Posted on Leave a comment

Koffeeware photo products and GDPR

GDPR (General Data Protection Regulation) is around the corner and has quite some implications for e-commerce web sites.

Koffeeware being a provider of photo centric e-commerce environments, we are obviously concerned by privacy in general and GDPR in particular.

Privacy by design

First of all, our products have always been designed with privacy as a concern. This translates into the fact that our tools only collect really needed data, the data needed to properly process and ship orders (when relevant).

Going into the details

Creator Five

Creator Five does not collect any customer related data. The only data stored by Creator Five is an anonymous ID to the creations stored. The link between the customer account and the creation’s ID is to be managed by the host site. only stores basic information for email based confirmation and to identify the customer at in-shop pick-up. partners can add additional data collection fields. In this case, it is their responsibility to clearly state what is done with the collected data.

An anonymous session cookie is also stored on the customer’s side. It is deleted as the customer leaves the web site.

Photo Web Shop

Photo Web Shop being a complete photo ecommerce environment, customer related data linked to shipment of orders need to be collected and stored. By default, this data is only used for order related communication. An additional field provides for optionally collecting consent for marketing communication. The customer can update this information at any time by connecting to his account.

Accounts are stored on a store-by-store basis, each store manager defines his policy in term of data usage outside of Koffeeware’s control.

An anonymous session cookie is also stored on the customer’s side. It is deleted as the customer leaves the web site.

GDPR roles

To understand and implement GDPR correctly, roles need to be clearly defined.

  • As per GDPR, Koffeeware acts as a Data Processor for its customers.
  • Koffeeware’s customers act as Data Controllers as they have to define how and why personal data is used and therefore need to make sure to clearly publicize their Privacy Policy. Furthermore, merchants are responsible for the collection and safe storage of their customers’ data as well as gaining consent from their customers for their marketing usage.

Simply said, the idea behind a privacy policy statement as per GDPR is “Say what you do and do what you say.” and “with simple words”.

Data Protection Officer (DPO)

In compliance with the GDPR, we have named a Data Protection Officer (DPO).

Third party service providers

Koffeeware uses the following third party service providers:

  • Databases are stored on Amazon Web Services servers located in Ireland.
  • Other services are running on Online and OVH servers located in France.
  • Our email platform is run by Mailjet who claims having their servers located in France.
  • This web site runs on o2switch servers located in France.

Regarding Google Analytics, we invite our customers using Google Analytics to set the data storage settings in accordance with their Privacy Policy. This obviously applies to other tracking tools.


This article may be updated at any time to match updates to our products.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.