by Mike Rubini, Founder @

The General Data Protection Regulation (GDPR) is approaching and will set the bar high with regard to protecting the integrity of the individual in the EU. Cart is currently preparing our business for compliance. This post is intended to give our customers an update on our current status with regard to GDPR.

The General Data Protection Regulation (GDPR) is the new legal regulation for personal data, applying to all organizations operating within the EU (as well as non-EU organizations with customers who are individuals in the EU zone). The definition of personal data under GDPR has been boiled down to “any information relating to an identified or identifiable person”. The purpose of GDPR is to harmonize the data protection laws across all member countries of the EU to strengthen the integrity of the individual. The law will come into effect on May 25th, 2018.

What Cart is doing as a Data Controller

As a data controller, Cart is currently working on becoming GDPR compliant. To do so, we’re examining and updating our internal data systems and processes to make sure we’re compliant by this month (May 2018). We have also already updated our Terms of Service and Privacy Policy in line with the GDPR restrictions.

Further, Cart will lay out a Data Processing Agreement (DPA) between the data controller and the data processor in cases where the data controller is affected by GDPR. The data controller is affected by the GDPR if it is a controller of personal data of end-users in the European Union. The DPA lays out the foundation of the obligations of the data processing.

We have been receiving data from you since you created an account on our platform and throughout your use of our services. With that said, Cart (as a data controller) only stores the following information about you, the customer/user:

  • username
  • email
  • password (encrypted)

The processing of your personal data is voluntary but – to the extent to which we use your data for providing services – it is also necessary. Without your data, we will not be able to do so.

To this extent, we process your personal data because it is necessary for our legitimate interests, though it is voluntary and you may object to it according to GDPR provisions by contacting us (as described above).

Additionally, you do not need to agree to the receiving of commercial information via email (or by any other telecommunication means) from us – it is always your choice. However, we encourage you to do so because we will then be able to send you up-to-date information about our products, services and current promotions.

We will continue to process your data for the period of time required to satisfy the purposes for which it was collected. For example, with reference to our services your data will be processed for the period in which these services will be provided.

Where you have consented to marketing communications via email or other telecommunication means for our marketing purposes (e.g., where you have agreed to receive our newsletter or for us to contact you by phone), you may withdraw your consent at any time by contacting us. Likewise, you may unsubscribe from our newsletter at any time by clicking the “unsubscribe” link in any email received from us. In these circumstances, your personal data will be processed until withdrawal of your consent.

We are actively improving data tooling which includes the ability to download and delete your data from Cart. Much of this tooling exists today but we’ll be adding upgrades.

We will ensure we document and share any pertinent changes with customers as we implement our changes.

What Cart is doing as a Data Processor

As a Data Processor, Cart will ensure that the information we process does not identify any person in the EU. As part of this, we are removing our "Sales Network" feature.

Your Legal Rights & Contact

Cart will respect your legal rights to your data as listed below:

  • the right to access your personal data
  • the right to rectify or erase your personal data (“right to be forgotten”)
  • the right to restrict the processing of your personal data
  • the right to object to the processing of your personal data (to the extent to which it is processed because it is necessary for our legitimate interests)
  • the right to withdraw your consent to processing of your personal data (although the withdrawal of consent does not affect the compliance of the processing that was made on its basis before the withdrawal of consent)
  • the right to data portability.

If you have any questions with regard to GDPR and your use of Cart, feel free to email [email protected]

You can put a request for any of your rights through this form.

Please note that this post is for informational purposes only, and should not be considered legal advice.