This document was last updated in October 2021.
Commerce.Live is a provider of Software as a Service (SaaS) AI-Powered solutions for eCommerce brands. For more information about Commerce.Live, please visit https://commerce.live .
We collect personal data from our customers (which includes employees of our corporate or institutional customers) for our own purposes, such as to provide and administer the Services. We are the data controller in respect of this personal data.
In order to provide our Services, we require our customers to login into our service after sign-up on our website and authorization by our sales team.
We collect your personal data when:
When you create an account with Commerce.live, we will ask you to complete a registration form indicating your first name, surname and email. You can log in to the Services with your username. In such case, you provide to us your username (email) and password. The password is hashed and Commerce.live does not see it.
For purposes of analysis and improvement of our Services, our servers may automatically record information when you visit our website or use some of our Services, including:
If our Services are purchased by an entity, it is the individual users within such entity’s organization who log into our Services platform and whose personal data are collected, as described above. Where such entity provides us directly with any personal data of its employees or other individual users that it authorized to access the Services, it must have all necessary consents, permissions or registrations to process and to provide to us its employees’ or users’ personal data.
We use your personal data for the following purposes:
We may process your personal data in the scope specified in Section 2.1 to learn how you use our Services to be able to continuously enhance user experience as well as provide our customers seamless customer support. We may process such personal data also to improve and enhance our existing Services and develop new offerings. This includes product and market statistics, research and analytics, benchmarks and other analyses to better understand your needs and the needs of users in the aggregate, diagnose problems and analyse trends.
3.4 To protect our Services and secure our or third party rights
We process your personal data in the scope specified in Section 2.1 to keep the Service safe, secure and reliable. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm Commerce.live, our customers and users.
We may process some of data specified in Section 2.1 when required by law or to establish, exercise or defend our legal claims or, where necessary, protect rights of Commerce.live. For example, we may store data about how you use our Services, including payments for Services, to prove or otherwise support our rights.
We may process your contact personal data, in particular email, name and company to offer you our new Services.
For the purposes specified in Sections 3.1 and 3.2, we process your personal data based on our contract with you (if you are our direct customer and an individual) or based on our legitimate interest to provide our Services to our customers (where our customer is your company or organisation and you are an authorized user designated by your company or organization).
For the purposes specified in Section 3.3, we process your personal data based on our legitimate interest to develop and improve our Services.
For the purposes specified in Section 3.4, we process your personal data based on our legitimate interest to protect and secure our rights or claims or the rights of our customers or users.
For the purpose specified in Section 3.5, we process your personal data based on your voluntary consent where you have given us such consent. In a limited scope permissible under applicable law, we may also use your electronic contact details to inform you about our Services without your explicit consent, based on our legitimate interest, as described in more detail in Section 8 below.
Where we use your personal data for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you. Our legitimate interests don’t automatically override yours and we won’t use your information if we believe your interests should override ours unless we have other grounds to do so (such as performance of contract, your consent or a legal obligation). If you have any concerns about our processing, please refer to details of “Your rights” in Section 11 below.
Where we process personal data on behalf of our customers as a data processor, we retain such data for the duration of our agreement with such customers and delete them in accordance with our retention and backup processes automatically within 90 days after the termination of the agreement, unless the customers ask us to erase them earlier.
We may use and/or disclose to third parties (including government bodies and law enforcement authorities, our affiliates, professional advisors and our vendors or subcontractors) information about you when:
This information will be shared provided that, in all such circumstances, we will only share the limited personal information that is required to be shared in the unique situation.
To the extent we act as a data processor with respect to our client’s personal data (private data), we always enter into a data processing agreement with the data controllers (our clients) pursuant to Article 28 (3) of the GDPR, which provides a mechanism for the engagement of sub-processors.
To the extent we act as a data controller with respect to personal data, we may use processors to process personal data on our behalf.
Your data may be shared with Commerce.live affiliates in order for them to provide certain support services, marketing and pre-sales activities, or to offer their own products and services.
We may use aggregated anonymised data derived from the personal data provided by you or collected by the program analytics such as user behaviour and activities for our own statistics, for auditing, for the purposes of product and market research, for analytics (which helps us to optimise and improve our Services and their usability, the range of Services and to develop new technologies, products, and services), and for benchmarks and other analyses. Additionally, we may choose to publish such anonymised data and to share it with third parties outside of Commerce.live . We will not directly or indirectly transfer any data received from you to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset.
We may contact you about our news, events, Services and their features or special offers that we believe may interest you, provided that we have the requisite permission to do so, either on the basis of your consent (where we have requested it and you have provided it to us), or our legitimate interests to provide you with marketing communications where we may lawfully do so, within the limits provided by law. In the latter case, we will only send you marketing communication if you are using or have recently used any of our Services and have not objected to receiving such information (by any means mentioned below).
Your marketing communication preferences may be changed at any time by following the instructions below:
If you have received unwanted, unsolicited emails sent via our system or purporting to be sent via our system, please forward a copy of that email with your comments to firstname.lastname@example.org for review.
We may share your contact details with our vendors or business partners who provide the relevant services or functions on our behalf, including event organization, marketing, distribution of surveys customer service, or public relations. These third-party vendors have access to and may collect information only as needed to perform their functions on our behalf and are not permitted to share or use the information for any other purpose.
Please note that we may occasionally send you important information (including via email) about our Services that you are using or have used including changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfill our legal and contractual obligations, as described in Section 3.2 above. These important Service communications are not affected by your marketing communication preferences.
