GDPR Compliance Statement

This GDPR Compliance Statement is supplemental to our Privacy Policy, and applies to all users within the European Union that use our services. Accordingly, Shopchums conducts all data processing procedures (e.g., collection, processing, and transmission) in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation). Nothing in this Statement is intended to contradict or limit the applicability of the information provided in our Privacy Policy.

The following provides you with an overview of the type of data collected, how it is used, how it may be shared with others, how we protect your data using various security measures, and how you can exercise your rights.

The Controller

The responsible entity according to Article 24 GDPR is:
5800 Ambler Drive, Suite 210, Mississauga, Ontario, Canada L4W 4J4


You may contact us using our contact form, or via email to if you:

  • have any questions about this Policy Statement,
  • wish to file a complaint about a possible violation of data protection laws,
  • have any requests related to your rights, and
  • wish to access and/or correct incomplete, inaccurate, or outdated data.
  • Please note that certain account information related to you is essential in order for us to process and manage our accounts and deliver services to you, and deletion of such information may result in termination of services provided to you.

    We will make every effort to respond to your requests in the shortest possible time, and always in strict compliance with applicable law. In some cases, requests for deletion may not be honored immediately, due to a legal obligation or restriction.

    Your Rights

    You have the following rights as a data subject. These rights are standardized in Art. 15 - 22 GDPR. They include:

  • The right to information (Art. 15 GDPR),
  • The right to erasure (Art. 17 GDPR),
  • The right to rectification (Art. 16 GDPR),
  • The right to data portability (Art. 20 GDPR),
  • The right to restriction of data processing (Art. 18 GDPR),
  • The right to object to data processing (Art. 21 GDPR).
  • To assert these rights, or if you have questions about data processing in our company, please contact us using our contact form, or via email to

    You also have the right to lodge a complaint with a data protection supervisory authority. For Shopchums, The Office of the Privacy Commissioner of Canada (OPC) is the relevant authority in matters of data protection. You have the right to make a complaint at any time to the OPC ( We would, however, appreciate the opportunity to deal with your concerns before you approach the OPC, and we therefore ask you to please contact us in the first instance.

    Legal Bases for Processing

    The processing of your personal data may be based on the following legal bases:

  • Art. 6 (1) lit. a GDPR serves as our legal basis for processing operations, which requires us to obtain your consent for a specific processing purpose.
  • Art. 6 (1) lit. b GDPR, serves as our legal basis for the processing of personal data as necessary for the performance of a contract; e.g., if you purchase a product. The same basis applies to such processing operations that are necessary for the performance of pre-contractual measures; for example, enquiries about our products or services.
  • Art. 6 (1) lit. c GDPR, serves as our legal basis for the processing of personal data, such as for the fulfillment of tax obligations.
  • Art. 6 (1) lit. d GDPR serves as our legal basis for the processing of personal data relative to your vital interests, or for the processing of personal data relative to the vital interests of any other natural person.
  • Art. 6 (1) lit. f GDPR serves as our legal basis related to using third parties, e.g., when we use service providers for a part of order processing, such as shipping service providers, conducting statistical surveys and analyses, and reviewing logging in registration procedures. Our interest is to optimize our website in order to meet your expectations, by creating a user-friendly, appealing, and secure website.
  • Duration of Storage and Routine Deletion of Personal Data

    We process and store your personal data only for time periods required to fulfill our obligations to you and as required in applicable laws or regulations. When these purposes have been fulfilled, your personal data will be deleted, or blocked.

    If your data is blocked, deletion will take place as soon as legal, statutory, or contractual retention periods are met and does not conflict with our legitimate interest.

    Log Files

    Article 6 (1) b) GDPR is the legal basis for data processing related to the collection and storage of data necessary for the operation of the website, in order to ensure proper functioning of the website, and to deliver the content of our website correctly.

    Article 6 (1) f) GDPR is the legal basis which allows us to process data to optimize our website, and to ensure the security of our IT systems. Accordingly, and as a technical precaution, this data is stored for a maximum of 7 days.

    If you have not exercised your right to object to this use of your data (see information on the right to object under "Your rights"), we may also use this data for the purposes of advertising, market research, and by creating and evaluating user profiles under pseudonyms, in order to better design our services to meet your needs.

