GDPR and Data Privacy

Michelle Pisaneschi

Whiplash is an advocate for privacy and transparency in data collection. We believe that the set of regulations in the European Union's General Data Protection Regulation (GDPR) benefits consumers. In the GDPR framework, Whiplash is a data "processor", and the store operators that make up our client base are data "controllers".

GDPR provides a set of rights to consumers ("data subjects") who are citizens of the EU. Those rights are detailed below.

Lawful Basis of Processing

You need to have a legal reason to collect someone's data. The consumer data Whiplash receives from store owners pertains directly to performing the activities described in our contracts with store owners. The legal basis of processing this data is "Contract".

For our clients themselves, Whiplash collects information needed to bill for services and perform other tasks necessary to satisfy the contract. Whiplash will not use, share, or otherwise distribute the data it receives from store owners except when it is explicitly necessary to satisfy the terms of the contract.

Withdrawal of consent

Consumers need to be able to see what they've given consent for, and to opt out just as easily as they opt in. This falls onto the shoulders of our clients.

Our clients can see the data we have collected for them. Because the data we collect from our clients is necessary to fulfill our obligations under the contract, access cannot be revoked without closing the account.


Consumers need to be given notice that you're using cookies to track them, and they need to provide consent.

Whiplash's public website satisfies this requirement.


Consumers have the right to request that you delete the personal data you have about them. This includes permanent removal from your database, email tracking history, call records, form submissions, and more. The right to deletion depends on the context of the request and allows for up to 30 days to respond to the request. The request may be rejected if there is a lawful basis for doing so.

When our store owners are given a deletion request, they will need to relay that request to Whiplash to delete the consumer's data.

Contact Whiplash Technical Support to help you with this request.

3rd Parties

To satisfy the terms of our contracts, Whiplash may share the data it has received with 3rd parties, such as:

  • Parcel carriers (e.g., UPS, USPS, FedEx)

  • Database and hosting providers (e.g., Amazon Web Services, Heroku)

  • Business Intelligence tools (e.g., Periscope)

  • Customer service providers (e.g., Intercom)

  • Email list management providers (e.g., Mailchimp)

  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. We may acquire or merge with other businesses. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.

Upon receipt of a deletion request, Whiplash will relay the request to all 3rd parties Whiplash has shared your data with.

Access / Portability

Consumers have the right to access the personal data you have saved about them. Existing features in Whiplash, such as Search and Export, are already GDPR-compliant, and will continue to operate as they do today.


Consumers can request to have their data modified if it's inaccurate or incomplete. This is possible today using existing tools.