We have implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines in accordance with good industry practice while keeping in mind the state of technological development in order to protect your data against accidental loss, destruction, alteration, unauthorized disclosure or access or unlawful destruction. Such measures may include, without limitation, taking reasonable steps to ensure the reliability of employees having access to your data and providing for limited access rights and access controls; authentication; personnel training; regular back up; data recovery and incident management procedures; restrictions on storing, printing and disposal of personal data; software protection of devices on which personal data are stored; etc.
We have also implemented Information Security Management in accordance with the requirements of information security standard – ISO 27001, including penetration tests, vulnerability scans, secure development frameworks access management, supplier management and compliance processes. We have also successfully completed a SOC 2 Type II audit of our platform performed by an independent auditing firm.
Data collected from you may be transferred to, and stored and processed in, the United States (US) or any other country in which Commerce.live, its affiliates, subcontractors, suppliers or other vendors maintain facilities. While we reserve the right to change our business partners and /or data locations, when we transfer any personal data to the USA or any other country outside the EU or EEA in which Commerce.live, its affiliates, subcontractors, suppliers or vendors maintain facilities, we will implement such appropriate legal mechanism as are required by EU law to ensure an adequate level of personal data protection by such third parties receiving your personal data (for example, European Commission’s Standard Contractual Clauses approved by the European Commission (the “SCCs”)). In light of the ruling of the Court of Justice of the European Union (CJEU) which struck down the EU-US Privacy Shield, we have performed a review of our vendor ecosystem to ensure that all our US-based vendors have signed the European Commission’s SCCs. Further, we have entered into robust data processing agreements signed with all non-EU (sub)processors which contain SCCs and define strict security standards and measures to be employed by each our (sub)processor (including state of the art encryption). We also contractually require our (sub)processors to provide us a prompt notice of any data breach or security incident concerning processed data.
Our platform and Services (including any personal data contained therein) are hosted in the Google cloud. Legally, this means that data are transferred to and stored and processed by Google Cloud Services. Commerce.live and Google have signed the controller-to-processor SCCs approved by the European Commission ((EU) 2021/914) to ensure regulatory compliance for data transfers from Europe to the USA. The specific Data Processing Addendum incorporating these model clauses has been approved and validated on EU level by Article 29 Working Party in 2015 as ensuring an adequate level of protection.
If you wish to exercise these rights and/or obtain all relevant information about the processing of your personal data, please contact us at email@example.com. You will be asked to identify yourself; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we retain the right to extend this period up to 2 months in exceptional circumstances. We will in any event inform you within 1 month after receipt of your request if we decide to extend the period for our response.
In accordance with applicable laws and as further described below, you have the right to request access to your personal data and information about their processing, the right to rectification, erasure or portability (e.g. transfer of your personal data to another service provider) of your personal data we process, as well as the right to object to the processing of your personal data and/or request the restriction of such processing.
Please note that your objection to processing could mean that we are unable to provide you with our Services or otherwise perform the actions necessary to achieve the purposes set out above (see Section 3 ‘How we use the data’).
According to applicable laws, you have the right to obtain confirmation as to whether or not personal data concerning you are being processed (pursuant to the process described above), and, where that is the case, the right to access and rectify your personal data you have shared with us. Through your settings of the Services, you can access and update your account information and change your profile settings.
If you wish to limit or change access to or the sharing of your personal data with a social network, please do this via your account settings on that social network.
We take reasonable measures to ensure that you are able to keep your personal data accurate and updated. You can always approach us in order to obtain confirmation whether or not we still process your personal data.
You can ask us to erase your personal data at any time. If you approach us with such a request, we will delete all your personal data we have without undue delay, provided that your personal data is no longer necessary for the provision of the Services or other permitted purposes, in particular in connection with exercising and defending our legal rights, or meeting our legal obligations. We will also delete (and ensure deletion by the processors that we engage) all your personal data in case you withdraw your consent or in the circumstances that the law requires us to do so.
If you request us to restrict the processing of your personal data, e.g. in circumstances when you contest the accuracy, lawfulness or our need to process your personal data, we will limit the processing of your personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defense of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted, and we continue processing your personal data, you will be informed accordingly without undue delay.
You have the right to receive personal data relating to you and which you have provided to us. If you approach us with such a request, we will provide your personal data in commonly used and machine-readable format to you without undue delay from receipt of your request. If you request so, we will send your personal data to a third party (another data controller) which you will identify in your request, unless such request would adversely affect the rights or freedoms of others and where technically feasible.
You have the right to object to our using your personal data on the basis of our legitimate interests (refer to Section 4 above to see when we are relying on our legitimate interests) (or those of a third party)) and there is something about your particular situation which makes you want to object to processing on this ground. In such case, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for their further processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of our legal claims. If you object to processing your data for direct marketing purposes, we will cease to process your data for these purposes.
If you have provided us any consent with the processing of personal data, for example for marketing communication, you can withdraw your given consent at any time without stating any reason. We will block your personal data for any further processing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing based on consent before its withdrawal.
Commerce.live does not sell, as defined in the CCPA, any personal data. Therefore, if a California consumer communicates an opt-out request under this provision, it will have no effect. If you require additional information about your rights under the CCPA to opt out of the sale of your personal data, please contact: firstname.lastname@example.org and put CCPA Request in the subject line.
If you have any queries regarding our data collection and protection practices or your rights, please do not hesitate to contact our Data Protection Officer, at email@example.com