When you visit our websites and/or use the Platform, we may collect and use personal information about you (including your employees and/or persons who act on your behalf). We may also collect and use personal information from your customers on your behalf if they visit or make a purchase on your SHOPLINE-enabled online store. We are fully aware of the importance of personal information to you and your customers (collectively the “Personal Data Subjects”) and we are committed to ensuring the integrity and security of the Platform.
1. Who we are
2. What we collect and how we use personal information
3. What is our legal basis for processing your personal information
4. How we share, transfer and disclose personal information
5. International transfers
6. Automated decision making
7. How you exercise rights over your personal information
8. How we retain and protect personal information
11. SHOPLINE APP permission acquisition list
12. Third-party information sharing list
For the purposes of the General Data Protection Regulation 2016/679/EU (the "EU GDPR"), the Data Protection Act 2018 (the "Act") and the EU GDPR as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), the data controller is Shopline Technology (UK) Limited with registered company number 13133327 and with following trading address Chase Business Centre, 39-41 Chase Side, London N14 5BP (“SHOPLINE”, “we”, “us” or “our”).
We will only use your personal information when the law allows us to. In respect of each of the purposes for which we use your personal information, the UK GDPR requires us to ensure that we have a "legal basis" for that use. Most commonly, we will use your personal information in the following circumstances. We have set out our specific purposes and associated legal bases in more detail in table format above.
We may share your personal information with the following parties for the purposes set out in the table under section 2 above:
Certain features of the Platform may be provided by our third-party partners, and we may entrust partners (including technical service providers) with the processing of certain personal information of the Personal Data Subjects. For example, if you use the auto-payments feature, we may ask third-party payments companies to process your credit card information so that to charge you relevant services fee as directed by you; if you use SHOPLINE Payments, we may ask third-party services providers which can facilitate us in “Know Your Client” (“KYC") and transaction monitoring and risk management, to process your and your customers’ personal information.
In addition, in order to provide the Platform to you, we may use service providers. These service providers process your personal information as our data processors, on the basis of our instructions pursuant to a written agreement and we do not allow them to use your personal information for their own purposes.
We may share your personal information within our group, which may involve transferring your personal data outside the EEA and/or UK.
Some of our third-party partners are also based outside the EEA and/or UK so their processing of your personal information may involve a transfer of data outside the EEA and/or UK.
Whenever we transfer your personal information out of the EEA and/or UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
If we deploy automated technologies which give rise to automated decision-making about you, we will either: (1) have a human being involved in the process; or (2) use these technologies in ways that don’t have legal or similarly significant effects.
You have the right to, at any time:
a. If you want us to establish the data’s accuracy;
b. Where our use of the data is unlawful but you do not want us to erase it;
c. Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; and
d. You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
If you wish to exercise any of the rights set out above, please contact us at email@example.com .
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
(1) Retention period
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our customers (including contact and financial data) for six (6) years after they cease being customers for tax purposes.
In some circumstances, you can ask us to delete your data. Please see your legal rights above for further information.
(2) Protection of personal information
We take personal information security very seriously. We have adopted technical security measures, appropriate organisational structure and management system and other protections in line with industry standards to prevent leak, damage, misuse, unauthorised use, disclosure or alteration of your personal information, including:
(a) Technical measures for data security
In order to ensure the security of your personal information , we strive to take all reasonable technical measures to protect personal information, so that you and your customers’ personal information will not be leaked, damaged, destroyed, or lost. We use encrypted transmission technologies such as SSL to protect the security of data transmission and use appropriate protection mechanisms to prevent malicious data attacks. We adopt an encrypted storage and data permission control mechanism for personal information to prevent your and your customers’ personal information from being accessed, disclosed, used or altered without authorisation, or intentionally or accidentally damaged or lost.
(b) Organisational and management measures for data security
We have established internal policies for the safe use of data and implement strict management rules for employees or contractors who may have access to your and your customers’ information, including but not limited to implementing different access controls for different roles, signing confidentiality agreements with them, and monitoring their operations.
We provide employees with training on security and privacy protection and require them to complete assessments, in order to enhance their awareness of the importance of personal information protection.
(c) Contractual obligations for data security
We will require our partners to sign a data processing agreement or set out data protection compliant terms, as required by Article 28 of UK GDPR, in a contractual agreement signed by both parties, which stipulates those partners’ obligations, including to ensure that the use and transfer of personal information shall satisfy our requirements and is subject to our review, instructions and audit rights, and in the event of any breach, we will hold the processor partner legally liable to the extent it has not complied with the UK GDPR’s processor obligations or has acted outside or contrary to our lawful instructions.
(d) Handling of security incident
In the event of a personal information security incident, we will activate the emergency plan, take remedial measures, record the incident, and report it in time in accordance with the applicable laws and regulations. If the security incident may cause serious damage or pose high risk to the legitimate rights and freedoms of you and/or your customers, such as the unauthorised disclosure of sensitive personal information, we will inform you of the security incident and its possible impact, the measures we have taken or are about to take, risk prevention and mitigation we recommend for you, the remedies we provide to you and/or your customers, and our contact. We will promptly inform you of the above by email, letter, telephone or notification. When it is difficult to inform the Personal Data Subject one by one, we will issue a warning notice in a reasonable and effective way.
In the event of significant or material changes, we will notify you in a prominent manner as appropriate.
You: the registered seller user / merchant who uses the SHOPLINE Platform or other services, and its employees/developers/other persons authorised to operate the Platform.
Personal information (personal data): means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal information (special categories of personal data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Deletion: the act of removing personal information from the system involved in the provision of routine service functions, so that it cannot be retrieved or accessed.
When you use the services provided by a third party, we will share the corresponding information after obtaining or ensuring that the third party obtains your authorization and consent, as well as other cases in compliance with laws and regulations. You can know how the third party will deal with your personal information through the relevant information listed. We will also strictly restrict the third party’s access to personal information to protect the security of your personal information.
We may also access the software development kit (SDK) provided by a third party to achieve to ensure the stable operation of the platform or realize relevant functions. Our access-related third-party SDKs are also listed in the following list. You can view the data use and protection rules of third-party through the links or paths provided in the directory. Please note that the type of personal information processing of third-party SDK may change due to version upgrades, policy adjustments, and other reasons. Please follow the official instructions published by it.
Personal information: name, email, IP, device information, country
Name of the third party: Joincube, Inc.
Purpose: for delivering private messages to merchants
Usage scenario: to inform merchants of product adjustment, updates, and other matters
Sharing mode: background interface transmission
Third-party personal information processing rules: https://www.getbeamer.com/privacy-policy
Tencent Cloud Web (H5) player
Personal information: equipment manufacturer, equipment model, system language type, screen resolution, operating system version number, browser type, browser version, IP address
Name of the third party: Shenzhen Tencent Computer System Co., Ltd
Purpose: for attracting audience for live broadcast
Usage scenario: businesses use SC live broadcast function
Sharing mode: background interface transmission
Third-party personal information processing rules: https://cloud.tencent.com/document/product/454/61839
Personal information: IP address, geographical location, browser type, and version, operating system, recommended source, length of access, page views
Name of the third party: QZ Industries
Purpose: for printing the user’s order message
Usage scenario: to print user messages in a live broadcast scenario
Sharing mode: background interface transmission
Third-party personal information processing rules: https://qz.io/privacy/
Try SHOPLINE with our free 14 day trial to explore all of our smart commerce capabilitiesTry for free