GDPR and Data Management

ARC X-Media Ltd and its trading styles of "Retain.me", "ReMarket.me" and "ZAP~POST", collectively: "ARC X-Media"

Introduction

This GDPR Compliance Policy ("Policy") outlines the commitment of ARC X-Media Ltd ("we," "us," or "our") to the principles of the General Data Protection Regulation (GDPR). As a provider of software-as-a-service (SaaS) solutions to Direct to Consumer brands ("you," "your," or "Client"), we process personal data on your behalf. This policy details our role as a Data Processor, our data protection practices, and our obligations under the GDPR.

This Policy should be read in conjunction with our Terms of Service and our Data Processing and Retention Policy. Request access to view this document via Vanta.com.

Our Role: Data Processor
In the context of providing our services, you are the Data Controller, and we are the Data Processor. This means:

  • You (the Data Controller) determine the purposes and means of processing personal data. You are responsible for the lawfulness of the data processing and for upholding the rights of the data subjects (your end-customers).
  • We (the Data Processor) process personal data only on your behalf and in accordance with your documented instructions.

Data We Process on Your Behalf
As a Data Processor, we may process the following categories of personal data related to your customers, as determined by you:

  • Contact Information: Name, email address, phone number, shipping and billing address.
  • Transactional Information: Order details and purchase history. We do not store any payment information.
  • Technical Information: IP address, device information, browser type, and other data related to the use of your online store.
  • Other Data: Any other personal data you choose to collect and process through our Services.

How We Process Data

We process personal data solely for the purpose of providing our Services to you, as outlined in our Agreement. Our processing activities are limited to what is necessary to:

  • Deliver, maintain, and improve our services.
  • Provide technical support.
  • Prevent and address service or technical issues.
  • Comply with your documented instructions.

We will not process personal data for any other purpose without your explicit consent.


Legal Basis for Processing
As a Data Processor, our legal basis for processing personal data is the fulfilment of our contractual obligations to you. You, as the Data Controller, are responsible for establishing a valid legal basis for the collection and processing of personal data from your customers.

Data Security
We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Data is encrypted in transit and at rest.
  • Access Control: Access to personal data is restricted to authorised personnel with a legitimate business need.
  • Regular Security Assessments: We conduct regular security audits and penetration testing to identify and address vulnerabilities.
  • Data Minimisation: We only process the personal data that is necessary to provide our services.

Sub-processors
We may engage third-party sub-processors to assist in providing our services. Before engaging a new sub-processor, we will:

  • Conduct due diligence to ensure they have adequate data protection measures in place.
  • Enter into a written agreement that imposes data protection obligations equivalent to those in our Data Processing and Retention Policy.
  • Inform you of any intended changes concerning the addition or replacement of sub-processors, thereby giving you the opportunity to object to such changes.

For Retain.me's SMARTSlip solution, the only sub-processor is Microsoft Azure.
You may request additional Sub-processors in order for Retain.me to provide the Services You require.


Data Subject Rights
As the Data Controller, you are responsible for responding to requests from data subjects to exercise their rights under the GDPR (e.g., access, rectification, erasure). We will provide you with reasonable assistance to fulfil your obligations in responding to such requests. You may use the form below to remove a data subject from Retain.me systems.

Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay after becoming aware of the breach. Our notification will include:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects and personal data records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to be taken to address the breach.

International Data Transfers
If we transfer personal data outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to protect the data in accordance with GDPR requirements.


Data Retention and Deletion
We will retain personal data for the duration of our agreement with you. Upon termination of the agreement, we will, at your choice, delete or return all personal data to you, and delete existing copies unless applicable law requires storage of the personal data. You may advise Us of Your preferred data retention period.

Contact Information
If you have any questions about this GDPR Policy or our data protection practices, please contact us at: ARC X-Media Ltd, 78 York Street, London, W1H 1DP