GDPR Privacy Policy

1. Data Flows

If you haven’t already done it, map out your data flows today. A data flow can be as simple as receiving address details from a customer making an order. Perhaps you then save those address details to then printing address labels off at the end of the year to send your best customers a Christmas card. Think about where personal information comes in (I imagine it’s when your customer places an order) and consider where it goes next and how it flows around your department. Do you pass details onto someone else? Do you save it somewhere else? In order to keep this data safe you firstly need to know where it is. More on data flows later.

2. Privacy Policy

Now is the time to update Privacy Policies. These need to demonstrate transparency over how customer information is stored and these policies need to be displayed on your website and whenever your customers fill out forms. This will instill trust with your customer who knows you care about their personal data. We will shortly be releasing a boiler plate Privacy Policy for you to use. 

3. Consent

In the case of internet shopping, the lawful basis for holding personal information is consent. Your customer has consented to provide you with their details in return for the purchase of your products. This information can legally be stored for as long as it is used for the intention it was provided (unless the customer asks you to delete it beforehand that is). Now is the time to think about data retention. How long do you need the personal information for? It may be different for different types of information. Your Data Retention Policy will need to be included in your Privacy document.

On the subject of consent, from May 25th you will only be able to send marketing information to your customers who have consented to receive it. By this I mean they have opted in – you can no longer imply consent to receive emails by pre-selected boxes. Unless a customer has actually told you they want this information you can no longer send it. Your Newsletter feature and Store Blog are going to be vital tools to engage with your customers and tell them about updates and new products. If your customers have signed up for your freewebstore Newsletter, this feature is set up to be fully GDPR compliant so your customers have given their consent to receive it.

4. Individual Rights

Consent for you to hold personal data can be withdrawn at any time. Individuals will have the right to be forgotten or even ask you what information you hold on them. You must respond within a month to such a request so you will need to know where your information is held. If you’ve mapped out your data flows you will be able to do this quickly. We will shortly be releasing an update which will allow you to search for all the records you hold on an individual which will allow you to comply with a request for information or erasure. 

When running a creative business, it’s important to respect your buyers’ privacy rights and follow data protection laws. As a business owner, you receive certain personal information about customers when they place an order or contact you about a potential order, such as name, postal address, email address, and phone number. The European General Data Protection Regulation (GDPR) and other local data protection laws guard how this kind of personal information is collected and used, and protect the privacy rights of online shoppers. Under these laws, buyers are entitled to certain information, including when, why, how, by whom, and for what purpose personal information is collected, used, and shared.

If you’re a seller based in the European Union or you offer your listings to buyers there, the GDPR applies to you, which means you’re required to have a privacy policy for your shop. Many other countries have also adopted data protection laws similar to the GDPR, so whether or not you sell to Europe, we recommend that all sellers create a privacy policy. Data protection laws are complex, and local legal requirements may vary, so if you’re uncertain whether the GDPR or any other data protection laws currently apply to you, or would like advice on your specific obligations, consult with an attorney about local laws and how they apply to your shop.

Read on to learn more about leading practices for sending marketing messages and creating a privacy policy for your Seller Bay shop—plus an example of what the privacy policy of a typical Etsy seller might look like.

Leading Practices for Marketing Messages

There are a few things you should know before using email addresses to contact your buyers, such as sending a newsletter or advertising new products. Under the laws of many countries, including those in Europe, you often need prior “express consent” from your buyers to send them marketing or promotional messages. Express consent means that you can only send marketing messages to a buyer if they have indicated their consent for you to do so through a clear affirmative action, such as a buyer agreeing in an  Seller Bay Convo or email to receive marketing messages from you. Even if you get a buyer’s email address through  Seller Bay to help fulfill the transaction, you’re required to get the buyer’s express consent before sending them marketing messages. Remember that even once you have express consent to send marketing messages, you must respect requests to opt out of receiving further marketing messages from you, as consent can be revoked at any time.

