Updated October 2025
Kudobuzz GDPR Compliance
Kudobuzz is committed to protecting the privacy and data rights of our customers and their end-users in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This document outlines Kudobuzz’s role, responsibilities, and commitments under GDPR, as well as the responsibilities of our customers when using Kudobuzz services.
Scope
This statement applies to all Kudobuzz services, including apps, integrations, and features offered through supported platforms.
Data Controller vs Data Processor
- Customers (Merchants) act as the Data Controller. They determine the purposes and means of processing personal data collected through Kudobuzz.
- Kudobuzz acts as the Data Processor, processing data strictly on the instructions of our customers.
Note: Kudobuzz does not determine the purpose of data collection for merchants’ customers. Therefore, ultimate responsibility for GDPR compliance in how data is collected and used rests with the merchant.
Data Processing Activities
Kudobuzz processes data solely to provide its services, which may include:
- Collecting, storing, and displaying customer reviews.
- Syncing and displaying user-generated content from social media platforms.
- Providing analytics and reports to merchants.
We do not use or sell personal data for advertising purposes.
Legal Basis for Processing
Our legal basis for processing personal data is derived from:
- The necessity of processing to perform the Kudobuzz service.
- The consent obtained by merchants from their end-users.
- Legitimate interests, where applicable, such as fraud prevention and product security.
Data Subject Rights
Under GDPR, individuals have rights including:
- Access to their data.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”).
- Restriction of, or objection to, processing.
- Data portability.
Kudobuzz will reasonably assist merchants in fulfilling these requests, but it is the merchant’s responsibility to respond to their customers’ GDPR requests in a timely manner.
Data Transfers
Kudobuzz may transfer and store data outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards such as:
- Standard Contractual Clauses (SCCs).
- Hosting with GDPR-compliant cloud providers.
Data Security
Kudobuzz protects personal data with safeguards such as:
- Encrypted data transmission (TLS/SSL).
- Encrypted storage where applicable.
- Role-based access control and auditing.
- Regular security testing and monitoring.
Data Retention
Kudobuzz retains personal data only as long as necessary to provide services or as required by law. Merchants may request deletion of data at any time by contacting us.
Sub-Processors
Kudobuzz uses carefully selected third-party sub-processors (such as hosting providers and email delivery services). A current list can be provided upon request. Kudobuzz ensures sub-processors are GDPR-compliant.
Breach Notification
In the unlikely event of a personal data breach, Kudobuzz will:
- Notify affected customers without undue delay once aware of the breach.
- Provide necessary details to support merchants in their legal notification obligations.
Merchant Responsibilities
To ensure GDPR compliance, merchants using Kudobuzz must:
- Obtain valid consent from their end-users before collecting and processing data.
- Provide clear privacy notices explaining how Kudobuzz is used.
- Respond to data subject requests directly.
- Configure Kudobuzz in compliance with GDPR principles.
Kudobuzz will not be liable for GDPR violations arising from a merchant’s failure to comply with these obligations.
Contact Information
If you have questions about this GDPR statement or require assistance, please contact:
Data Protection Team (DPT)
Kudobuzz
 [email protected]