Glood and GDPR Compliance

Privacy-First Personalization for European Users
Glood.AI is fully GDPR compliant with all required documentation, technical measures, and processes in place.
Glood.AI is committed to protecting the privacy and personal data of all users, including those in the European Union. We comply with the General Data Protection Regulation (GDPR) to ensure transparent, secure, and lawful processing of personal data while delivering AI-powered personalization for Shopify stores.
For GDPR-related inquiries or to exercise your data rights, please contact our Data Protection Officer at privacy@glood.ai.

Our Data Protection Officer

Harshul Jain, Founder and Data Protection Officer
Email: privacy@glood.ai
Our DPO oversees all data protection activities and ensures GDPR compliance across our operations.
Glood.AI processes personal data based on:
Our Legitimate Interest Assessment (LIA) has been conducted and documented, confirming that our processing is proportionate, necessary, and respects individuals’ rights.

How We Collect and Use Personal Data

Types of Data Collected

We may collect and process the following personal data through Shopify:
  • Identifiers: Name, email address, IP address
  • Shopping Behavior: Browsing history, product views, cart additions
  • Transaction Data: Purchase history, order details
  • Device Information: Browser type, device type, screen resolution

Purpose of Processing

All data is processed exclusively to:
  • Provide personalized product recommendations
  • Improve recommendation accuracy
  • Enhance the shopping experience
  • Generate anonymized analytics for merchants
We do not sell, rent, or share personal data with third parties for their own marketing purposes.

Data Storage and Retention

Storage Location

Glood.AI servers are located in the United States. We implement appropriate safeguards for international data transfers to ensure your data remains protected according to GDPR standards.

Retention Periods

Real-Time Events

365 days: Browsing behavior and interaction data

Order Data

Contract duration: Purchase history retained while merchant contract is active
After these periods, data is automatically deleted as per the terms and conditions of the Shopify Partner Program and Glood.AI’s Privacy Policy.

Compliance Documentation & Accountability

Key GDPR Documentation

Glood.AI maintains comprehensive GDPR compliance documentation:

Records of Processing (RoPA)

Complete inventory of all data processing activities as required by Article 30

Data Protection Impact Assessment (DPIA)

Risk assessment for AI-powered personalization per Article 35

Legitimate Interest Assessment (LIA)

Documented balancing test for legitimate interests basis per Article 6
All compliance documentation is reviewed annually and updated when processing activities change.

Technical and Organizational Measures

We implement comprehensive security measures to protect your personal data:

Encryption at Rest

All stored data is encrypted using industry-standard encryption

Access Controls

Strict role-based access controls limit data access to authorized personnel

Audit Logs

Comprehensive logging of all data access and processing activities

Additional Safeguards

  • Regular security assessments and updates
  • Employee training on data protection
  • Secure development practices
  • Incident response procedures

Your Rights Under GDPR

As an EU resident, you have the following rights:

1. Right to Access

Request a copy of your personal data we process. Contact privacy@glood.ai for data access requests, or submit through your merchant’s Shopify store. We handle these requests via Shopify’s customers/data_request webhook.

2. Right to Rectification

Correct inaccurate personal information through Shopify, as we receive PII data via the Shopify platform.

3. Right to Erasure (“Right to be Forgotten”)

Request deletion of your personal data, subject to legal obligations. Deletion requests are automatically processed through Shopify’s customers/redact webhook.

4. Right to Restrict Processing

Limit how we process your personal data in certain circumstances.

5. Right to Data Portability

Receive your data in a structured, machine-readable format through Shopify’s systems.

6. Right to Object

Object to processing based on legitimate interests or for direct marketing.
Glood.AI does not engage in automated decision-making that produces legal or similarly significant effects on individuals.

Data Sharing and Sub-processors

We do not share any personally identifiable information (PII) with sub-processors.
All data processing occurs within Glood.AI’s secure infrastructure. We maintain full control over your data and do not rely on third-party processors for handling personal information.

International Data Transfers

When transferring data from the EU to our US-based servers, we ensure full GDPR compliance through:
Our DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor) ensuring lawful data transfers from the EEA to the United States.

Comprehensive Safeguards

  • Standard Contractual Clauses: Full implementation of EU Commission Decision 2021/914 SCCs
  • Technical Measures: Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Supplementary Measures: Additional protections including access controls and legal challenge commitments
  • Transfer Impact Assessment: Documented assessment confirming SCCs effectiveness with our measures
  • Shopify Framework: Additional compliance through Shopify’s data processing requirements

Data Breach Notification

Our DPA establishes clear breach notification procedures:

Notification Timeline

  • Within 48 hours: Notification to affected merchants (Data Controllers)
  • Immediate action: Assessment of breach severity and impact
  • Documentation: Complete breach records maintained per GDPR requirements

Our Commitments

  1. Rapid notification to merchants with full breach details
  2. Impact assessment including affected data categories and individuals
  3. Mitigation measures to address and contain the breach
  4. Cooperation with merchants for regulatory notifications
  5. Documentation of all breach facts and remediation actions
As outlined in our DPA, merchants (as Data Controllers) are responsible for notifying supervisory authorities within 72 hours and affected individuals when required under GDPR.

Children’s Privacy

We do not knowingly collect or process personal data from individuals under 16 years of age. Our services are designed for adult shoppers, and we rely on merchants to ensure age-appropriate access to their stores.

Cookies and Tracking

Glood.AI uses cookies that are essential for the proper functioning of personalization features on Shopify stores. Cookie retention depends on user consent:

With Consent

1 year: When users accept cookies, the rk_uid/rk.uid cookie is stored for one year to provide consistent personalization

Without Consent

24 hours only: If consent is not provided, cookies are stored temporarily for 24 hours for essential session continuity

Why These Cookies Are Essential

  • Session Management: Maintain user sessions across page views
  • Personalization: Remember product preferences and browsing history
  • Performance: Optimize recommendation loading and accuracy
  • User Experience: Provide consistent experiences for returning visitors
These cookies are strictly necessary for providing our personalization services and do not track users across other websites.

Data Processing Agreement (DPA)

Standard DPA for European Customers

Glood.AI provides a comprehensive Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements.
Our DPA is available to all European merchants and covers:
Access our DPA: View and accept our standard Data Processing Agreement which forms part of your service agreement with Glood.AI

Shopify Compliance Framework

In addition to our DPA, we operate within Shopify’s comprehensive GDPR framework:

Partner Agreement

Full compliance with Shopify Partner Agreement including all data protection requirements

Compliance Webhooks

Implementation of mandatory webhooks:
  • customers/redact
  • customers/data_request
  • shop/redact
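As an added example (not Glood.AI's own code), a minimal handler for the three mandatory topics listed above: it verifies Shopify's HMAC-SHA256 signature over the raw request body before parsing it, so a forged request cannot trigger an erasure or export. The app secret and the sample payloads are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret; a real app reads its shared secret from configuration.
APP_SECRET = b"example-shopify-app-secret"


def verify_shopify_hmac(raw_body: bytes, header_hmac: str, secret: bytes = APP_SECRET) -> bool:
    """Shopify signs each webhook as base64(HMAC-SHA256(secret, raw body)) and
    sends the value in X-Shopify-Hmac-Sha256; compare in constant time."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), header_hmac)


def handle_compliance_webhook(topic: str, raw_body: bytes, header_hmac: str) -> dict:
    """Dispatch the X-Shopify-Topic value to the matching compliance action.
    The signature is checked before the JSON body is trusted."""
    if not verify_shopify_hmac(raw_body, header_hmac):
        return {"status": 401, "action": "rejected"}
    payload = json.loads(raw_body)
    if topic == "customers/redact":
        # Erase the named customer and the listed orders from the recommendation store.
        return {"status": 200, "action": "erase_customer",
                "customer_id": payload["customer"]["id"],
                "orders": payload.get("orders_to_redact", [])}
    if topic == "customers/data_request":
        # Export what is held for the customer so the merchant can answer the data subject.
        return {"status": 200, "action": "export_customer",
                "customer_id": payload["customer"]["id"],
                "request_id": payload["data_request"]["id"]}
    if topic == "shop/redact":
        # Sent after the app is uninstalled: purge everything stored for the shop.
        return {"status": 200, "action": "erase_shop", "shop_id": payload["shop_id"]}
    return {"status": 400, "action": "unknown_topic"}


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Helper producing the header value Shopify would send for a body (for local testing)."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


# Constructed sample payloads in the shape Shopify documents for these topics.
SAMPLE_REDACT = json.dumps({"shop_id": 954889, "shop_domain": "example.myshopify.com",
    "customer": {"id": 191167, "email": "john@example.com", "phone": "555-625-1199"},
    "orders_to_redact": [299938, 280263, 220458]}).encode()
SAMPLE_SHOP = json.dumps({"shop_id": 954889, "shop_domain": "example.myshopify.com"}).encode()
```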

Key DPA Provisions

Our comprehensive Data Processing Agreement includes:
  • Standard Contractual Clauses (SCCs): Full incorporation of EU Commission’s Module 2 SCCs for lawful EU-US data transfers
  • Processing Scope: Clear definition of data types, purposes, and retention periods (documented in RoPA)
  • Security Measures: Documented encryption (AES-256, TLS 1.2+), access controls, and audit logging
  • Transfer Impact Assessment: Documented assessment with supplementary measures for US transfers
  • Risk Assessment: Comprehensive DPIA conducted for AI-powered processing
  • Breach Notification: 48-hour notification commitment to controllers
  • No Sub-processors: We don’t share PII with any third parties
  • Data Deletion: Automatic deletion within 2 days upon request or contract termination
  • Compliance Verification: Annual verification rights for controllers

Updates to Our GDPR Practices

We may update our GDPR compliance measures as regulations evolve or our services change. Any significant changes will be communicated to merchants through their registered email addresses.

Contact Us

For any GDPR-related questions, requests, or to exercise your data rights:

Data Protection Officer

privacy@glood.ai: For data protection inquiries and rights requests

General Support

support@glood.ai: For general questions about our services
When contacting us, please include your Shopify store URL and any relevant order numbers to help us locate your data efficiently.

Supervisory Authority

EU residents have the right to lodge a complaint with their local data protection supervisory authority if they believe their rights under GDPR have been violated. You can find your local authority at https://edpb.europa.eu/about-edpb/board/members_en

GDPR Compliance Summary

Glood.AI maintains full GDPR compliance with all required legal, technical, and organizational measures in place.

Comprehensive Compliance Framework

Legal Documentation

✅ DPA with Standard Contractual Clauses
✅ Legitimate Interest Assessment (LIA)
✅ Records of Processing Activities (RoPA)
✅ Data Protection Impact Assessment (DPIA)

Technical Safeguards

✅ Encryption (AES-256, TLS 1.2+)
✅ Access controls & audit logging
✅ Shopify compliance webhooks
✅ Automated data deletion

Rights & Transparency

✅ Data subject rights via webhooks
✅ Clear retention periods
✅ Consent management system
✅ 48-hour breach notification

Governance

✅ Designated Data Protection Officer
✅ Annual compliance reviews
✅ No sale of personal data
✅ No PII sub-processors
Our GDPR compliance is continuously monitored and updated. All documentation undergoes annual review or whenever processing activities change.