Keep in mind that sending unsolicited advertising or promotions through  Seller Bay Convos is not allowed under Seller Bay’s policies. It is also a criminal offense in some countries. Before using buyers’ personal information for any purpose other than fulfilling orders, providing customer service, and sending marketing messages where you have obtained the buyer’s express consent, you should seek legal advice.

Creating a Privacy Policy for Your Shop

Giving your buyers information about how and why you’re going to use their personal information is the heart of a privacy policy. For instance,  Seller Bay has a privacy policy which details what information  Seller Bay collects and receives as well as how and why that information is used and shared. Soon, we’ll provide an additional field in your  Seller Bay shop policies where you can create a privacy policy that will be visible to buyers. We’ll let you know as soon as that field is available.

Below is a sample privacy policy you might find in a seller’s shop. It’s designed to help guide you as you create a privacy policy for your Seller Bay  shop. Throughout, we’ll point out which parts of the policy address requirements of the GDPR. The specific needs and practices of each Seller Bay  shop are different, so you should customize this sample policy to reflect the needs and practices of your shop.

 Seller Bay Seller:  Privacy Policy

This uses Google Cloud to host some of his buyers’ personal information.

The GDPR requires that  provide certain information to his buyers in his privacy policy, including:

  • the personal information he collects;
  • the legal bases he relies on to collect, use, and share personal information;
  • the third parties with whom he shares personal information;
  • the length of time he keeps personal information;
  • if he’s transferring personal information outside of Europe (for example, if he moves his business to the United States and continues to sell to buyers in Europe, or uses a third party provider located outside of Europe, or uses Google Cloud to host some of his buyers’ information), how the transfer will be handled;
  • his buyers’ rights regarding his use of their personal information; and
  • how his buyers can contact him with privacy-related requests.

Visit this EU GDPR help site and read Articles 13 and 14 for more details on the information that must be included in your privacy policy to comply with the GDPR.

Based on GDPR requirements, here’s how  might introduce his privacy policy to his buyers:

This Privacy Policy describes how and when I collect, use, and share information when you purchase an item from me, contact me, or otherwise use my services through or its related sites and services.

This Privacy Policy does not apply to the practices of third parties that I do not own or control, including  Seller Bay or any third party services you access through Seller Bay. You can reference the  Seller Bay Privacy Policy to learn more about its privacy practices. Nathan should then go on to include information on the following:

1. Personal information he collects

Should go on to explain what information he collects from buyers, why he needs the information, how he uses it to fulfill orders, the third parties with whom he shares the information, and the length of time he keeps the information. Here’s an example:

Information I Collect

To fulfil your order, you must provide me with certain information (which you authorized  Seller Bay to provide to me), such as your name, email address, postal address, payment information, and the details of the product that you’re ordering. You may also choose to provide me with additional personal information (for a custom order of jewelry, for example), if you contact me directly.

2. The legal bases he relies on to collect, use, and share personal information

The GDPR requires that you explain the legal bases you rely on to collect, use, and share personal information. The legal bases may include a buyer’s affirmative consent to receive marketing messages, compliance with legal obligations, and a seller’s use of the personal information in their legitimate interests (improving their services, for example). Throughout his privacy policy,  should be as clear as possible about where and why he’s relying on these different legal bases. For example:

Why I Need Your Information and How I Use It

I rely on a number of legal bases to collect, use, and share your information, including:

  • as needed to provide my services, such as when I use your information to fulfil your order, to settle disputes, or to provide customer support;
  • when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list;
  • if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law; and
  • as necessary for the purpose of my legitimate interests, if those legitimate interests are not overridden by your rights or interests, such as 1) providing and improving my services. I use your information to provide the services you requested and in my legitimate interest toimprove my services; and 2) Compliance with the  Seller Bay Seller Policy and Terms of Use. I use your information as necessary to comply with my obligations under the  Seller Bay Seller Policy and Terms of Use.

