GDPR Compliance

Last updated: March 4, 2026

Shop Bridge is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR). This page explains how we handle your data, your rights, and how you can exercise them.

We give you full control over your data. You can export all your personal information at any time and permanently delete your account whenever you choose.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that went into effect on May 25, 2018. It gives individuals in the European Economic Area (EEA) greater control over their personal data and establishes strict requirements for how organizations collect, store, process, and share that data.

Key Principles

  • Lawfulness, fairness, and transparency
  • Purpose limitation — data collected for specified, explicit purposes
  • Data minimisation — only collect what is necessary
  • Accuracy — keep data accurate and up to date
  • Storage limitation — retain data only as long as needed
  • Integrity and confidentiality — ensure appropriate security
  • Accountability — demonstrate compliance

2. Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

Right to Access

  • You can request a copy of all personal data we hold about you
  • We will provide this data in a portable, machine-readable format (JSON)
  • Use your account Settings page to export your data instantly

Right to Rectification

  • You can correct any inaccurate personal data
  • Update your profile information at any time via your account settings

Right to Erasure ("Right to be Forgotten")

  • You can request the permanent deletion of your account and all associated data
  • This action is irreversible — all stores, products, orders, and customer data will be removed
  • Use the "Delete Account" option in your Settings page

Right to Restrict Processing

  • You can ask us to temporarily stop processing your data in certain circumstances

Right to Data Portability

  • You can receive your personal data in a structured, commonly used format
  • Our data export feature provides a comprehensive JSON file

Right to Object

  • You can object to the processing of your data for marketing purposes
  • Manage your email and notification preferences in Settings

Right to Withdraw Consent

  • Where processing is based on consent, you can withdraw that consent at any time

3. Data We Collect

Shop Bridge collects and processes the following categories of personal data:

Account Data

  • Name, email address
  • Hashed password (we never store plaintext passwords)
  • Profile image (if provided)
  • Account creation and update timestamps

Store & Business Data

  • Store name, description, and configuration
  • Products, categories, and inventory
  • Customer records and order history
  • Staff accounts and roles

Usage Data

  • Analytics and page views (aggregated)
  • Feature usage patterns
  • Error logs for debugging

Payment Data

  • Billing and subscription information (processed by Mollie)
  • We do not directly store credit card numbers

4. How We Protect Your Data

We implement industry-standard security measures to protect your personal data:

Technical Measures

  • All data transmitted via HTTPS/TLS encryption
  • Passwords hashed using bcrypt with salt rounds
  • Database hosted on Supabase with encryption at rest
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Security headers (CSP, HSTS, X-Frame-Options) on all responses

Organizational Measures

  • Access to production data is strictly limited
  • Regular security reviews and updates
  • Incident response procedures in place

Third-Party Processors

  • Mollie — payment processing (PCI DSS compliant)
  • Supabase — database and authentication hosting
  • Vercel — application hosting
  • All processors are GDPR-compliant and bound by data processing agreements

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Active Accounts

  • Account data is retained while your account is active
  • Store and order data is maintained for the lifetime of the store

Deleted Accounts

  • When you delete your account, all personal data is permanently removed
  • This includes stores, products, orders, customers, staff accounts, and analytics
  • Deletion is cascading and irreversible

Legal Obligations

  • Some data may be retained longer if required by law (e.g., financial records for tax compliance)
  • In such cases, the data is locked and not used for any other purpose

6. International Data Transfers

Your data may be transferred to and processed in countries outside the EEA:

Transfer Safeguards

  • Our hosting providers operate under Standard Contractual Clauses (SCCs)
  • Supabase and Vercel maintain certifications and commitments for GDPR compliance
  • Mollie complies with GDPR through its Data Processing Agreement

Your Consent

  • By using Shop Bridge, you consent to the transfer of your data to these processors
  • You may withdraw consent by deleting your account

7. Cookies & Tracking

Shop Bridge uses cookies to provide and improve our services:

Essential Cookies

  • Authentication session cookies (required for login)
  • CSRF protection tokens
  • These cannot be disabled as they are necessary for the platform to function

Analytics Cookies

  • We may use analytics to understand usage patterns
  • These are aggregated and do not identify individual users

No Third-Party Tracking

  • We do not sell your data to advertisers
  • We do not use third-party advertising trackers

8. How to Exercise Your Rights

You can exercise your GDPR rights in several ways:

Self-Service (Recommended)

  • Export your data: Go to Settings → Privacy → Export Data
  • Delete your account: Go to Settings → Danger Zone → Delete Account
  • Update your information: Go to Profile settings

Contact Us

  • Email our Data Protection team at privacy@shopbridge.io
  • We will respond to all GDPR requests within 30 days
  • You may also lodge a complaint with your local Data Protection Authority

Verification

  • We may need to verify your identity before processing certain requests
  • This is to protect your data from unauthorized access

9. Changes to This Policy

We may update this GDPR policy from time to time to reflect changes in our practices or applicable law.

Notification

  • We will notify you of material changes via email or a prominent notice on our platform
  • The "Last updated" date at the top of this page indicates when changes were last made

Continued Use

  • Your continued use of Shop Bridge after changes constitutes acceptance of the updated policy