Yotpo’s Guide to Privacy

Products: SMS & Email, Loyalty & Referrals, Visual UGC

Supported plans: Free, Starter, Pro, Premium, Enterprise


        At Yotpo, protecting your data and your shoppers’ data is our top priority. We are committed to keeping a high level of privacy compliance, and, with our highly robust approach to privacy and data protection, we are dedicated to helping you meet your privacy obligations as well. 

        The guide below addresses some of the most frequent questions relating to the EU GDPR and California CCPA privacy laws.


        This guide does not act as legal or professional advice. You should consult with your legal counsel or privacy experts for compliance with privacy and data protection laws relevant to you.

        Data protection means better business

        Just like the eCommerce space, the scope of data protection laws continues to grow. It is important to adhere to the requirements of such laws, not only because it is legally required, but because this means more trust from your shoppers - if a shopper is confident that their data will be protected, they are more comfortable sharing their personal information when active online.

        We are committed to offering the highest standard of service when it comes to data protection, and to continuously support our merchants with privacy-related requests.

        What is GDPR? 

        The "General Data Protection Regulation", or GDPR for short, was established to safeguard the privacy rights of EU individuals by creating a framework to handle their data. 

        The GDPR outlines the roles organizations can assume when ‘processing’ (collecting, using, sharing, etc.) data subjects’ ‘Personal Data’ (any information that can identify or lead to the identification of a natural person): the ‘Data Controller’ (the entity that determines the means and purposes of the processing activities) and the ‘Data Processor’ (the entity that operates based on the instructions of the controller). The GDPR further outlines the security measures organizations should implement when handling personal data, the data transfer mechanisms that allow data to be processed outside the EU, and, of course, the rights individuals have regarding their personal data (such as the rights to access, rectification and deletion). 

        The GDPR affects any company, big or small, that processes the personal data of data subjects in the EU, regardless of the location of the company. 

        In other words, if you are offering your goods to EU individuals – the GDPR will apply!

        What is CCPA? 

        The "California Consumer Privacy Act," or CCPA for short, was established to safeguard the privacy rights of California residents by creating a framework to control their personal information.

        Similar to the GDPR, the CCPA outlines the roles of a "Business" (similar to a Data Controller) and a "Service Provider" (similar to a Data Processor), which organizations can assume when handling (collecting/sharing/selling/etc.) California residents’ personal information (any information that can identify or be linked, directly or indirectly, with a particular consumer or household).

        The CCPA grants California consumers various rights regarding their personal information (such as the right to access, data deletion, and opt-out of sale), and imposes certain obligations on organizations that process such information, such as the requirement to disclose data collection and processing practices, provide ‘user-friendly’ methods for consumers to exercise their privacy rights, and take reasonable security measures to protect the personal information they collect.

        Unlike the GDPR, the CCPA applies only to organizations that meet specific criteria relating to revenues, the number of California consumers whose personal information they process, or acts of selling/sharing personal information.

        In other words, if your shop operates in the US – the CCPA might apply!  

        How can I prepare?

        Every organization is unique and may have different obligations under GDPR or other privacy laws.

        Our best recommendation is for you to consult with your legal advisor or privacy consultant. 

        There are a few things that might help you with the process:

        • Map out the data in your organization - what personal data do you have? Where does it come from? With whom do you share it?
        • Understand your role and obligations under relevant privacy laws 
        • Ensure you are using up-to-date security protocols  
        • Consider all aspects of your activity and the information processed - remember, employee information is also covered by GDPR
        • Check what other privacy laws apply to you, for example, in the EU, website cookies are also subject to the ePrivacy directive

        How does Yotpo support your obligations under relevant privacy laws?

        Yotpo acts as the data processor/service provider when providing its services to you. As the data processor, we process data on your behalf and have limited ability to use your shopper data for purposes other than those we agree upon. 

        These limitations are governed by our Terms of Service and online Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses (EU SCCs) and other relevant transfer mechanisms such as the UK ICO’s IDTA, and the Swiss FADP’s SCCs. 

        If you want to obtain a signed copy of the applicable SCCs, please reach out to privacy@yotpo.com

        You can also see our security measures and the list of our sub-processors. If you want to receive updates on changes to the list, you can sign up here.

