Spensit GDPR Readiness

What is the GDPR and why does it concern you?

The European Union (EU) introduced a landmark regulation called the General Data Protection Regulation (GDPR) on May 25, 2018. The primary goal of the GDPR is to provide EU residents with drastic improvements to their privacy rights and control over their personal data, protecting them from privacy breaches and unauthorized data leaks.

Because software, SaaS, and digital products are typically sold globally, this regulation applies to businesses everywhere, regardless of their physical headquarters. Every organization that handles, markets to, or tracks the personal data of EU residents is impacted by the GDPR. With strong penalties in place for non-compliance—up to €20m or 4% of global annual turnover, whichever is higher—ensuring that your customers' personal data is treated correctly while maintaining a seamless buyer experience is a core focus across the Spensit platform.

Core Principles of Data Protection

Navigating privacy requirements can be complex, but we have implemented system-wide protocols to ensure that maintaining compliance is simple and straightforward for your business. Our approach is built on several key GDPR concepts:

  • Lawful Processing: Personal data requires a lawful basis for processing. For example, marketing communications cannot be enabled if we do not know whether a buyer has explicitly consented to them.

  • Clear Communication Preferences: Buyers must be able to specify exactly what communications they want to receive. The language explaining how you will contact users needs to be exceptionally clear, which ultimately leads to fewer unsubscribes and spam reports.

  • Transparency: Buyers have the right to transparency around data collection. They can ask for the data stored on them and receive it in a simple, accessible format.

  • The Right to be Forgotten: If a buyer requests it, we will remove all their personal data, allowing you to maintain a clean database focused strictly on engaged customers.

How Spensit Handles Buyer Data and Compliance

As part of our comprehensive business management ecosystem, certain Spensit services will act as the Merchant of Record (MoR) at your discretion.

When you choose to leverage these specific capabilities, Spensit legally acts on your behalf as the reseller of your software or digital products. This means we assume the responsibility for compliance with local regulations and the handling of global taxes on your behalf, legally behaving as if we had created the software ourselves. This removes a massive operational burden, allowing you to scale internationally without worrying about local tax jurisdictions.

Because buyers using these MoR services are technically contracting directly with Spensit, their personal data is protected under the GDPR, and we must establish a lawful reason to pass that data back to you. We collect buyer data during the checkout process for payment processing and order fulfillment purposes, including names, locations, contact details, and billing information.

Under the GDPR, there are two applicable scenarios that allow us to securely pass that data to you:

  1. Legitimate Interest: Spensit and our sellers have a legitimate interest in using buyer-provided data for product fulfillment, order processing, fraud prevention, and customer support. We pass buyer data to you to enable these necessary operational use cases without requiring additional explicit consent from the buyer. However, it is your strict obligation to only use this buyer data for these specific scenarios. Using it for marketing without further consent violates the GDPR and our seller terms and conditions.

  2. Explicit Consent: Buyers can give us explicit consent to pass information to you for reasons not covered by legitimate interest, primarily for marketing. We have designed our checkout flows to make collecting this explicit consent simple, clear, and fully compliant. We then pass this consent status back to you securely via the Spensit Dashboard and our APIs. Any buyers who previously opted in via non-compliant methods (such as pre-checked boxes) will have their marketing consent statuses reset within our system until a compliant, explicit opt-in is provided.

Security, Tracking, and Data Transfers

While Spensit processes data globally to serve international merchants, we do so through mechanisms that are fully compliant with EU law.

During the checkout process, buyer data is securely shared with our payment gateways and providers, all of which are strictly GDPR and PCI DSS compliant. This sharing is functionally necessary to facilitate the payment process. Additionally, anonymized data is shared with our GDPR-compliant fraud monitoring platforms to protect the ecosystem. Our platform implements industry best practices for data security, including encryption at rest and in transit, strict access controls, and regular auditing.

To optimize the platform, we utilize a select number of GDPR-compliant tracking and monitoring services. These use a combination of temporary and long-lived cookies to identify unique user journeys. This data is used exclusively internally for platform diagnostics, security, and product improvements. It is not shared with outside third parties, nor is it used for activities that would require separate GDPR compliance or an opt-out, because these cookies are strictly necessary to ensure the reliable operation of Spensit.

For full details on our operational guidelines, please review the Spensit Terms and Conditions for sellers, along with our comprehensive Privacy Policy.