Controller: UAB Komerza, company code 307395204, Giedraičių g. 39, R53,
LT-09302 Vilnius, Lithuania ("Komerza", "we", "our").
Contact: legal@komerza.com
1. Scope
This Privacy Policy explains how Komerza processes personal data of:
- Merchants using the Komerza platform and site-builder;
- Buyers who make purchases on merchant stores hosted by Komerza; and
- Visitors to komerza.com, builder.komerza.com, or related services.
It applies to all Komerza-operated products including the Site Builder, Marketplace infrastructure, and Email Marketing add-on.
2. Roles under GDPR
- Merchants act as data controllers for their buyers' data.
- Komerza acts as:
- a processor for data processed on behalf of merchants (orders, buyers, store analytics); and
- a controller for its own data (merchant accounts, billing, support, security, analytics).
- For personal data of buyers processed on behalf of merchants, Komerza acts under the Data Processing Addendum.
3. Categories of Data We Process
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Merchant Account | name, email, company, VAT ID | Account creation, authentication, billing | Contract (Art. 6 (1)(b)) |
| Buyer Order | email, IP, browser UA, order ID, timestamps | Checkout, delivery, anti-fraud | Contract (Art. 6 (1)(b)); Legitimate Interest (Art. 6 (1)(f)) |
| Payment Meta | PSP transaction IDs, status, error codes | Payment processing through merchant PSPs | Contract with merchant; Legitimate Interest |
| Analytics & Logs | IP, user agent, event ID, performance data | Platform reliability, abuse detection | Legitimate Interest |
| Marketing Add-on | sender domain, campaign content, recipient emails (merchant-provided) | Email delivery and analytics | Consent (Art. 6 (1)(a)) & Contract |
No special-category or children's data are knowingly collected.
4. Purposes of Processing
We process personal data to:
- Provide and secure Komerza's platform and site builder;
- Manage merchant billing, subscriptions, and fraud prevention;
- Deliver orders and messages between merchants and buyers;
- Provide customer and technical support;
- Perform analytics, debugging, and security monitoring;
- Comply with accounting, taxation, and legal requirements.
5. Data Sharing and Sub-processors
We use trusted service providers to operate our infrastructure. Each provider is bound by GDPR-equivalent safeguards (EEA location or SCCs).
| Provider | Purpose | Location / Safeguard |
|---|---|---|
| Fly.io Inc. | Ephemeral build & preview compute | EEA / SCCs |
| Cloudflare Inc. | CDN, R2 storage, DDoS protection, DNS | EEA + US / SCCs |
| Hetzner Online GmbH | Backend servers, database, cache | Germany |
| Amazon Web Services EU-North-1 | Email (SES) | Sweden |
| Revolut Bank UAB | Merchant billing | Lithuania |
| Functional Software Inc. (d/b/a Sentry) | Error logging & performance monitoring | Germany / SCCs |
| Everapi GmbH | Currency rates (no personal data) | EU |
6. Data Retention
- Buyer order data: kept until merchant deletion or buyer request.
- Merchant account data: kept until account deletion or legal-record expiry.
- Logs: 14 days (info/warn), 60 days (error/performance).
- Backups: encrypted, isolated, deleted automatically upon expiry.
7. International Transfers
Where data leaves the EEA, transfers rely on Standard Contractual Clauses (EU 2021/914) or equivalent safeguards. Copies of SCCs are available upon request.
8. Security Measures
We employ industry-standard safeguards, including:
- LUKS2 encryption at rest; TLS 1.3 and mTLS in transit;
- Physical and hardware-key access control;
- Continuous monitoring via Sentry;
- Segmented infrastructure and rate-limiting.
Full technical details are provided in the DPA Annex III.
9. Your Rights
Under GDPR you may:
- Access your personal data;
- Request correction or deletion;
- Object to processing;
- Request portability;
- Withdraw consent where applicable.
Buyers should contact the relevant Merchant for order-related data. Merchants may contact legal@komerza.com.
We will respond without undue delay and within 30 days.
10. Cookies and Tracking
Komerza and its merchants may use cookies for:
- Session management and authentication;
- Basic analytics and load balancing;
- Fraud and abuse prevention.
Essential cookies cannot be disabled. Optional analytics cookies require consent and are disclosed in-app.
11. Email Marketing Add-on
Merchants must use their own verified domain for sending email marketing campaigns.
12. Legal Basis Summary
| Purpose | Legal Basis |
|---|---|
| Service provision | Art. 6 (1)(b) – Contract |
| Platform analytics & fraud prevention | Art. 6 (1)(f) – Legitimate interest |
| Marketing emails | Art. 6 (1)(a) – Consent |
| Legal compliance (tax, accounting) | Art. 6 (1)(c) – Legal obligation |
13. Data Protection Officer & Complaints
Data Protection Officer: Airanas Leonavičius, CEO – UAB Komerza
Email: legal@komerza.com
You may lodge a complaint with the State Data Protection Inspectorate (VDAI), L. Sapiegos 17, Vilnius, Lithuania or your local EU supervisory authority.
14. Changes to This Policy
Material updates will be announced at least 15 days in advance via dashboard notice or email. Continued use of Komerza after that period constitutes acceptance of the revised Policy.
Contact
UAB Komerza
Giedraičių g. 39, R53, LT-09302 Vilnius, Lithuania
legal@komerza.com