At Judge.me, we take your privacy seriously and have put in significant effort to safeguard your privacy when you interact with our services, whether directly or indirectly.
As a result of our commitment, we are recognized as one of the top 50 privacy-dedicated companies in Mine's Privacy Index.
In this article, we'll explain how Judge.me complies with the General Data Protection Regulation (GDPR) to protect the rights of all Data Subjects.
To learn more about our GDPR compliance and other regulations, please visit our documentation.
1. What is GDPR?
GDPR is the privacy and security law drafted and passed by the European Union (EU) and implemented into UK law by the Data Protection Act 2018. It imposes obligations on organizations anywhere, so long as they target or collect data related to people located in the EU (for EU-GDPR) or in the UK (for the UK implementation of GDPR via the Data Protection Act 2018, “UK-GDPR”). When we refer to “GDPR”, we mean both the EU GDPR and UK-GDPR, and when we refer to “Europe”, we mean the EU and UK.
2. Judge.me's role as a Data Processor
Merchants (store owners) are the data controllers for the purposes of GDPR and are obliged to fulfill the Data Subject Rights (DSR) of Data Subjects (buyers/reviewers) that are European residents.
Data Subject Rights specify how Data Subjects can correct, amend, delete, or limit the use of Personal Data that you control.
In terms of personal data received from Merchants, via eCommerce platforms, Judge.me is a data processor.
We will process the personal data of your buyers/reviewers on behalf of the Merchant, the data controller.
As a data processor, we will help you, the Merchant, to fulfill the Data Subject Rights. In particular, we will:
Send all the reviewer data that you have collected and processed upon request of the reviewers (right of access and right to be informed)
Provide tools for reviewers to edit their display name, display name format, and reviews, as well as let you make minor edits to the review content, with the consent of your reviewers (right to rectification/edit)
Provide tools for reviewers to delete their reviews, and delete all reviewer data that you have collected and processed upon request of the reviewers (right to be forgotten)
Provide all personal data in a structured and machine-readable format (right to data portability)
We refer to users of your store as reviewers, as most of Judge.me's functionality deals with reviews. In a few cases, we will also process data you have provided to us that is not from (potential) reviewers.
3. Judge.me's role as a Data Controller
When we receive personal information directly from a merchant of an eCommerce store, an influencer, or a reviewer, as they create an account using our services and otherwise interact directly with our website, Judge.me is the Data Controller.
Judge.me aims to take reasonable steps to allow you, the data subject, to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, as a data subject, you have the right:
To access and receive a copy of the Personal Data we hold about you.
To rectify any Personal Data held about you that is inaccurate.
To request the deletion of Personal Data held about you.
To data portability for the information you provide to Judge.me Ltd. You can request to obtain a copy of your Personal Data in a commonly used electronic format so that you can manage and move it.
4. Data Processing Addendum (DPA)
Judge.me's Data Processing Agreement (DPA) sets out the terms upon which we process personal data on behalf of our customers and transfer and share that data with our Merchants and Sub-Processors.
The DPA incorporates the latest Standard Contractual Clauses (SCC) published by the European Commission as well as the UK's international data transfer addendum, allowing Judge.me to lawfully transfer personal data from the UK to overseas parties pursuant to a set of defined processing particulars, including to parties who may be based in countries where the EU has not issued an adequacy decision based on GDPR-equivalent levels of data protection.
You can download Judge.me's DPA here.
5. Sub-processors, integration apps, and Google Shopping
We currently authorize some third-party sub-processors to process your data depending on which functions you enable in your Judge.me settings. The most common sub-processors and their services include:
Postmark: sending transactional emails, e.g. review request emails
Amazon Web Services (AWS): Cloud hosting services to host user-generated content that Judge.me collects on the Controller’s behalf.
Heroku: Judge.me's server infrastructure
Freshworks: Customer support platform to enable Judge.me to support and manage Judge.me's relationship with our customers.
You can find an extensive list of Judge.me's subprocessors here.
If you integrate Judge.me with other Shopify apps, the personal data of you and your reviewers will be processed by these apps.
We may provide you with a Product Reviews XML Feed for your Google Merchant Center. You can submit this XML file inside your Google Merchant Center. In this case, the personal data of you and your reviewers may be processed by Google Shopping.
6. Security and location of our servers
We run on Heroku and Amazon Web Services (AWS) technology. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology.
Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under: