
# GDPR Compliance

> Understanding how Glood.AI protects European users' data and ensures GDPR compliance

# Glood and GDPR Compliance

Privacy-First Personalization for European Users

<Check>
  **Glood.AI is fully GDPR compliant** with all required documentation, technical measures, and processes in place.
</Check>

Glood.AI is committed to protecting the privacy and personal data of all users, including those in the European Union. We comply with the General Data Protection Regulation (GDPR) to ensure transparent, secure, and lawful processing of personal data while delivering AI-powered personalization for Shopify stores.

<Info>
  For GDPR-related inquiries or to exercise your data rights, please contact our Data Protection Officer at **[privacy@glood.ai](mailto:privacy@glood.ai)**
</Info>

***

## Our Data Protection Officer

**Harshul Jain**, Founder and Data Protection Officer\
Email: **[privacy@glood.ai](mailto:privacy@glood.ai)**

Our DPO oversees all data protection activities and ensures GDPR compliance across our operations.

***

## Legal Basis for Processing

Glood.AI processes personal data based on:

<Cards>
  <Card title="Contractual Necessity" icon="file-contract">
    We have a contract with merchants (formalized through our DPA) to process their visitors' data for personalization services
  </Card>

  <Card title="Legitimate Interests" icon="scale-balanced">
    Processing is necessary for providing personalized shopping experiences that benefit both merchants and customers - fully documented in our Legitimate Interest Assessment (LIA)
  </Card>
</Cards>

<Note>
  Our **Legitimate Interest Assessment (LIA)** has been conducted and documented, confirming that our processing is proportionate, necessary, and respects individuals' rights.
</Note>

***

## How We Collect and Use Personal Data

### Types of Data Collected

We may collect and process the following personal data through Shopify:

* **Identifiers**: Name, email address, IP address
* **Shopping Behavior**: Browsing history, product views, cart additions
* **Transaction Data**: Purchase history, order details
* **Device Information**: Browser type, device type, screen resolution

### Purpose of Processing

All data is processed exclusively to:

* Provide personalized product recommendations
* Improve recommendation accuracy
* Enhance the shopping experience
* Generate anonymized analytics for merchants

<Check>
  **We do not sell, rent, or share personal data with third parties for their own marketing purposes**
</Check>

***

## Data Storage and Retention

### Storage Location

<Warning>
  Glood.AI servers are located in the United States. We implement appropriate safeguards for international data transfers to ensure your data remains protected according to GDPR standards.
</Warning>

### Retention Periods

<CardGroup cols={2}>
  <Card title="Real-Time Events" icon="clock">
    **365 days**

    Browsing behavior and interaction data
  </Card>

  <Card title="Order Data" icon="shopping-cart">
    **Contract duration**

    Purchase history retained while merchant contract is active
  </Card>
</CardGroup>

After these periods, data is automatically deleted as per the terms and conditions of the Shopify Partner Program and Glood.AI's Privacy Policy.

***

## Compliance Documentation & Accountability

### Key GDPR Documentation

Glood.AI maintains comprehensive GDPR compliance documentation:

<CardGroup cols={3}>
  <Card title="Records of Processing (RoPA)" icon="book">
    Complete inventory of all data processing activities as required by Article 30
  </Card>

  <Card title="Data Protection Impact Assessment (DPIA)" icon="shield-check">
    Risk assessment for AI-powered personalization per Article 35
  </Card>

  <Card title="Legitimate Interest Assessment (LIA)" icon="scale-balanced">
    Documented balancing test for legitimate interests basis per Article 6
  </Card>
</CardGroup>

<Note>
  All compliance documentation is reviewed annually and updated when processing activities change.
</Note>

***

## Technical and Organizational Measures

We implement comprehensive security measures to protect your personal data:

<CardGroup cols={3}>
  <Card title="Encryption at Rest" icon="lock">
    All stored data is encrypted using industry-standard encryption
  </Card>

  <Card title="Access Controls" icon="key">
    Strict role-based access controls limit data access to authorized personnel
  </Card>

  <Card title="Audit Logs" icon="file-lines">
    Comprehensive logging of all data access and processing activities
  </Card>
</CardGroup>

### Additional Safeguards

* Regular security assessments and updates
* Employee training on data protection
* Secure development practices
* Incident response procedures

***

## Your Rights Under GDPR

As an EU resident, you have the following rights:

### 1. Right to Access

Request a copy of your personal data we process. Contact **[privacy@glood.ai](mailto:privacy@glood.ai)** for data access requests, or submit through your merchant's Shopify store. We handle these requests via Shopify's customers/data\_request webhook.

### 2. Right to Rectification

Correct inaccurate personal information through Shopify, as we receive PII data via the Shopify platform.

### 3. Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, subject to legal obligations. Deletion requests are automatically processed through Shopify's customers/redact webhook.

### 4. Right to Restrict Processing

Limit how we process your personal data in certain circumstances.

### 5. Right to Data Portability

Receive your data in a structured, machine-readable format through Shopify's systems.

### 6. Right to Object

Object to processing based on legitimate interests or for direct marketing.

### 7. Rights Related to Automated Decision-Making

<Note>
  Glood.AI does not engage in automated decision-making that produces legal or similarly significant effects on individuals.
</Note>

***

## Data Sharing and Sub-processors

<Check>
  **We do not share any personally identifiable information (PII) with sub-processors**
</Check>

All data processing occurs within Glood.AI's secure infrastructure. We maintain full control over your data and do not rely on third-party processors for handling personal information.

***

## International Data Transfers

When transferring data from the EU to our US-based servers, we ensure full GDPR compliance through:

### Legal Transfer Mechanism

<Check>
  **Our DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor) ensuring lawful data transfers from the EEA to the United States.**
</Check>

### Comprehensive Safeguards

* **Standard Contractual Clauses**: Full implementation of EU Commission Decision 2021/914 SCCs
* **Technical Measures**: Encryption in transit (TLS 1.2+) and at rest (AES-256)
* **Supplementary Measures**: Additional protections including access controls and legal challenge commitments
* **Transfer Impact Assessment**: Documented assessment confirming SCCs effectiveness with our measures
* **Shopify Framework**: Additional compliance through Shopify's data processing requirements

***

## Data Breach Notification

Our DPA establishes clear breach notification procedures:

### Notification Timeline

* **Within 48 hours**: Notification to affected merchants (Data Controllers)
* **Immediate action**: Assessment of breach severity and impact
* **Documentation**: Complete breach records maintained per GDPR requirements

### Our Commitments

1. **Rapid notification** to merchants with full breach details
2. **Impact assessment** including affected data categories and individuals
3. **Mitigation measures** to address and contain the breach
4. **Cooperation** with merchants for regulatory notifications
5. **Documentation** of all breach facts and remediation actions

<Note>
  As outlined in our DPA, merchants (as Data Controllers) are responsible for notifying supervisory authorities within 72 hours and affected individuals when required under GDPR.
</Note>

***

## Children's Privacy

We do not knowingly collect or process personal data from individuals under 16 years of age. Our services are designed for adult shoppers, and we rely on merchants to ensure age-appropriate access to their stores.

***

## Cookies and Tracking

Glood.AI uses cookies that are essential for the proper functioning of personalization features on Shopify stores.

### Cookie Details

<Cards>
  <Card title="Cookie Names" icon="cookie-bite">
    **rk\_uid** and/or **rk.uid**

    Used to identify returning visitors and provide personalized recommendations
  </Card>

  <Card title="Cookie Purpose" icon="bullseye">
    Essential for running personalization features on the Shopify store
  </Card>
</Cards>

### Cookie Duration

Cookie retention depends on user consent:

<CardGroup cols={2}>
  <Card title="With Consent" icon="check">
    **1 year**

    When users accept cookies, the rk\_uid/rk.uid cookie is stored for one year to provide consistent personalization
  </Card>

  <Card title="Without Consent" icon="clock">
    **24 hours only**

    If consent is not provided, cookies are stored temporarily for 24 hours for essential session continuity
  </Card>
</CardGroup>

### Why These Cookies Are Essential

* **Session Management**: Maintain user sessions across page views
* **Personalization**: Remember product preferences and browsing history
* **Performance**: Optimize recommendation loading and accuracy
* **User Experience**: Provide consistent experiences for returning visitors

These cookies are strictly necessary for providing our personalization services and do not track users across other websites.

***

## Data Processing Agreement (DPA)

### Standard DPA for European Customers

<Check>
  **Glood.AI provides a comprehensive Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements.**
</Check>

Our DPA is available to all European merchants and covers:

<Cards>
  <Card title="Clear Roles & Responsibilities" icon="users">
    Defines Glood as Data Processor and merchant as Data Controller with specific obligations for each party
  </Card>

  <Card title="Security & Compliance" icon="shield">
    Documents technical and organizational measures including encryption, access controls, and breach notification procedures
  </Card>

  <Card title="Data Subject Rights" icon="hand">
    Outlines how we assist with access, deletion, rectification, and other GDPR rights through automated processes
  </Card>
</Cards>

<Tip>
  **Access our DPA**: View and accept our standard [Data Processing Agreement](/legal/data-processing-agreement) which forms part of your service agreement with Glood.AI
</Tip>

### Shopify Compliance Framework

In addition to our DPA, we operate within Shopify's comprehensive GDPR framework:

<CardGroup cols={2}>
  <Card title="Partner Agreement" icon="handshake">
    Full compliance with Shopify Partner Agreement including all data protection requirements
  </Card>

  <Card title="Compliance Webhooks" icon="webhook">
    Implementation of mandatory webhooks:

    * customers/redact
    * customers/data\_request
    * shop/redact
  </Card>
</CardGroup>
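The three compliance webhooks listed above, as an added example that is not Glood.AI's own code: a minimal Python handler that verifies Shopify's HMAC-SHA256 signature over the raw request body before acting, then either returns the records held for a data request or erases the customer's or shop's records from an in-memory stand-in datastore. The app secret, store contents and payloads are constructed samples; the header names and signing scheme are the ones Shopify documents for webhooks.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret; a real app signs with its Shopify API secret key.
APP_SECRET = b"example-app-secret-not-real"

# The three mandatory compliance topics listed on this page.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}

def sign(raw_body: bytes) -> str:
    """Shopify's scheme: base64(HMAC-SHA256(app secret, raw request body))."""
    return base64.b64encode(hmac.new(APP_SECRET, raw_body, hashlib.sha256).digest()).decode()

def verify_hmac(raw_body: bytes, header_hmac: str) -> bool:
    """Verify over the raw bytes (not re-serialized JSON) and compare in constant time."""
    return hmac.compare_digest(sign(raw_body), header_hmac)

def handle_compliance_webhook(headers: dict, raw_body: bytes, store: dict) -> dict:
    """Dispatch one verified webhook. `store` stands in for the personalization datastore:
    shop domain -> customer id -> list of behavioral records."""
    if not verify_hmac(raw_body, headers.get("X-Shopify-Hmac-Sha256", "")):
        # Shopify expects a 401 for a bad signature; nothing in the body may be trusted.
        return {"status": 401, "action": "rejected: bad signature"}
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return {"status": 400, "action": "rejected: unexpected topic"}
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    if topic == "customers/data_request":
        # Right to access: return what is held so the merchant can pass it on.
        records = store.get(shop, {}).get(payload["customer"]["id"], [])
        return {"status": 200, "action": "export", "records": records}
    if topic == "customers/redact":
        # Right to erasure: drop this customer's records for this shop.
        removed = store.get(shop, {}).pop(payload["customer"]["id"], None)
        return {"status": 200, "action": "customer_redacted", "found": removed is not None}
    # shop/redact: the merchant uninstalled; drop everything held for that shop.
    removed = store.pop(shop, None)
    return {"status": 200, "action": "shop_redacted", "found": removed is not None}

def make_signed_request(topic: str, payload: dict) -> tuple:
    """Build (headers, raw_body) the way Shopify would deliver it; for local testing only."""
    raw_body = json.dumps(payload).encode()
    return {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": sign(raw_body)}, raw_body
```

In a real deployment the redact branches would also enqueue deletion from any backups or analytics derivations, so that the page's "automatic deletion within 2 days" commitment holds for every copy.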

### Key DPA Provisions

Our comprehensive Data Processing Agreement includes:

* **Standard Contractual Clauses (SCCs)**: Full incorporation of EU Commission's Module 2 SCCs for lawful EU-US data transfers
* **Processing Scope**: Clear definition of data types, purposes, and retention periods (documented in RoPA)
* **Security Measures**: Documented encryption (AES-256, TLS 1.2+), access controls, and audit logging
* **Transfer Impact Assessment**: Documented assessment with supplementary measures for US transfers
* **Risk Assessment**: Comprehensive DPIA conducted for AI-powered processing
* **Breach Notification**: 48-hour notification commitment to controllers
* **No Sub-processors**: We don't share PII with any third parties
* **Data Deletion**: Automatic deletion within 2 days upon request or contract termination
* **Compliance Verification**: Annual verification rights for controllers

***

## Updates to Our GDPR Practices

We may update our GDPR compliance measures as regulations evolve or our services change. Any significant changes will be communicated to merchants through their registered email addresses.

***

## Contact Us

For any GDPR-related questions, requests, or to exercise your data rights:

<CardGroup cols={2}>
  <Card title="Data Protection Officer" icon="user-shield">
    **[privacy@glood.ai](mailto:privacy@glood.ai)**

    For data protection inquiries and rights requests
  </Card>

  <Card title="General Support" icon="headset">
    **[support@glood.ai](mailto:support@glood.ai)**

    For general questions about our services
  </Card>
</CardGroup>

<Note>
  When contacting us, please include your Shopify store URL and any relevant order numbers to help us locate your data efficiently.
</Note>

***

## Supervisory Authority

EU residents have the right to lodge a complaint with their local data protection supervisory authority if they believe their rights under GDPR have been violated. You can find your local authority at [https://edpb.europa.eu/about-edpb/board/members\_en](https://edpb.europa.eu/about-edpb/board/members_en)

***

## GDPR Compliance Summary

<Check>
  **Glood.AI maintains full GDPR compliance** with all required legal, technical, and organizational measures in place.
</Check>

### Comprehensive Compliance Framework

<CardGroup cols={2}>
  <Card title="Legal Documentation" icon="gavel">
    ✅ DPA with Standard Contractual Clauses
    ✅ Legitimate Interest Assessment (LIA)
    ✅ Records of Processing Activities (RoPA)
    ✅ Data Protection Impact Assessment (DPIA)
  </Card>

  <Card title="Technical Safeguards" icon="shield">
    ✅ Encryption (AES-256, TLS 1.2+)
    ✅ Access controls & audit logging
    ✅ Shopify compliance webhooks
    ✅ Automated data deletion
  </Card>

  <Card title="Rights & Transparency" icon="users">
    ✅ Data subject rights via webhooks
    ✅ Clear retention periods
    ✅ Consent management system
    ✅ 48-hour breach notification
  </Card>

  <Card title="Governance" icon="building">
    ✅ Designated Data Protection Officer
    ✅ Annual compliance reviews
    ✅ No sale of personal data
    ✅ No PII sub-processors
  </Card>
</CardGroup>

<Note>
  Our GDPR compliance is continuously monitored and updated. All documentation undergoes annual review or whenever processing activities change.
</Note>
