Catalog facilitates the necessary sharing of shipping PII for order fulfillment in a secure manner. We rely on contractual agreements with Brands to ensure they handle this data responsibly and solely for its intended purpose. Partners also have tools like email anonymization to further control data sharing.
Why is shipping information shared?
When a customer purchases a Brand's product through a Partner's storefront powered by Catalog, the Brand needs the customer's shipping information (like name and address) to physically send the product. This is the core function of the dropshipping model facilitated by Catalog. Sharing this information is essential for fulfilling the order and has a lawful basis under data privacy regulations such as GDPR.
What information is shared
Typically, the information required for fulfillment includes customer name, shipping address, phone number (if provided for shipping purposes), and customer email address (see email anonymization below).
How is information shared securely?
Catalog acts as a secure conduit for this information:
- Secure transfer: Order details, including shipping information, are passed from the Partner's system to the Brand's system via Catalog's secure integrations. Data is encrypted during transit.
- Platform integration: Brands typically receive this information directly into their existing e-commerce backend, which has its own security protocols.
- Catalog's security: Catalog employs robust security measures, including data encryption at rest and in transit, strict access controls, and adherence to industry best practices. Catalog is SOC2 Type 2 compliant.
Brand responsibilities and data handling
Brands using the Catalog platform agree to Terms of Service that include strict provisions regarding the handling of customer PII:
- Purpose limitation: Brands must use the customer's shipping information solely for fulfilling the specific order.
- No unauthorized use: Brands are prohibited from using this information for unrelated marketing, selling the data, or sharing it with unauthorized third parties.
- Data security: Brands are expected to handle the data securely within their own systems.
- Retention: Brands should not retain the PII longer than necessary for fulfillment, returns processing, and any legal record-keeping requirements.
Partner controls: Email anonymization
Catalog offers an email anonymization feature to address concerns about Brands potentially using customer emails for marketing:
- Partners can enable this setting in partnership terms or settings.
- When enabled, Catalog masks the customer's actual email address before sending order details to the Brand.
- This provides an additional layer of privacy control, preventing the Brand from directly obtaining the customer's email address via the Catalog order flow.