GDPR

Kommercio is controller for the data we collect about you directly, and processor for the data you store on behalf of your customers. Here's what that means in practice.

1. Controller vs processor

UK GDPR distinguishes between the data controller (the party that decides why and how personal data is processed) and the data processor (the party that processes on the controller's instruction). Kommercio wears both hats depending on the data category.

Data category: Account data for Kommercio tenants
  Controller: Kommercio
  Processor: Kommercio + sub-processors
  Examples: Your tenant's signup email, billing info, passkey credentials, subscription tier

Data category: Tenant's customer and supplier personal data
  Controller: Tenant (our customer)
  Processor: Kommercio + sub-processors
  Examples: End-customer email addresses, billing addresses, order histories, invoice records

Data category: Tenant's staff user data
  Controller: Tenant
  Processor: Kommercio + sub-processors
  Examples: Staff names, emails, roles, passkey credentials on the tenant's admin panel

Data category: Public website visitors (kommercio.io)
  Controller: Kommercio
  Processor: Kommercio + sub-processors
  Examples: Contact form submissions, anonymous analytics

This matters because the roles come with different obligations. As controller, Kommercio determines purposes and must respond to data subject requests directly. As processor, Kommercio acts on written instruction from the controller (the tenant) and passes data subject requests back to the controller to handle.

2. Data Processing Agreement

Our Data Processing Agreement (DPA) governs the processor relationship between Kommercio and each tenant. The DPA is incorporated by reference into our Terms of Service and is automatically accepted when you sign up for a Kommercio Subscription — you do not need to sign a separate document for it to be in force.

A PDF copy of the executed DPA is available on request for procurement, audit, or compliance purposes. Email privacy@kommercio.io with your account details and we will send a signed copy within one working day.

The DPA includes the standard UK GDPR Article 28 processor obligations: processing only on documented instruction, staff confidentiality, security measures, sub-processor controls, assistance with data subject requests and breach handling, deletion/return of data at end of service, and cooperation with audits.

3. Sub-processors

The sub-processors listed in our Privacy Policy are the full current list. The same list applies here — we do not operate separate processor relationships for controller vs processor data.

When we add or change a sub-processor, we notify tenant admins by email at least 30 days in advance. If a tenant has reasonable grounds to object, they may terminate their Subscription without penalty at the point of the sub-processor change.

4. Data subject requests

Where Kommercio is controller (for our tenants' account data, or for visitors to kommercio.io): requests come directly to us. We respond within 30 days as required by UK GDPR, extendable once by 60 days for genuinely complex requests, with notification to the data subject.

Where Kommercio is processor (for tenant customer/supplier/staff data): if an end-user contacts us directly with a data subject request, we identify the relevant tenant and pass the request back to the tenant within 72 hours. The tenant, as controller, must then respond within the UK GDPR timescale. We assist the tenant with technical tools (export, anonymisation, deletion) required to fulfil the request.

To exercise any data subject right, contact the right party:

5. Breach notification

If Kommercio becomes aware of a personal data breach affecting a tenant's data, we notify the affected tenant(s) within 24 hours of becoming aware. This is faster than the UK GDPR requires of a processor and exists to give controllers the maximum window to meet their own 72-hour notification obligation to the ICO under Article 33.

Breach notifications include, to the extent available at the time of notification:

Where a breach affects data for which Kommercio is controller, we notify the ICO within 72 hours as required by Article 33, and notify affected data subjects directly where the breach is likely to result in high risk to their rights and freedoms (Article 34).

6. International transfers

Where personal data is transferred outside the UK or European Economic Area, we rely on one or more of:

Our sub-processors are selected in part for their ability to support one of these mechanisms. Executed SCC / IDTA copies are available on request.

7. Records of processing

We maintain records of processing activities as required by UK GDPR Article 30, covering both our controller and processor activities. Records are kept up to date as our processing evolves and are available to the ICO on request as required by law.

8. Data Protection Officer

Kommercio is not statutorily required to appoint a Data Protection Officer — we are an SME, we do not carry out large-scale systematic monitoring of data subjects, and we do not process special category data at scale. We have nevertheless designated a privacy contact who oversees GDPR compliance across the business. Reach that contact at privacy@kommercio.io.

9. Your rights restated

Under UK GDPR, every data subject has the rights of access, rectification, erasure, restriction of processing, data portability, objection, and — where processing relies on consent — withdrawal of consent at any time. The route to exercising those rights depends on whether Kommercio is controller or processor for the data in question; see section 4 above.

You also have the right to complain to the Information Commissioner's Office at any time. Details are in our Privacy Policy.