At Judge.me, we take privacy seriously and have made great efforts to protect the privacy of both merchants and reviewers. We only collect personal data that is essential for running our customer review application and supporting you in providing the best experience to your reviewers. We do not use personal data for any other purposes than what has been agreed between you and Judge.me. As a result of these efforts, we are now among the top 50 privacy dedicated companies, according to Mine’s Privacy Index.

In this article, we'll describe how Judge.me is complied with the General Data Protection Regulation (GDPR) to protect the rights of you (as a store owner) and your reviewers.


TABLE OF CONTENTS

  1. What is GDPR?
  2. Judge.me's role as a data processor
  3. Data Processing Addendum (DPA)
  4. Sub-processors, integration apps, and Google Shopping
    1. Sub-processors
    2. Integration apps
    3. Google Shopping
  5. Security and location of our servers

Learn more about our compliance with GDPR and other regulations.


1. What is GDPR?

GDPR is the privacy and security law drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. 

2. Judge.me's role as a data processor

According to GDPR, you, the store owner, is a data controller and obliged to fulfill the Data Subject Rights (DSR) of Data Subjects (your buyers/reviewers) that are European residents. Data Subject Rights specify how Data Subjects can get control over the personal data that you control and process.

Judge.me is a data processor. We will process the personal data of your buyers/reviewers on the behalf of you, the data controller. As a data processor, we will help you to fulfill the DSR. In particular, we will

  • Send all the reviewer data that you have collected and processed upon request of the reviewers (right of access and right to be informed)
  • Provide tools for reviewers to edit their display name, display name format, and reviews, as well as let you make minor edits of the review content, with the consent of your reviewers (right to rectification/edit)
  • Provide tools for reviewers to delete their reviewers, and delete all reviewer data that you have collected and processed upon request of the reviewers (right to be forgotten)
  • Provide all personal data in a structured and machine-readable format (right to data portability)

We are referring to users of your store as reviewers, as most of Judge.me's functionalities are dealing with reviews. In a few cases, we will also process data you have provided to us that is not from (potential) reviewers. 

3. Data Processing Addendum (DPA)

As a data processor, we provide you with a Data Processing Addendum (DPA) that serves as a record of Judge.me's processing activities. You can download an example DPA here. 

Similarly, Judge.me has signed DPAs (and in some cases, Standard Contractual Clauses) with some sub-processors authorized by us to further process your personal data.

4. Sub-processors, integration apps, and Google Shopping

4.1. Sub-processors

We currently authorize some third-party sub-processors to process your data depending on which functions you enable in your Judge.me settings. The most common sub-processors and their services include:

  • Postmark: sending transactional emails, e.g. review request emails
  • Amazon Web Services (AWS): Cloud hosting services to host user-generated content that Judge.me collects on the Controller’s behalf. 
  • Heroku: Judge.me's server infrastructure
  • Freshworks: Customer support platform to enable Judge.me to support and manage Judge.me's relationship with our customers. 

You can find an extensive list of Judge.me's subprocessors here.

4.2. Integration apps

If you integrate Judge.me with other Shopify apps, the personal data of you and your reviewers will be processed by these apps.

4.3. Google Shopping

We may provide you with a Product Reviews XML Feed for your Google Merchant Center. You can submit this XML file inside your Google Merchant Center. In this case, the personal data of you and your reviewers may be processed by Google Shopping.

5. Security and location of our servers

We are running on Heroku and Amazon Web Service (AWS) technology. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology. 

Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under: