Company

GDPR

Clerk is fully GDPR compliant. This article explains everything you need to know about Clerk and GDPR, and how we make it easy for you to handle GDPR requests.

Trust Center #

At trust.clerk.io, you can review our privacy policy, subprocessors, data management, and much more. The page contains everything needed to understand how Clerk handles your data.

Managing Data #

As a data processor, Clerk stores customers’ email addresses, purchase histories, and click histories, which are considered sensitive data.

In response to GDPR, we have made it easy to:

  • Check all data tracked for the customer.
  • Remove the customer’s email address and click history from an order, keeping the order data but making it anonymous. This process is called Forgetting.

Customer Profiles #

Each customer has their own profile in the Clerk admin, which can be found either by searching for it in the top of the page, searching in Data > Customers or by going to this URL: https://my.clerk.io/store/customer/CUSTOMER.

Simply replace CUSTOMER with the email address or ID of the customer you wish to inspect data for.

Customers

Data Requests #

All data we have tracked for each customer can be viewed from their unique profile. You can also use our Privacy Information API to get the same data, which can then be integrated into your existing setup.

Requests to Forget #

Remember to remove the personal data from any system syncing with Clerk before issuing the Forget Request, to avoid the data getting re-synced.

You can forget a customer by simply clicking Forget Customer at the bottom of their profile or by using our Privacy Forget API.

When a customer is forgotten, we remove any personal data we have on the data subject while still preserving all non-personal data.

Due to backup and security measures, it can take up to 30 days for all personal data to be purged from our platform.

If we ever need to use a backup to recover lost data, personal data will be restored. In such cases, you will be informed and will need to re-issue all Forget Requests made in the last 30 days.

Forget customer

Data Collection #

As a data controller, you are responsible for informing your data subjects about how their personal data is used and for using Clerk in a compliant manner.

Clerk can be configured to only collect the personal data you want, but by default, we collect the following for each customer on your website:

  • Pages they visit.
  • Content they view via Clerk.
  • Clicks on content shown by Clerk.
  • Products in the orders they place (if any).
  • Their email address, but only if the store explicitly enables it.

Visitor data is stored between 1–12 months, depending on the frequency and length of their visits, as well as the need for legal documentation of GDPR compliance.

Data Processing #

Clerk was built from the beginning with privacy and security in mind. We had implemented the below measures, even before GDPR was introduced:

  • Our servers are located in Germany, with a backup stored in Ireland. All personal data is stored and processed here.
  • Any personal data is stored in isolated databases to enhance data separation between our customers.
  • We ensure that any of our service providers who may handle personal data keep this data within the EU.
  • We conduct routine vulnerability scans and penetration tests of our entire platform.
  • We ensure and monitor that our employees only have access to personal data when it is needed to perform their job.

Further, in preparation for GDPR, we introduced the following before May 25, 2018:

  • A standard Data Processing Agreement.
  • The ability to remove all of a users personal information both via our API and UI.
  • Third-party GDPR certification as both a Data Controller and Data Processor.

GDPR Dashboard #

Every Clerk account has its own dedicated GDPR dashboard. This provides an always up-to-date overview of the data you are sending to Clerk and which subprocessors are using that data to optimize the results shown to customers.

You can find it here.

It can also be accessed in your Clerk admin by searching for “GDPR” in the top of the page of or by going to ACCOUNT NAME > GDPR.

GDPR Dashboard

Sub-Processor #

Clerk uses several subprocessors to store and process the data you send. The subprocessors used depend on which Clerk products and features you are using. Any subprocessors handling your data will be highlighted in green.

Data #

Since a company can have multiple Stores, the data section is sorted by the data accessible in each Store.

Each data type is indicated with a green checkmark if the corresponding Store has access to that data type.

Website Browsing History #

The Store successfully tracks visitor IDs and associates behavior with it.

You can check the associated Visitor IDs for any customers on their profile.

Visitor IDs have their own unique URL: https://my.clerk.io/store/visitor/VISITOR_ID.

Visitor Log

Purchase Preferences #

The store can identify customers and generate recommendations based on their preferences, which are derived from their clicks or purchase history. On each customers profile, you can inspect the orders we have tracked for them.

Customer Preferences

Email Address #

The store has access to customers’ email addresses.

Customers

Order History #

The store has access to historical order data, independent of the ability to identify customers by their email address or ID.

Orders

CRM #

The store has access to customer information, like age, gender, city etc. independent of the ability to identify customers by their email address or ID.

Customer Data