Data Protection Addendum

GDPR and CCPA compliant data processing terms for EU and California clients.


1. Applicability

This Data Protection Addendum (DPA) applies to clients whose customers are located in:

  • European Union (GDPR - Regulation 2016/679)
  • California, USA (CCPA - California Consumer Privacy Act)
  • United Kingdom (UK GDPR - Data Protection Act 2018)
  • Other regions with equivalent privacy laws

Important: If you are subject to GDPR or CCPA, you must sign this DPA before using Mercato services.

2. Definitions

Data Controller
You (the e-commerce brand) determine the purposes and means of the data processing
Data Processor
Mercato processes data on your behalf and only per your documented instructions
Personal Data
Any information relating to an identified or identifiable individual (an EU/UK data subject or a California consumer)
Processing
Any operation performed on personal data, including collection, use, storage, or disclosure

3. Your (Controller) Responsibilities

3.1 Lawful Basis

  • Establish a lawful basis for processing customer data (consent, legitimate interest, contract, etc.) and document it
  • Publish a privacy notice explaining how customer data is used, including processing by Mercato
  • Give customers a way to object to or opt out of processing where the law requires it

3.2 Consent

Where consent is your lawful basis, obtain it before uploading customer data to Mercato:

  • Display a notice such as: "Your data is processed by Mercato's AI chatbot for product recommendations"
  • Consent must be freely given, specific, informed, and unambiguous

3.3 Data Minimization

  • Provide only the data necessary for Mercato to deliver the Service
  • Do not upload sensitive data (health information, financial account data, biometric data). The only biometric-adjacent data the Service handles is AR try-on photos, which are processed only for the duration of the session (see section 10.3)

3.4 Third-Party Disclosure

  • Inform customers that data may be processed by LLM providers (OpenAI, Google, Anthropic; see section 4.3)
  • Disclose all third-party processors, including Mercato's sub-processors, in your privacy policy

4. Mercato (Processor) Obligations

4.1 Process Only Upon Instruction

  • Mercato processes data solely per your documented instructions
  • No independent use or sale of customer data
  • Processing limited to Service delivery

4.2 Confidentiality

  • All Mercato employees sign confidentiality agreements
  • Access restricted to need-to-know basis
  • Team members trained on GDPR/CCPA annually

4.3 Sub-Processor Management

  • Current sub-processors: OpenAI, Google (Gemini), Anthropic
  • 30 days' written notice before adding or replacing a sub-processor
  • You may object to a sub-processor change within the notice period

4.4 Data Security

  • Encryption and access controls
  • Employee training
  • Annual security audits
  • Incident response plan

4.5 Data Rights Assistance

  • Assist with data subject access requests (within 20 business days of your request). Note that the GDPR deadline of one month from receipt (Art. 12(3)) runs against you as Controller, so forward requests to Mercato promptly
  • Assist with deletion and correction requests

4.6 Data Deletion

  • Upon contract termination, delete or return all customer data within 30 days
  • Provide certificate of deletion upon request

5. Data Transfers (International)

5.1 Problem

Customer data originates in EU/California but may be processed in US, India, or other countries.

5.2 Solution

  • EU/UK Data: Transfers outside the EU/UK are made under Standard Contractual Clauses (SCCs) per GDPR Article 46 (and the UK Addendum where applicable)
  • California Data: Transfers comply with CCPA Service Provider requirements
  • Supplementary safeguards: encryption, access controls, contractual obligations

5.3 Your Responsibility

You (as Controller) are responsible for ensuring a lawful transfer mechanism is in place. Mercato provides SCCs, but you must execute them and carry out any transfer risk assessment your regulator requires.

6. Data Subject Rights

  • Right to Access: CSV export within 15 business days
  • Right to Deletion: deleted within 30 days (GDPR "Right to Be Forgotten")
  • Right to Rectification: records updated within 7 business days
  • Right to Restrict: processing limited during the restriction period

7. Data Protection Impact Assessments

GDPR (Article 35) requires a Data Protection Impact Assessment (DPIA) when processing is likely to present a high risk to individuals. Automated profiling for product recommendations may fall into this category.

Mercato's Assistance

  • Assists with your DPIA upon request
  • Provides technical documentation and security details
  • No additional fee for standard DPIA assistance

8. Compliance Monitoring

8.1 Audit Rights

  • You have the right to audit Mercato's GDPR/CCPA compliance
  • Audits are conducted annually by an independent third party
  • Mercato provides supporting documentation and, where needed, system access

8.2 Certifications

  • SOC 2 Type II report available (under NDA)
  • Privacy certification targeted Q1 2026

9. Breach Notification

9.1 Mercato's Obligation

  • Notify you within 24 hours of becoming aware of a personal data breach
  • Notification includes: nature of the breach, data affected, likely consequences, mitigation steps
  • Full cooperation with your investigation

9.2 Your Obligation

  • Notify your supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), and notify affected individuals without undue delay where the breach is likely to result in a high risk to them (GDPR Art. 34)
  • Mercato assists with the notification letter if requested

10. Data Processing Specifics

10.1 Purpose

  • Chatbot support and product recommendations
  • Analytics and conversion attribution
  • Service improvement and AI tuning (this purpose must be covered by your documented instructions under section 4.1)

10.2 Retention Duration

  • Chat logs: 90 days
  • Behavioral data: 0 days
  • Analytics: 24 months
  • Post-contract: 30 days

10.3 Categories of Data

  • Chat conversation text
  • User IP address and browser info
  • Product interaction data
  • Purchase history
  • AR try-on photos (deleted immediately after session)

11. CCPA-Specific Terms

11.1 Service Provider Agreement

Mercato is a "Service Provider" under CCPA:

  • Processes California consumer data on your behalf
  • Cannot combine that data with data from other sources
  • Cannot retain or use the data for its own purposes
  • Certifies compliance in writing

11.2 California Consumer Rights

  • Right to know what data is collected
  • Right to delete data
  • Right to opt out of data sales
  • Right to non-discrimination

Note: Mercato does not sell data. We assist with fulfilling consumer requests.

12. Liability

  • Liability for GDPR/CCPA violations is limited to direct damages only
  • Liability is capped at 3 months of service fees (or zero, per the Terms of Use)
  • You indemnify Mercato for breaches caused by your instructions or your data

13. Contact

For data protection inquiries, DPA requests, or to report a concern:

Email: contact@mercato.agency

Response time: 15 business days
