GDPR Compliance

Last updated: April 1, 2026

If you serve customers in the European Economic Area, the United Kingdom, or Switzerland, the GDPR applies to your store. This page explains how Quoli helps you meet your GDPR obligations and what we commit to as your processor.

On this page11 sections
  1. 01Introduction
  2. 02Who this applies to
  3. 03Our role under GDPR
  4. 04Data we process
  5. 05Lawful basis for processing
  6. 06Data subject rights
  7. 07International transfers
  8. 08Security and breach notification
  9. 09Sub-processors
  10. 10Data Processing Addendum (DPA)
  11. 11Contact our DPO

Effective date: April 1, 2026

Document version: 2.1

Read together with our Privacy Policy and Security page. The current sub-processors list is in section 9. Need a counter-signed Data Processing Addendum? See section 10.

1. Introduction

The General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") governs how organizations process personal data of people located in the European Economic Area (EEA). Equivalent regimes apply in the United Kingdom (UK GDPR) and Switzerland (FADP).

Quoli is built to help merchants comply with these laws when collecting reviews, photos, videos, and Questions from EEA, UK, or Swiss shoppers. This page sets out our commitments and the specific GDPR-relevant features we offer.

2. Who this applies to

The GDPR applies if any of the following is true:

  • You are a merchant established in the EEA, UK, or Switzerland.
  • You sell to or market to customers located in the EEA, UK, or Switzerland.
  • You monitor the behavior of people in those regions (for example, analytics that profile EU shoppers).

If any of those apply, the obligations in this page apply to your use of Quoli.

3. Our role under GDPR

For data processed via the Quoli Service, the relationship is:

  • The Merchant is the Controller. You determine the purposes and means of processing your shoppers' personal data.
  • Quoli is the Processor. We act on your documented instructions to provide the Service.
  • Our sub-processors (listed in section 9) act as further processors, bound by contract to the same standards.

Where Quoli collects data about you and your team directly (account info, billing, support), we act as the Controller for that data. That handling is described in our Privacy Policy.

4. Data we process on your behalf

The personal data Quoli processes about your shoppers typically includes:

  • Identifiers: name, email, customer ID, IP address (used for fraud prevention only).
  • Order metadata: order ID, products purchased, fulfillment date.
  • Review and Questions content: text, star rating, photos, videos.
  • Optional shopper-submitted attributes: location, age range, fit / size details where the shopper chooses to provide them.

We do not process special categories of personal data (health, race, religion, political opinions, biometric data) and we do not knowingly collect data from children under 16.

5. Lawful basis for processing

As your processor, we rely on the lawful basis you have established as the controller. For most review-related processing, the typical lawful bases are:

  • Consent from the shopper at the moment they submit a review, photo, or video.
  • Legitimate interest for sending review request emails after a confirmed purchase, where the customer relationship arising from the purchase justifies the contact.
  • Legal obligation for retention of records required by law (for example, tax records).

You should reference these in your own privacy notice. We make it easy by providing a default review request flow that asks for explicit consent on photo and video uploads, and by suppressing recipients who unsubscribe.

6. Data subject rights

Under the GDPR, data subjects (shoppers, in our context) have the following rights:

  • Access: request a copy of the personal data held about them.
  • Rectification: ask to correct inaccurate or incomplete data.
  • Erasure: request deletion (the "right to be forgotten").
  • Restriction: request that processing be paused.
  • Portability: receive their data in a machine-readable format.
  • Object: object to processing based on legitimate interest.
  • Withdraw consent: at any time, where processing is based on consent.

The Quoli dashboard lets you fulfill all of these requests directly: search by email or order ID, view all reviews and submissions tied to a shopper, edit, delete, or export. For requests Quoli cannot fulfill from the dashboard, contact support@quoli.io and we will assist within 5 business days.

7. International data transfers

Personal data we process is stored and processed primarily in the United States and the European Union. Where data of EEA, UK, or Swiss data subjects is transferred to a country that has not been recognized as offering an adequate level of protection, the transfer is governed by:

  • The Standard Contractual Clauses (SCCs) issued by the European Commission in Decision 2021/914 (Module 2: Controller-to-Processor).
  • The UK International Data Transfer Addendum for transfers from the UK.
  • The Swiss DPA-equivalent of the SCCs as recognized by the Swiss FDPIC.

The SCCs are pre-incorporated into the DPA we offer to merchants (see section 10).

8. Security and breach notification

Quoli implements technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access controls, continuous monitoring, and annual third-party security audits. Read our full Security page for details.

If a personal data breach affects your data, we will notify you without undue delay and within 72 hours of discovery, with the information you need to meet your own GDPR Article 33 / 34 notification obligations.

9. Sub-processors

We engage a small number of vetted sub-processors to deliver the Service. Every sub-processor is bound by contract to data protection obligations no less protective than those we owe you. We provide at least 30 days' advance notice before adding or replacing a sub-processor that processes personal data. To subscribe to sub-processor change notifications, email support@quoli.io with subject "Subscribe to sub-processor updates."

The current sub-processor list:

Sub-processorPurposeLocationData processed
Amazon Web Services (AWS)Primary cloud infrastructure (compute, storage, networking)United States, IrelandAll Personal Data processed by the Service
Google Cloud Platform (GCP)Secondary cloud infrastructure for AI workloads, regional failover, analytics pipelinesUnited States, European UnionAggregated usage data, AI inference inputs
MongoDB AtlasApplication database and internal analytics warehouse (reviews, attribution, cohort analysis)United States, European UnionAll Personal Data processed by the Service
CloudflareEdge CDN, DDoS protection, web application firewallGlobal edge networkIP addresses, request metadata, transit traffic
Amazon SESTransactional email delivery (review requests, reminders, replies, billing)United States, IrelandRecipient email, name, message content
AnthropicAI Replies, Nuggets extraction, Questions seeding (sole AI provider; enterprise tier with zero data retention)United StatesReview text, reply drafts. No customer PII unless present in the review body itself.
SentryError monitoring, performance tracing, conversion attribution analyticsUnited StatesError metadata, stack traces, request context, anonymized event data
IntercomCustomer support chat, ticketing, public knowledge base at help.quoli.ioUnited States, IrelandSupport conversations, merchant contact details
MantleRevOps automation, partner program management, referral tracking, partner payoutsUnited States, CanadaPartner contact info, attributed merchant signups, commission events
ShopifySource of truth for orders, products, merchant authentication, App Store billingUnited States, CanadaOrder, product, customer data shared by the merchant; subscription billing metadata

Objections to a current or proposed sub-processor on reasonable data protection grounds: contact support@quoli.io. Where the parties cannot resolve the objection in good faith within 30 days, you may terminate the affected portion of the Service without penalty.

10. Data Processing Addendum (DPA)

Most merchants do not need a separately executed DPA because our standard Terms of Service already incorporate the necessary processor obligations and the SCCs by reference. The Terms operate as our DPA on acceptance.

If your legal team requires a counter-signed DPA document, email support@quoli.io with the subject line "DPA execution request." Include:

  • Your full legal entity name and registered address.
  • Any required modifications (we accept reasonable redlines).
  • Your signing party's name, title, and email.

We return a counter-signed PDF within 5 business days. There is no fee, and DPA execution does not require an upgraded plan.

11. Contact our Data Protection point of contact

For GDPR questions, data subject requests routed to Quoli, sub-processor objections, or anything else GDPR-related, contact us at support@quoli.io with subject line "GDPR request." Our team responds within 5 business days.