The European Union’s (EU) General Data Protection Regulation (“GDPR”) became effective on May 25, 2018. Building on our membership with the Privacy Shield Framework, Rithum Corporation, including our affiliated entities (referred to collectively as “Rithum,” “we,” “our,” or “us”), has taken all necessary steps and maintained processes and protections for Personal Data in compliance with the GDPR. “Personal Data” under GDPR means any information related to an identified or identifiable natural person, where that person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to an individual. While Rithum’s Personal Data protection standards include GDPR support, they are not limited to citizens of the European Union. Instead, we apply the same level of protection for all Personal Data regardless of the individual’s location. Rithum maintains reasonable and appropriate technical and organizational measures that adequately protect personal data in accordance with applicable privacy laws.

Below are frequently asked questions about Rithum’s observance of the GDPR and how we handle Personal Data.

Is Rithum bound by the GDPR?

Yes, because Rithum’s operations within the European Union involve processing personal data of European residents.

How is Personal Data protected by Rithum?

All Personal Data is encrypted both in transmission and when stored in our systems. Rithum also has a robust set of security and organizational measures in place to protect personal data, such as physical and access controls in our hardware and software as well as our offices, and the facilities where our applications are hosted.

How long is Personal Data retained by Rithum?

The retention period for Personal Data varies according to the type of service Rithum is providing to a particular client. Personal Data is retained only as long as needed to perform our contractual obligations, or for other legitimate business reasons. The majority of Personal Data Rithum stores is order-related information that Rithum maintains on behalf of our clients, to support the services we provide related to their marketplaces and webstore accounts. This data is retained for no longer than 90 days after the order creation date on the marketplace or webstore, except that for Amazon marketplace orders the Personal Data is only retained for 30 days. For clients who use our pixel tracking system, such as for our Digital Marketing solution, the IP address of the prospective buyer that may be collected by Rithum during our performance of these services is retained for no more than 60 days. Further information about the types of Personal Data collected by Rithum is found elsewhere in these FAQs as well as in our Privacy Policy.

As a Rithum Client, what are my responsibilities under the GDPR?

Just like Rithum, our clients also share in the responsibility for the Personal Data which they choose to collect using our systems. Our clients must protect any Personal Data which they transfer from Rithum to their systems, using methods and processes which follow the requirements of the GDPR. For Personal Data that Rithum obtains from marketplaces and other channels, the client is the “Controller” of that data, whereas Rithum is the “Processor” of the data, as those terms are used in the GDPR. The GDPR strictly limits the retention and use of Personal Data, so it cannot be used for marketing directed towards a data subject unless that person has explicitly agreed to the use of their data for that purpose.

Does my contract with Rithum need to be modified for the GDPR?

Contractual requirements vary depending on the nature of the client’s business and their location, so a client should review its contract to determine whether it believes a change is needed regarding Personal Data processed by Rithum on its behalf. Rithum does provide a Data Processing Agreement (DPA) for use under the GDPR. To discuss the need for a DPA with Rithum, please open a case on our Community site. As client contracts are created and renewed, they will also include a DPA where appropriate.

How do I handle data deletion requests from data subjects for Personal Data retained by Rithum?

Please see the related sections below regarding clients who sell on marketplaces and webstores, as well as those who are advertisers on online marketing sites.

What are your rights with respect to Personal Data held by Rithum?

For our Clients who are Sellers on marketplaces and webstores: In addition to the existing functionality available in the Rithum application for clients to find, view and export order data for specific buyers, we also provide clients with the ability to delete the Personal Data on such orders from the Orders and Orders Detail pages in the Rithum platform. As such, clients can handle data privacy requests from their buyers or other individuals themselves without any need for Rithum’s assistance. Please be advised that clients may need to contact any other third parties who also might have this data, to pass along data privacy requests. These third parties may include, for example, any shipping providers who the client has configured to access buyer data using our application.

For our Clients who are Advertisers on online marketing sites: Rithum may collect Personal Data in our Digital Marketing application, such as the IP address of the user, which is collected through use of our Digital Marketing tracking pixel. If you are not using our Digital Marketing tracking pixel, then Rithum will not collect the Personal Data of your prospective or actual consumers. If you are using our Digital Marketing tracking pixel, Rithum might have IP addresses associated with your consumers. In such cases, Rithum must retain those IP addresses for 60 days, after which time they are automatically deleted. No affirmative request or action from you is needed in order to facilitate such deletion.

For our Partners: Rithum may process Personal Data at the request of our clients, such as marketplace sellers or advertisers who use your platform, in order to fulfill our contractual obligations with them. We can only locate Personal Data if we know the seller or advertiser with whom the buyer’s Personal Data might be associated. As such, in order for Rithum to process valid GDPR data subject requests, such requests must be made through the seller or advertiser who sold product(s) to the data subject in question. Because they are our client, the seller or advertiser can then contact Rithum to help facilitate your applicable request. Contacting the seller will also ensure that any other third parties with whom the seller or advertiser has shared the Personal Data will also be notified.

For EU Citizens: If you are an EU citizen, you have certain rights with respect to our use and disclosure of your Personal Data. However, Rithum cannot help you exercise those rights without first obtaining additional information from the seller or advertiser who directed us to collect your data on their behalf. Rithum processes Personal Data at the request of our clients (sellers and advertisers) in order to fulfill our contractual obligations with them. Your relationship is with the seller or advertiser who sold your product(s) to you, so we need the seller or advertiser to contact us directly in order to determine the account against which we should process a request regarding your Personal Data. In order for your data privacy request to be handled properly, please contact the seller or advertiser who sold your product(s) to you. If they need to contact us to help facilitate your request they will do so.

How can I get more information from Rithum about the GDPR?

If needed, you can contact us by using the information found in Rithum’s Privacy Policy.