We have general processes in place for the handling of personal data. In terms of who is the data controller, because we are POS-integrated, NitroSell is legally a data processor and the retailer is the data controller.
Should you need to delete a person’s data under “right to forget”, you can delete their record from the POS, and can request that we erase order history and any web records through a ticket. As a policy, we only retain data at a retailer’s request, and data is only retained as long as you are a NitroSell customer.
In terms of breach protection, we have extensive security measures in place in order to meet and maintain PCI-DSS Level 1 compliance. We have a comprehensive compliance process, and many industry standard security measures in place, and all of these are checked annually with an on-site audit, annual penetration testing, weekly internal and external security scans, and managed intrusion detection systems. Our compliance provider is Trustwave, the leader in the space.
Finally, with regards to “opt in” for personal data collection, we do not yet have a standardised message to be displayed at registration or checkout, nor a checkbox for it. Once we have come up with a standardised message that meets the standard, we would be happy to add this as a config option that can be enabled. If you would like us to add one in the meantime, please open a ticket, and it can be done easily.
If you have any other queries or concerns, please let me know.