Last Updated: 3/03/2026
Privacy Notice pursuant to Art. 13 of Regulation (EU) 2016/679 - GDPR
1. DATA CONTROLLER
Pursuant to Articles 4 and 24 of Regulation (EU) 2016/679, the Data Controller is Shoppywhere LLP with registered office at 44-45 Beaufort Court, Admirals Way, London E14 9XL.
Privacy contact email: staff@shoppywhere.com.
2. TYPES OF DATA PROCESSED AND PURPOSES OF PROCESSING
2.1 Data provided by the user
During the use of the App, personal data provided directly by the user may be collected, such as:
• Identification data: first name, last name, shipping address
• Contact data: email address, phone number
These data are processed for the following purposes:
a) Performance of a contract or pre-contractual measures (Art. 6, par. 1, lett. B - GDPR), in particular provision of the App services, including: account creation and management, order and shipping management, customer support;
b) Compliance with legal obligations (Art. 6, par. 1, lett. C - GDPR) such as compliance with tax, accounting and administrative obligations,
c) Personal data may be processed for marketing, remarketing and profiling purposes in accordance with Article 6, par. 1, lett. A - GDPR (consent) or, where permitted by applicable law, pursuant to the soft opt-in exception for existing customers under the European ePrivacy Directive and its local implementations. For such purposes, ShoppyWhere may:
• send newsletters, email communications, SMS or other promotional communications;
• display personalized advertisements on third-party platforms, such as Meta, based on user interactions with the App;
• improve user experience through personalized suggestions and targeted offers;
• create user segments (e.g., “users who added a product to cart”) to optimize communications and advertising campaigns.
Where required by applicable law, promotional communications are sent on the basis of prior opt-in consent. In certain cases involving existing customers whose contact details were collected in the context of a sale of products or services, ShoppyWhere may rely on the soft opt-in exception, provided that a clear and simple opt-out mechanism is always available. In all cases, users may withdraw consent or object to marketing processing at any time via the unsubscribe mechanisms included in each marketing communication or through their account settings.
It is specified that ShoppyWhere does not store nor have access to full payment card details. Transactions are handled exclusively through secure and certified payment service providers compliant with industry security standards.
2.2 Data collected automatically
The App’s IT systems and software procedures automatically acquire certain personal data during normal operation, the transmission of which is inherent in the use of mobile and digital communication protocols. Such data may include:
• technical information about the device used (device type, operating system and related version);
• usage data and access logs;
• information about interactions carried out within the App (e.g., product views, addition to cart, checkout initiation);
• date and time of operations performed.
These data are processed, pursuant to Art. 6, par. 1, lett. b and f of Regulation (EU) 2016/679 – GDPR, for the following purposes:
a) ensuring the proper functioning of the App;
b) improving performance;
c) ensuring service security;
d) personalizing the user experience, where applicable, in compliance with current legislation.
For the purposes of European privacy law, ‘cookies’ and similar tracking technologies are tools that store or access information on a user’s device to provide certain functions. These may include features such as session management, analytics or personalised advertising. Where such technologies are used, consent is obtained in accordance with applicable law.
2.3 Marketing Communications and Legal Basis
When ShoppyWhere sends promotional emails or SMS, the legal basis for processing the contact data used for such communications is consent obtained in accordance with applicable law. Where we cannot determine the user’s place of residence or jurisdiction, we rely on explicit consent provided by the user for marketing purposes and comply with applicable European privacy laws (including GDPR and ePrivacy Directive) for users located within the European Economic Area (EEA).
If ShoppyWhere needs to process email addresses collected for other purposes (e.g., transactional or service communications), such processing will be limited to what is necessary for the performance of those services and will not include promotional content unless separate consent has been obtained.
3. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF DATA
Personal data collected through the App may be disclosed to the following parties:
- Payment service providers;
- Technical and cloud service providers
- Marketing service providers
Data may be shared with service providers that process data on behalf of ShoppyWhere in order to send newsletters, promotional SMS and manage personalized remarketing activities, in compliance with the Controller’s instructions and applicable legislation.
- Other recipients
Personal data may be disclosed, within the limits provided by law, to:
• Competent authorities, in cases required by regulatory or legal obligations;
• Professionals or consultants appointed to provide legal, tax or accounting support services.
The above-mentioned entities act as Data Processors pursuant to Art. 28 of Regulation (EU) 2016/679 - GDPR, or operate independently as separate Data Controllers.
4. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANIZATION
Personal data may be transferred outside the European Economic Area (EEA). In particular, certain processing activities may involve the transfer of data to the United States, to service providers adhering to the EU–U.S. Data Privacy Framework, as recognized by the European Commission Adequacy Decision of 10 July 2023.
5. METHODS OF PROCESSING
Processing is carried out in automated form using methods and tools aimed at ensuring maximum security and confidentiality, by duly authorized personnel.
No automated decision-making processes producing legal or similarly significant effects on the data subject pursuant to Art. 22 GDPR are carried out.
Any profiling activities for marketing purposes are carried out exclusively subject to the user’s prior consent.
6. RETENTION PERIOD OR CRITERIA
In accordance with Art. 5, paragraph 1, lett. e) of Regulation (EU) 2016/679, personal data collected will be retained in a form that allows identification of data subjects for no longer than necessary to achieve the purposes for which the data are processed.
In particular:
- Data processed for service provision
are retained for the entire duration of the contractual relationship and, subsequently, for the time necessary to comply with legal obligations or to protect the Controller’s rights.
- Data processed for marketing purposes
are retained until the withdrawal of consent by the data subject or the exercise of the right to object. In the event of prolonged inactivity, the Controller may proceed with deletion or anonymization of the data.
ShoppyWhere does not store nor have access to full payment card details.
7. NATURE OF DATA PROVISION AND REFUSAL
Provision of personal data for the purposes referred to in point 2.1 a) of this document is necessary for the provision of the services offered in the App; refusal to provide such data makes it impossible to fully use the App services or complete orders. Data required to comply with tax, accounting and administrative obligations, referred to in point 2.1 b), are mandatory by law; failure to provide such data prevents ShoppyWhere from complying with its legal obligations.
Provision of data for the purpose of Marketing, remarketing and profiling referred to in point 2.1 c) is optional and takes place exclusively upon explicit consent of the data subject.
Refusal or subsequent withdrawal of consent does not prevent use of the App and does not affect the contractual or legal purposes described above.
8. RIGHTS OF DATA SUBJECTS
The data subject may exercise the rights provided for by Articles 15, 16, 17, 18, 19 and 20 of Regulation (EU) 2016/679 by contacting the Data Controller at the email address: staff@shoppywhere.com.
In particular, the data subject has the right to obtain from the Data Controller access to personal data, rectification or erasure thereof, restriction of processing, as well as to object at any time to the processing of personal data concerning them (including automated processing such as profiling). The data subject also has the right to data portability.
Without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data infringes Regulation (EU) 2016/679, they have the right to lodge a complaint with the competent supervisory authority in their Member State pursuant to Art. 77 GDPR.
In the event of a portability request, the Controller will provide personal data in a structured, commonly used and machine-readable format pursuant to Art. 20 of Regulation (EU) 2016/679, subject to the limitations set out in paragraphs 3 and 4 of the same article.