    Contractual Relationship

    Art. 6 (1) b) GDPR is the legal basis for establishing or implementing the contractual relationship with our users, as it is necessary to regularly process the personal master data and contract data you provide to us. Article 6 (1) f) is the legal basis for processing customer and prospect data for evaluation and marketing purposes, and serves our interest in further developing and informing you specifically about our services. If you have consented under Article 6 (1) f) GDPR, further data processing may take place pursuant to Article 6 (1) c) GDPR, if such processing serves the fulfillment of a legal obligation.

    Commercial and business services

    We process information related to our contractual and business partners, e.g., users and interested parties in the context of contractual and other comparable legal relationships or similar relationships, related to communication with contractual partners before execution of a contract or during contract administration, and to answer enquiries.

    We process this information to fulfill our contractual obligations, to secure our rights and to perform administrative tasks associated with this information, and for our business organization purposes. We only disclose partners’ contractual information to third parties as permitted by applicable law, and only to the extent necessary for the aforementioned purposes, for the fulfillment of legal obligations, or with the consent of the contractual partners, to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisers or tax authorities.Unless otherwise specified, the purposes of the above processing are related to contractual performance, customer service, responding to contact requests and related communication, fulfilling our office and organizational procedures, administration, visit action evaluation, and interest-based and behavioral marketing. The Legal bases are Art. 6 (1) b) GDPR, Art. 6 (1) c) GDPR, and Art. 6 (1) f) GDPR.

    Administration, Financial Accounting, Office Organization, Contact Management

    Article 6 (1) c) GDPR and Article 6 (1) f) GDPR are the legal bases for the data processing immediately herein. We process data to perform administrative tasks to organize our operations, to perform financial accounting, and to comply with legal obligations, such as archiving. In this regard, we process data identical or similar to the data that we process in the course of providing and fulfilling our contractual services and obligations. Users, interested parties, business partners and website visitors are affected by this data processing. The purpose of and our interest in this data processing is for the administration, financial accounting, office organization, archiving of data, i.e., tasks required for the maintenance of our business activities, performance of our tasks, and the provision of our services. The data in all processing activities immediately herein is identical to the data processed for contractual services and contractual communication, and the deletion of data in activities described immediately herein would correspond with any deletion of identical data related to contractual services and communication.

    In this context, we disclose or transfer data to tax authorities, consultants including tax advisors or auditors, etc.

    Furthermore, based on our business interests, we store information on suppliers, and other business partners, e.g., for the purpose of future contact. This data, most of which is company-related, is generally stored permanently.

    Information Processing for the Purpose of Fraud Prevention and Optimization of Our Processes

    Where applicable and when may be requested, we provide our service providers with information, which they may use for fraud prevention, and for optimization of our relationship processes and procedures. This serves our legitimate interests as outlined in Article 6 (1) f) GDPR (by helping to protect us against fraud, or to assist us in efficient risk management).

    Technical Services

    We process our Users data to enable them to select, execute, purchase or commission selected services from us, and associated activities. The required information is or may be related to a payment or service request or comparable contract performance, and includes user contact information required for the provision of services and billing, in order to provide service, contact requests and communication, office and organizational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioral marketing.

    Unless otherwise specified, the purposes of data processing herein are contract performance and service, responding to and dealing with contact requests and communication, performing office administrative and organizational procedures, response to user requests, dealing with and evaluating actions related to site visits, and processing interest-based and behavioral marketing. The Legal bases for contractual performance and dealing with and responding to pre-contractual inquiries, fulfilling our legal obligations are Art. 6 (1) b) GDPR, Art. 6 (1) c) GDPR, and Art. 6 (1) f) GDPR.

    Exercising Our Rights

    Art. 6 (1) lit. c) and f) GDPR are the legal bases for us to use and store your personal data and related technical information as necessary to prevent, or to prosecute, misuse or any illegal behavior on our website, e.g., to maintain data security in the event of attacks on our IT systems. We also process data to the extent that we may be legally obligated to do so due to court and similar official orders, and in order to protect and exercise our rights, and for our defense pursuant to any legal claims that may be made against us.

    Enquiries by e-mail or Contact Form

    If an enquiry is submitted to us via our provided e-mail address or contact form, we will store the personal data in the submission, and such data will be processed exclusively for the purpose of answering the enquiry. If an enquiry to us is aimed at concluding a contract, the legal basis for processing such data is Art. 6 (1) lit. f.) GDPR or Art. 6 (1) lit. b) GDPR. This data will be deleted when the purpose of the processing no longer applies, e.g., the enquiry has been conclusively answered. You can object to the processing of your personal data at any time by contacting us, using our contact form or via email to

    Use of Customer Data for Direct Marketing Purposes

    If you have provided us with your e-mail address when using our Services, we reserve the right to regularly send you e-mail offers for similar services. We do not need to obtain your separate consent for this. In this respect, processing personalized data for direct advertising is carried out solely on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f.) GDPR. If you initially objected to the use of your e-mail address for this purpose, we will not send you any e-mails.

    You are entitled to object at any time to the future use of your e-mail address for the aforementioned advertising purpose by using our contact form , or via email to After we receive your objection, we will immediately stop the use of your e-mail address for advertising purposes. If you wish to object to the use of your data for statistical evaluation purposes, you must unsubscribe from such marketing.


    We use cookies on our web sites. Cookies are small text files that are stored on your device. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies may have certain settings which only collect or contain information that cannot be related to a specific person.

    We use session cookies and permanent cookies on our web sites. This processing is carried out on the basis of Art. 6 (1) lit. f.) GDPR, to optimize and adapt the presentation of our website, and to enable user guidance. You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time using the appropriate browser settings and prevent the setting of new cookies. Please note that cookie deletion may prevent optimal display of our web site and may cause some functions to not be technically available.

    If you give consent to cookies in accordance with Art. 6 (1) lit. f.) GDPR, we use cookies and other technologies from third-party providers on our web site. If our purpose for data collection ends, and we accordingly end the use of the related technology, the data collected in this context will be deleted. You can revoke your consent at any time with immediate future effect. For further information on the cookies we use, please refer to our Cookie Policy.

    Disclosure of Personal Data to Third Parties

    Your personal data will only be shared by us if there is a legal obligation to do so, or to service provider companies that have been selected by us in advance, and which selection contractually obligates us to comply with applicable data protection law.

    a) Disclosure within service supplier companies pursuant to Art. 6 (1) lit. b GDPR

    We will share your personal data to contract software service providers, who may or will process it as part of their work performance for us. If you contact us with questions and/or complaints, they may or will have access to your data in order to allow them to process your request.

    b) Disclosure to service providers according to Art. 6 (1) lit. b and f GDPR

    For the operation and optimization of our website and our services, and for the processing of contracts, various service companies may from time-to-time work for us, e.g., we may share data (e.g., name, address) required for the fulfillment of the task, including cloud data storage, central IT services, hosting our website, the delivery of various services, and the dispatch of newsletters.

    Some of these companies act for us by way of commissioned processing and may therefore use the data provided exclusively in accordance with our instructions. Accordingly, we are legally responsible for appropriate data protection precautions at such companies. We therefore specify data security measures thatthese companies must have, and we monitor them regularly.

    c) Disclosure to other third parties pursuant to Art. 6 (1) lit. c and f GDPR

    We will disclose your data to third parties or government agencies within the framework of existing data protection laws, when we are legally obliged to do so, e.g., due to court or other official or similar orders, or if we are entitled to do so, e.g., when necessary for the prosecution of criminal offences, or for the exercise and enforcement of our rights and claims.

    Data Transfer to Third Countries

    As a company based in Canada, we take additional measures to ensure an adequate level of data protection for the transfer of personal data in accordance with Art. 44 of the GDPR and thus ensure that the transfer is generally permissible and that the special requirements for a transfer to a third country are met (e.g., by concluding EU standard contracts and additional guarantees, supplementary technical and organizational measures such as encryption or anonymization).

    General Technical Organizational Measures

    We have taken appropriate security measures to adequately protect your personal data. All information held by us is protected by physical, technical, and procedural measures that limit access to data to persons specifically authorized in accordance with our Privacy Policy and this Statement.

    Our website is behind a software firewall to prevent access to our website by other websites and networks on the Internet. In addition, employees’ access to data is limited to personally identifiable data related to and required for the performance of a specific task by that employee. These employees are trained in security and privacy practices, and are required to treat your information confidentially.

    The transmission of your personal data during any processing is encrypted using industry standard Secure Socket Layer ("SSL") technology, (SSL encryption version 3).


    This Policy Statement and our commitment to protecting the privacy of your personal data can result in changes to this Policy Statement. Please review this policy regularly to keep up to date with any changes.

    Queries and Complaints

    Any comments or queries on this Policy Statement should be directed to us. If you believe that we have not complied with this Policy Statement or acted in any manner notin accordance with data protection law, you should notify us using our contact form or via email to