        Our supportive role as a data processor is typically related to the handling of data subject requests, while you, the controller, are required to execute the requests of data subjects to exercise their rights under relevant legislation. Yotpo, as the processor, is required to assist you in managing such requests that relate to information we process on your behalf. 

        Yotpo has created internal tools that enable our support team to assist you with data subject requests quickly and efficiently.  

        If you receive a request to exercise the right to access / the right to rectification / the right to erasure (also known as ‘the right to be forgotten’) or the right to portability, please contact Yotpo’s support team.

        If you receive a request to exercise the right to restrict processing, you can quickly remove this shopper's email address from Yotpo’s email delivery system in your Yotpo account. You can also retrieve all of the shopper’s information and suspend all published UGC (user-generated content) so that it will no longer be displayed on your site or marketing channels.

        To learn how to accomplish this with the Yotpo product you’re using, please contact Yotpo’s support team.

        Privacy FAQs

        Have a question about GDPR or CCPA? Below you'll find several frequently asked questions about common privacy issues and processes, and their related answers.

        Does Yotpo have a Data Protection Officer or another role responsible for data protection?

        Yes. Yotpo has appointed PrivacyTeam as its DPO to answer your privacy-related questions.

        Please do not hesitate to reach out to dpo@yotpo.com

        Can you provide a summary of the activities undertaken by Yotpo to ensure compliance with the GDPR?

        Yotpo is working with PrivacyTeam to create and maintain a robust privacy program to support our global operations, which includes working closely with legal and security to provide excellent support to our clients, keeping up-to-date internal and external policies and procedures, conducting periodical gap analysis and privacy assessments, recurring meetings and sessions with relevant data processing teams, conducting privacy training to all employees, and more. This is all to ensure our internal and external processes are aligned with the GDPR, the CCPA, and other relevant privacy legislation.

        Are Yotpo's products and features GDPR compliant?

        Yotpo, acting as the data processor on your behalf (you being the data controller), processes the information as it was submitted by you, in accordance with our online DPA. Yotpo provides its merchants with tools and features they can customize to fit their legal, regulatory, and business requirements. It is the merchant's responsibility, as the data controller, to decide how to use them, and we recommend that merchants consult their legal/privacy functions to define how to use our tools.

        What personal data does Yotpo process on behalf of my business?

        Yotpo typically processes the first and last names, email, and IP addresses of the shoppers as well as other information related to their order/purchases as provided via your integration with Yotpo.

        What technical and organizational security measures does Yotpo have in place to ensure an appropriate level of security?

        Please visit our Security page for more information.

        Does Yotpo engage sub-processors?

        Yes. Please visit our Subsidiaries and Sub-processor page for our updated list of sub-processors.

        How do you ensure that your sub-processors have appropriate technical and security measures to ensure a level of security appropriate to the risk?

        Yotpo’s legal, security, and privacy teams conduct a thorough assessment and review each vendor as part of Yotpo’s vendor onboarding process. Executing a DPA is part of such assessment to ensure appropriate technical and organizational measures are in place.

        If Yotpo's sub-processors are in a third country, what steps did Yotpo take to ensure the transfer is legitimate under the GDPR?

        Data transfers outside of the EU are carried out in accordance with transfer mechanisms approved by the EU, such as relying on Adequacy Decisions when transferring data to Israel or the UK. For transfers to countries not covered by an adequacy decision, Yotpo relies on the EU-U.S. DPF or the EU SCCs when transferring data to the US. Furthermore, we maintain an up-to-date Transfer Impact Assessment to support our decision to rely on the SCCs or the DPF when transferring data to the US. Visit our Subsidiaries and Sub-processor page for more information.

        What provisions does Yotpo have in place to either delete or return personal data once the service comes to an end?

        Data can be exported by our clients at any time using their Yotpo account, by submitting a request to the dedicated Account Manager, or by contacting Yotpo’s support team.

        The account’s data can also be permanently removed from Yotpo’s database by contacting the dedicated Account Manager or Yotpo’s support team.

        What training does Yotpo have in place to ensure that your employees process personal data in accordance with the GDPR guidelines?

        All Yotpo employees are required to undergo privacy training as part of their onboarding process. Existing employees complete a refresher training annually.

        If you have any other questions or concerns regarding privacy, feel free to get in touch with Yotpo’s DPO at dpo@yotpo.com, or visit our Privacy Policy.
