GDPR & Data Protection Overview

This guide explains what GDPR compliance looks like when running an online store with Capyshop. It covers what the platform handles for you, what remains your responsibility as the store operator, and how to handle common data protection scenarios.

Your Role: Data Controller

As the store operator, you are the data controller. This means you determine the purposes and means of processing your customers' personal data. Capyshop is your data processor — it provides the technology and infrastructure, but you bear the legal responsibility for GDPR compliance.

What Capyshop Covers

The platform provides these built-in GDPR features:

| Feature | How it works |
| --- | --- |
| Cookie consent banner | Visitors see a banner on first visit with Accept/Decline options. Analytics and third-party scripts are only loaded after explicit consent. |
| Analytics consent gating | Third-party scripts and analytics stay fully disabled until the visitor accepts cookies. |
| Right of access | Users can download all their data in structured JSON format from their profile page. |
| Right to erasure | Users can delete their account directly from their profile. Orders are anonymized (PII removed) while financial records are retained for tax compliance. |
| Right to data portability | One-click export of all personal data (profile, addresses, orders, consent logs, reviews) in machine-readable JSON. |
| Age verification | Users must provide their date of birth at signup. Accounts cannot be created by anyone under 18. |
| Privacy policy | A comprehensive privacy policy is generated automatically, with GDPR rights disclosure, processor information and contact details. |
| ToS consent audit | Acceptance of the Terms of Service is logged with timestamp, IP address and version number. |
| Data retention | Analytics data is deleted automatically after a configurable period (default 90 days, set via ANALYTICS_RETENTION_DAYS). Inactive accounts are flagged for deletion after a configurable number of years of inactivity (default 3 years, set via INACTIVE_ACCOUNT_DELETION_YEARS). |
| Account inactivity | Users who have not accessed the platform for the configured number of years receive a warning email, and their account is scheduled for deletion. |
| Security headers | HSTS, CSP, X-Content-Type-Options and X-Frame-Options are enforced. |
| Rate limiting | Auth endpoints and API operations are rate-limited to prevent abuse. |

Your Responsibilities

Cookie consent logging is already handled for you: decisions are logged server-side via the ConsentLog model with type "cookies", and each accept or decline of the banner is recorded with the visitor's IP address and a timestamp. The items below remain yours to handle.

Data Processing Agreements (DPAs)

You should have DPAs in place with all third-party processors you use:

| Service | Purpose | DPA available? |
| --- | --- | --- |
| Stripe | Payment processing | Yes (Stripe DPA) |
| PostHog | Platform telemetry | Yes (PostHog DPA) |
| Your SMTP provider | Email delivery | Depends on provider |
| Custom scripts (admin-controlled) | Storefront scripts | Controlled by the store operator |
| Your hosting provider | Infrastructure | Depends on provider |

Marketing Compliance

Capyshop tracks a subscribeToNews flag but has no built-in email marketing system. If you connect an external email marketing service, you must:

  • Obtain explicit consent (no pre-ticked boxes)
  • Implement double opt-in where required
  • Provide one-click unsubscribe links
  • Maintain your own consent audit trail

Data Breach Notification

Capyshop does not detect or report data breaches itself; spotting one depends on your own monitoring of the application, database and hosting environment. If a breach occurs:

  1. Notify your supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals (GDPR Article 33). If you miss the 72 hours, the notification must state the reasons for the delay.
  2. Notify affected users without undue delay when the breach is likely to result in a high risk to them (Article 34).
  3. Export user data from the admin panel to identify and contact the affected users.

Records of Processing Activities (ROPA)

You should maintain a written record of your processing activities. This document should list what data you collect, why, how long you keep it, and who processes it.

Handling Data Subject Requests

Right of Access

Users can view their data on their profile page and download it via the Download My Data button. Admins can also export user data from the admin panel.

Right to Erasure

Users can delete their own account from their profile page (Danger Zone). Admins can also delete users from the admin panel. The deletion process:

  • Anonymizes order PII (name, email, addresses) while keeping financial records for tax purposes
  • Deletes analytics data, consent logs, reviews, wishlist, and sessions
  • Cascading delete handles addresses, accounts, and other related records

Right to Data Portability

Users can download all their personal data as a JSON file from their profile page. The export includes profile, addresses, orders with items, consent logs, and product reviews.
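The two flows above, export for access/portability and erasure that keeps financial records, as an added worked example. This is not Capyshop's own code: the tables, column names and sample customer are constructed assumptions that mirror the data categories this page lists (profile, addresses, orders with items, consent logs, reviews). It shows the parts a practitioner has to get right: the export nests line items under their orders, the erasure overwrites order PII and drops the user link rather than deleting the order, the whole erasure runs in one transaction, the related records go by foreign-key cascade, and a final sweep confirms the identifier is gone from every table.

```python
import json
import sqlite3

# Toy schema: an assumption for this example, not Capyshop's real models.
# ON DELETE CASCADE stands in for "cascading delete handles addresses ... and
# other related records"; orders use SET NULL because they must outlive the user.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, dob TEXT);
CREATE TABLE addresses (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE, line1 TEXT, city TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
    customer_name TEXT, customer_email TEXT, ship_to TEXT,
    total_cents INTEGER, tax_cents INTEGER, currency TEXT, created_at TEXT);
CREATE TABLE order_items (id INTEGER PRIMARY KEY,
    order_id INTEGER REFERENCES orders(id) ON DELETE CASCADE,
    sku TEXT, qty INTEGER, price_cents INTEGER);
CREATE TABLE consent_logs (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
    type TEXT, accepted INTEGER, ip TEXT, created_at TEXT);
CREATE TABLE reviews (id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE, product TEXT, body TEXT);
"""
ERASED = "[erased]"   # placeholder written over order PII

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FK actions otherwise
    conn.executescript(SCHEMA)
    return conn

def seed(conn: sqlite3.Connection) -> int:
    """Constructed sample data for one customer; returns her user id."""
    conn.executescript("""
    INSERT INTO users VALUES (1, 'ana@example.com', 'Ana Lima', '1990-04-02');
    INSERT INTO addresses VALUES (1, 1, '1 Main St', 'Lisbon');
    INSERT INTO orders VALUES (10, 1, 'Ana Lima', 'ana@example.com',
        '1 Main St, Lisbon', 2599, 486, 'EUR', '2024-01-15T10:00:00Z');
    INSERT INTO order_items VALUES (100, 10, 'MUG-01', 1, 2599);
    INSERT INTO consent_logs VALUES (1, 1, 'cookies', 1, '203.0.113.7', '2024-01-15T09:58:00Z');
    INSERT INTO reviews VALUES (1, 1, 'MUG-01', 'Great mug');
    """)
    return 1

def export_user_data(conn: sqlite3.Connection, user_id: int) -> dict:
    """Right of access / portability: one JSON-serialisable dict per data category."""
    profile = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    if profile is None:
        raise LookupError(f"no user {user_id}")

    def rows(sql: str, *args) -> list:
        return [dict(r) for r in conn.execute(sql, args or (user_id,))]

    orders = rows("SELECT * FROM orders WHERE user_id = ?")
    for order in orders:   # nest the line items under their order
        order["items"] = rows(
            "SELECT sku, qty, price_cents FROM order_items WHERE order_id = ?", order["id"])
    return {
        "profile": dict(profile),
        "addresses": rows("SELECT line1, city FROM addresses WHERE user_id = ?"),
        "orders": orders,
        "consent_logs": rows("SELECT type, accepted, ip, created_at FROM consent_logs WHERE user_id = ?"),
        "reviews": rows("SELECT product, body FROM reviews WHERE user_id = ?"),
    }

def export_user_json(conn: sqlite3.Connection, user_id: int) -> str:
    return json.dumps(export_user_data(conn, user_id), indent=2)

def erase_user(conn: sqlite3.Connection, user_id: int) -> dict:
    """Right to erasure: anonymise orders (kept for tax records), delete everything else.
    One transaction, so a crash mid-way cannot leave a half-erased account."""
    with conn:   # commits on success, rolls back on any exception
        anonymised = conn.execute(
            "UPDATE orders SET customer_name = ?, customer_email = ?, ship_to = ?, user_id = NULL "
            "WHERE user_id = ?", (ERASED, ERASED, ERASED, user_id)).rowcount
        # Deleting the user cascades to addresses, consent_logs and reviews;
        # order_items survive because their (anonymised) orders survive.
        deleted = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return {"user_deleted": deleted == 1, "orders_anonymised": anonymised}

def residual_pii(conn: sqlite3.Connection, needle: str) -> list:
    """Post-erasure check: names every table in which the identifier still appears."""
    hits = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [r["name"] for r in conn.execute(f"PRAGMA table_info({table})")]
        where = " OR ".join(f"CAST({c} AS TEXT) LIKE ?" for c in cols)
        if conn.execute(f"SELECT 1 FROM {table} WHERE {where} LIMIT 1",
                        [f"%{needle}%"] * len(cols)).fetchone():
            hits.append(table)
    return hits
```

Run `residual_pii` with the customer's email (and name) after every erasure in your own tests; it is the cheapest way to catch a new table that was added without a foreign key to users and so escaped the cascade.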

Automated Inactive Account Cleanup

By default, accounts that have been inactive for 3 years are flagged for deletion:

  1. An email is sent to the user warning that their account will be deleted in 7 days
  2. If the user signs in again, the inactivity timer resets
  3. After 7 days without activity, the account is automatically deleted

Configure the threshold with the INACTIVE_ACCOUNT_DELETION_YEARS environment variable.
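The three-step lifecycle above, as an added example of how a cleanup job can decide what to do with each account on every run. This is not Capyshop's own implementation: the Account record, the `decide` and `run_cleanup` functions and the sample accounts are assumptions made for illustration, and `inactivity_threshold` merely plays the role of the INACTIVE_ACCOUNT_DELETION_YEARS setting. The point it shows beyond the list is the state the job has to keep (when the warning went out) and the ordering of checks that makes a sign-in after the warning reset the timer instead of being ignored.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WARNING_GRACE = timedelta(days=7)   # grace period between warning email and deletion

@dataclass
class Account:
    email: str
    last_active: datetime                 # last sign-in or other platform access
    warned_at: Optional[datetime] = None  # when the deletion warning was sent, if ever

def inactivity_threshold(years: int) -> timedelta:
    """Hypothetical stand-in for INACTIVE_ACCOUNT_DELETION_YEARS; 365.25 days/year is leap-safe."""
    return timedelta(days=round(365.25 * years))

def decide(account: Account, now: datetime, years: int = 3) -> str:
    """Action for this run: 'keep', 'warn', 'reset' or 'delete'.

    The reset check comes first so that a user who signs in during the grace
    period is never deleted just because the seven days happen to have elapsed."""
    if account.warned_at is not None:
        if account.last_active > account.warned_at:
            return "reset"        # activity after the warning: clear the timer
        if now - account.warned_at >= WARNING_GRACE:
            return "delete"
        return "keep"             # still inside the grace period
    if now - account.last_active >= inactivity_threshold(years):
        return "warn"
    return "keep"

def run_cleanup(accounts: list, now: datetime, years: int = 3) -> dict:
    """Apply decide() to every account, mutate state, and report emails per action.

    Deleted accounts are removed from the list in place."""
    report = {"warn": [], "delete": [], "reset": [], "keep": []}
    survivors = []
    for acct in accounts:
        action = decide(acct, now, years)
        report[action].append(acct.email)
        if action == "warn":
            acct.warned_at = now   # a real job would send the warning email here
        elif action == "reset":
            acct.warned_at = None
        if action != "delete":
            survivors.append(acct)
    accounts[:] = survivors
    return report
```

Persist `warned_at` alongside the account (not only in the job's memory), otherwise a restarted job will warn again instead of deleting, and make every sign-in path update `last_active`, since that is the only signal the reset relies on.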

Third-Party Processors Summary

When running a Capyshop store, these services may process personal data:

| Processor | Purpose | Data |
| --- | --- | --- |
| Stripe | Payment processing | Payment amounts, currency, metadata |
| PostHog | Platform telemetry (opt-in) | Page views, errors (no customer PII) |
| Email provider (SMTP) | Transactional emails | Email addresses, order details, names |
| Custom scripts (admin-controlled) | Storefront analytics (opt-in) | Page views, events (gated behind consent) |
| Hosting provider | Application + database hosting | All personal data (at rest) |

Disclaimer

Capyshop is provided "as is" without warranties. You use the platform at your own risk. Capyshop is not responsible for data breaches, data loss, or GDPR compliance violations on self-hosted stores.

Useful Resources