3. The third parties with whom he shares personal information

The GDPR requires that you disclose the details of any personal information you share with third parties. Should explain to his buyers why, when, and with whom he may share buyers’ personal information. For example:

Information Sharing and Disclosure

Information about my customers is important to my business. I share your personal information for very limited reasons and in limited circumstances, as follows:

  •  Seller Bay. I share information with Etsy as necessary to provide you my services and comply with my obligations under both the  Seller Bay Seller Policy and  Seller Bay Terms of Use.
  • Service providers. I engage certain trusted third parties to perform functions and provide services to my shop, such as delivery companies. I will share your personal information with these third parties, but only to the extent necessary to perform these services.
  • Business transfers. If I sell or merge my business, I may disclose your information as part of that transaction, only to the extent permitted by law.
  • Compliance with laws. I may collect, use, retain, and share your information if I have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce my agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of my customers, or others.

4. The length of time he keeps personal information

The GDPR requires you to disclose the period of time during which you will store personal information. Nathan should consider how long he needs to retain information for business purposes and to comply with any legal or tax obligations, and keep in mind that data shouldn’t be kept for any longer than necessary. For example:

Data Retention

I retain your personal information only for as long as necessary to provide you with my services and as described in my Privacy Policy. However, I may also be required to retain this information to comply with my legal and regulatory obligations, to resolve disputes, and to enforce my agreements. I generally keep your data for the following time period: 4 years.

5. If transferring personal information outside of Europe, how the transfer will be handled

GDPR requires you to disclose if you transfer personal information outside of the EU and the legal bases Uyou rely on to do so, such as consent and contractual necessity.  uses Google Cloud, which is Privacy Shield certified, so he should explain to his buyers that he relies on Privacy Shield as the legal basis for the transfer of his buyers’ personal information outside of the EU.

Transfers of Personal Information Outside the EU

I may store and process your information through third-party hosting services in the US and other jurisdictions. As a result, I may transfer your personal information to a jurisdiction with different data protection and government surveillance laws than your jurisdiction. If I am deemed to transfer information about you outside of the EU, I rely on Privacy Shield as the legal basis for the transfer, as Google Cloud is Privacy Shield certified.

6. His buyers’ rights regarding his use of their personal information and his contact details

Based on GDPR requirements, should finish by explaining to his buyers their rights regarding the information they provide to him on Seller Bay.  Should also provide his contact details and explain to his buyers that he is the data controller of their personal information.

Your Rights

If you reside in certain territories, including the EU, you have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in certain limited cases. I describe these rights below:

  • Access. You may have the right to access and receive a copy of the personal information I hold about you by contacting me using the contact information below.
  • Change, restrict, delete. You may also have rights to change, restrict my use of, or delete your personal information. Absent exceptional circumstances (like where I am required to store data for legal reasons) I will generally delete your personal information upon request.
  • Object. You can object to (i) my processing of some of your information based on my legitimate interests and (ii) receiving marketing messages from me after providing your express consent to receive them. In such cases, I will delete your personal information unless I have compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
  • Complain. If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.

How to Contact Me

For purposes of EU data protection law,  am the data controller of your personal information. If you have any questions or concerns, you may contact me at  Alternately, you may mail me at:

*If a customer contacts you to access, correct or delete personal information held by Seller Bay, you may contact  Seller Bay at for assistance, or request that the customer send a request directly to Seller Bay.

Privacy policy is intended to be a guide to the information that should be included in a privacy policy. If you use this policy as a template for your own, you should customize it so it makes sense for your shop. You can replace the details in his policy with yours, including your name, business name, email address, and newsletter settings (if you have an email newsletter). The sections entitled “Why I Need Your Information and How I Use It” and “Transfers of Personal Information Outside the EU” must be customized based on how you operate your shop. Adjust the wording to reflect the voice of your brand and add or remove information to reflect specific facets of your business. For example, if you’re a business owner, you can change the pronouns from “I” and “me” to “we” and “us” to more accurately represent your  Seller Bay shop.

Comments are closed.