At Judge.me, we take privacy seriously and have made great efforts to protect the privacy of anyone who interacts with our services, both directly and indirectly.
We only collect personal data that is essential for running our services and supporting merchants in providing the best experience to reviewers.
As a result of these efforts, we are now among the top 50 privacy-dedicated companies, according to Mine’s Privacy Index.
In this article, we'll describe how Judge.me complies with the General Data Protection Regulation (GDPR) to protect the rights of all Data Subjects.
TABLE OF CONTENTS
- What is GDPR?
- Judge.me's role as a Data Processor
- Judge.me's role as a Data Controller
- Data Processing Addendum (DPA)
- Sub-processors, integration apps, and Google Shopping
- Security and location of our servers
Learn more about our compliance with GDPR and other regulations.
1. What is GDPR?
GDPR is the privacy and security law drafted and passed by the European Union (EU) and implemented into UK law by the Data Protection Act 2018. It imposes obligations on organizations anywhere, so long as they target or collect data related to people located in the EU (for EU-GDPR) or the UK (for the UK implementation of GDPR via the Data Protection Act 2018, “UK-GDPR”). When we refer to “GDPR”, we mean both the EU-GDPR and UK-GDPR, and when we refer to “Europe”, we mean the EU and UK.
2. Judge.me's role as a Data Processor
Merchants (store owners) are the data controllers for the purposes of GDPR and are obliged to fulfill the Data Subject Rights (DSR) of Data Subjects (buyers/reviewers) that are European residents.
Data Subject Rights specify how Data Subjects can correct, amend, delete, or limit the use of Personal Data that you control.
In terms of personal data received from Merchants, via eCommerce platforms, Judge.me is a data processor.
We will process the personal data of your buyers/reviewers on behalf of the Merchant, the data controller.
As a data processor, we will help you, the Merchant, to fulfill the Data Subject Rights. In particular, we will:
- Send all the reviewer data that you have collected and processed upon request of the reviewers (right of access and right to be informed)
- Provide tools for reviewers to edit their display name, display name format, and reviews, as well as let you make minor edits to the review content, with the consent of your reviewers (right to rectification/edit)
- Provide tools for reviewers to delete their reviews, and delete all reviewer data that you have collected and processed upon request of the reviewers (right to be forgotten)
- Provide all personal data in a structured and machine-readable format (right to data portability)
We refer to users of your store as reviewers, as most of Judge.me's functionality deals with reviews. In a few cases, we will also process data you have provided to us that is not from (potential) reviewers.
3. Judge.me's role as a Data Controller
When receiving personal information directly from a merchant of an eCommerce store, an influencer, or a reviewer, when they create an account using our services and otherwise interact directly with our website, Judge.me is the Data Controller.
Judge.me aims to take reasonable steps to allow you, the data subject, to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, as a data subject, you have the right to:
- Access and receive a copy of the Personal Data we hold about you.
- Rectify any Personal Data held about you that is inaccurate.
- Request the deletion of Personal Data held about you.
- Data portability for the information you provide to Judge.me Ltd. You can request to obtain a copy of your Personal Data in a commonly used electronic format so that you can manage and move it.
4. Data Processing Addendum (DPA)
As a data processor, we provide you with a Data Processing Addendum (DPA) that serves as a record of Judge.me's processing activities. You can download an example DPA here.
Similarly, Judge.me has signed DPAs (and in some cases, Standard Contractual Clauses) with some sub-processors authorized by us to further process your personal data.
5. Sub-processors, integration apps, and Google Shopping
We currently authorize some third-party sub-processors to process your data depending on which functions you enable in your Judge.me settings. The most common sub-processors and their services include:
- Postmark: sending transactional emails, e.g. review request emails
- Amazon Web Services (AWS): cloud hosting services to host user-generated content that Judge.me collects on the Controller’s behalf
- Heroku: Judge.me's server infrastructure
- Freshworks: customer support platform to enable Judge.me to support and manage Judge.me's relationship with our customers
You can find an extensive list of Judge.me's sub-processors here.
5.2. Integration apps
If you integrate Judge.me with other Shopify apps, the personal data of you and your reviewers will be processed by these apps.
5.3. Google Shopping
We may provide you with a Product Reviews XML Feed for your Google Merchant Center. You can submit this XML file inside your Google Merchant Center. In this case, the personal data of you and your reviewers may be processed by Google Shopping.
6. Security and location of our servers
We are running on Heroku and Amazon Web Services (AWS) technology. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology.
Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under: