This guide presents an overview of VTEX's approach towards data privacy. Read the following sections to understand how our platform's resources can help merchants and developers protect shopper's personal data.

VTEX follows the principle of data minimization, which refers to collecting, processing, and storing only the information essential to achieving a specific purpose. This means we limit the personal data we collect and keep, thus reducing the risk associated with excessive information processing.

VTEX processes shoppers’ personal data only when strictly necessary, following the requirements of each platform module to carry out ecommerce operations. Our platform may process personal data of the following types, as described in our Data Processing Addendum (DPA):

• Name
• Email address
• IP address
• Browsing information (cookies)
• Cart information
• Order information and history
• Delivery address
• ID number (when required by the country in which the store operates)
• Gift card history
• Unused cart
• Conversation Tracker information
• Session passwords (encrypted)
• Generated tokens

VTEX does not sell, monetize, enrich, or transfer shoppers' personal data to other companies. See the Privacy & Contracts section of our website to learn more about our approach to data privacy, including certifications, internal policies, and commitments.

Learn more about the definition of personal data and our role in data protection in the Data and privacy track on VTEX Help Center.

All data on the platform has a life cycle from creation to deletion, divided into four phases: Creation, Storage, Processing, and Disposal. This flow is illustrated below:

1. Creation: Process for creating or collecting data.
2. Storage: Data that will be reused is stored.
3. Processing: Data is processed and used to achieve the tenant's business objectives. During this stage, data can be refined, merged, or aggregated.
4. Disposal: When the data is no longer needed, we dispose of it permanently.

Data retention limits define the duration for which data can be stored within our platform. These limits are influenced by different factors, such as legal and compliance requirements, data privacy considerations, and costs. By establishing data retention limits, we aim to ensure compliance with regulations, protect user privacy, and maintain efficient resource allocation.

VTEX stores the shopper's personal data for the duration of the Master Services Agreement (MSA). In the event of termination of the contract with VTEX, the merchant must ensure that the data is extracted from the Master Data within thirty (30) days before the date of termination of the MSA, under Clause 7 of the DPA.

Merchants are responsible for complying with local laws and regulations. This includes defining and respecting data retention periods, which may vary depending on the specific legislation to which each store is subject.

VTEX offers tools for merchants to assist shoppers with requests related to data subject rights, including access and portability, rectification, consent, and erasure. Learn more in Data subject rights. For details on the data exclusion procedure, see the Erasing customer data.

VTEX is not responsible for personal data stored by systems integrated with your store, such as ERPs, third-party marketplaces, third-party sellers, third-party applications available in the VTEX App Store or customizations implemented by your development team. You must map this data and ensure the enforceability of the rights of personal data subjects in these instances, in addition to the processes described below.

Data in transit is protected by the TLS 1.2 security standard. Connections that use older and less secure encryption methods are denied.

When working with storage or data at rest, VTEX can use one of the following algorithms to support applications that need to encrypt data:

• Two-way encryption:
  • RSA with keys of 2048 bits or more
  • AES-256
• One-way encryption:
  • PBKDF2 based on SHA-256

All relevant systems make daily automatic backups by default, but this can be adjusted as necessary to ensure data integrity and availability.

In addition, we have implemented strict information security processes and access controls to ensure that only authorized persons have access to the data.

Learn more about our Security practices in the Security guide.

The hosting provider used by VTEX is Amazon Web Services (AWS), which stores data in the Northern Virginia region of the United States. The AWS platform has important certifications such as ISO 27001, PCI DSS, CSA, and NIST. For a detailed list of certifications, go to AWS Compliance Programs. Authorization for storing data on AWS can be found in our DPA.

VTEX has privacy and data protection policies, which are reviewed annually. The External Privacy Notice can be accessed on the VTEX website.

Merchants should add their own privacy policies to their websites to comply with local privacy regulations.

VTEX is committed to complying with all applicable data protection regulations, including GDPR and LGPD. The tools provided by our platform, through Admin and our APIs, allow merchants to comply with GDPR and local regulations. Learn more about our policies, contracts, and commitment to data protection compliance in the Privacy & Contracts section of our website.