● Performing regular testing, assessments, and evaluation of technical and organisational security measures
Shopify has a robust, cross-functional data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:
● Internal Security
● Legal Operations
● Production Security
● Processing Integrity
Technological measures
Monitoring and logging
Controllers—and where applicable, their representative—must maintain records of the personal data processing activities for which they are responsible.
Shopify maintains system and application logs relating to events and access to certain systems used for the processing of personal data. These logs are stored on log servers for approximately a month, and then moved to offsite backup locations, where they remain available for at least 12 months.
Shopify encrypts data sent to and from merchants and buyers using the HTTPS protocol.
Shopify also encrypts any sensitive stored information, and salts and hashes merchant and buyer passwords using bcrypt.
Merchants can also set up additional security features. An account holder can take the following actions from their Shopify admin:
● Enable multi-factor authentication for staff
● Define, to a certain extent, what personal data is collected from
● View certain activity logs, including recent login activity by staff
● Set role-based permissions for staff accounts
Security standards and certifications
Shopify and all online stores powered by Shopify are Level 1 PCI-DSS compliant.21
Shopify uses third-party data centers with industry-standard certifications. Examples include:
● Tier III
● ISO 27001
● PCI-DSS
21 See: https://www.shopify.ca/pci-compliant.
SOC reports for all facilities, which include physical protections, can be provided to merchants on request under an appropriate NDA.
Contractual agreements and data processing addenda
For merchants whose relationship with Shopify is governed by Shopify's online Terms of Service, Shopify has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as Shopify is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.
Shopify Plus plans
For Shopify Plus merchants, their negotiated contract will govern their relationship with Shopify. Merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants that have not already signed a Data Processing Addendum with Shopify and would like to do so should reach out to their Merchant Success Managers. Shopify Plus merchants that do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum (which is incorporated by reference into our online Terms of Service).
Accountability and transparency
Shopify is compiling data for a transparency report, to be released at the end of 2018.
Who can I contact for more information on Shopify’s practices?
Contests / Giveaways
DCK occasionally organizes contests/promos such as Giveaways, Quizzes, among others.
These contests are done for leisure purposes and should be considered as such.
By participating, the users submit to its terms and conditions.
The rules of these contests are subject to change at any given time. DCK can decide whether each participation is valid or not, and block users from participating for various reasons.
If several participations are eligible to win, the winner will be chosen by a method decided by DCK, normally a random pick.
DCK is responsible for deciding which participation is the winner.
To pick a random winner, DCK will use either an online platform or an Excel workbook.