Last updated on June 8, 2021
On May 25th, 2018 the General Data Protection Regulation (GDPR) took effect. The GDPR is the European Union’s new data privacy law which impacts how all companies (big and small) collect and handle personal data about their European customers.
We support the GDPR and will ensure all Papathemes apps and services comply with its provisions by May 25, 2018. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.
Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.
We have taken steps to ensure that we will be compliant with the GDPR by May 25, 2018.
Who does the GDPR apply to?
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
What has Papathemes already done to prepare for the GDPR?
We’ve been hard at work preparing for the GDPR for a while. So far, we have:
- Reviewed the data collected by Papathemes apps and services and identified which of it relates to personal information
- Developed a data breach policy and action plan
- Reviewed our system infrastructure, application security and data access on Amazon Web Services
- Removed unnecessary store owner data; the only store owner personal data we keep is the email address (encrypted in the database) and state/country, used for communication and application analysis
- Encrypted all personal data (where stored) in our database to prevent personal data leakage
- Implemented role-based access control (RBAC) for staff who interact with store owners
- Reviewed our app permissions and workflow to comply with the GDPR requirements from BigCommerce
- Conducted Privacy Impact Assessment (PIA) - Updated on Aug 25, 2020
What are the permissions we need for our apps?
Read Products, Write Products
This includes products, categories and product reviews. We need this permission to sync product and product review data between your BigCommerce store and our app in order to deliver the app's features to your web store.
This permission allows us to read the store's theme information for the automatic theme setup process.
Read Scripts, Write Scripts
This permission allows us to install the app's scripts to your store front to provide the app's features to your store.
What personal data do we collect, and how do we make sure it complies with the GDPR?
Based on the definitions in Art. 4 GDPR, we consider the following collected data to be personal data that the app interacts with:
Store Owner Information
We store this data to communicate with the store owner regarding Papathemes apps and services. Our app minimizes the store owner's personal data: we store only the owner's email address (encrypted in the database) and state/country.
This information is kept as long as the store owner continues using the app. When the store owner uninstalls the app, the data is deleted.
We also have cookies set by Google Analytics, MixPanel and Hotjar in our app’s admin pages. These cookies help us to adjust and improve experiences with our app.
Order Hook Information
We do not store any personal information from order hooks in our application or other databases.
UUID of Frontend API
We place an anonymous unique identifier on the device or computer of individuals who access the storefront. This identifier helps us analyze how our app influences customer experiences.
We treat this UUID as non-personal information because it cannot be reversed to identify any personal information if the data is breached or accessed by other third parties.
We keep application logs for system performance monitoring and security audits.
The application logs are kept permanently for security reasons.
What about third parties? How do we control the information shared with them?
We do not and will never share, disclose, sell, rent, or otherwise provide personal information to other third parties or companies (other than to specific BigCommerce merchants you are interacting with, or to third-party apps or service providers being used by the merchants you are interacting with) for the marketing of their own products or services.
However, we may share your personal information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
This overview should give you an idea of the GDPR and what we have done to prepare for it.
At Papathemes, we are ready with our updated terms and training to assist you with questions at any time. For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact Papathemes by sending your request to:
Or by sending an email to: