Data Processing Addendum
Standard terms governing how business contact data is shared between StoreRadar Limited and a customer who purchases a matched list. No signature is required. Placing an order after the date below constitutes acceptance. A countersigned copy is available on request to legal@storeradar.co.
Data Processing Addendum
This addendum forms part of the Terms of Service between StoreRadar Limited ("StoreRadar", "we") and the customer purchasing a matched list ("Customer", "you"). It exists to answer the GDPR questions a buyer's compliance team usually has before approving the purchase.
1. Relationship of the parties
StoreRadar is an independent data controller for the business contact data it aggregates. StoreRadar's processing is carried out on the basis of legitimate interests under UK/EU GDPR Article 6(1)(f). StoreRadar does not process this data on the Customer's instructions and is therefore not a processor under Article 28.
On purchase, StoreRadar transfers a defined extract of that data to the Customer. From that point, the Customer is an independent controller of the data received, for its own outbound purposes as described in Section 4. StoreRadar is not liable for the Customer's subsequent use of the data. The Customer bears that responsibility as its controller, on the same basis as it would for a list assembled by its own personnel.
2. Data StoreRadar shares with you
Each matched-list row may contain, where available:
- Merchant domain, business/store name, and public storefront details.
- Decision-maker name, job title, and business phone number.
- A business contact email address, ranked personal → business → support.
- Catalog, pricing, tech-stack, and SEO signals about the business (not personal data).
We do not include personal data unconnected to a business role, and we do not sell consumer data. Full detail on what's collected and why is in the Privacy Policy.
3. Legal basis for StoreRadar's collection
Business contact information is sourced from pages the business itself made public (storefront, contact, about, and legal-disclosure pages), under UK/EU GDPR Article 6(1)(f), legitimate interests. We do not access admin areas, login-gated content, or anything not published by the business itself.
4. Customer's obligations as controller
On receipt of the data, the Customer is responsible as sender for compliant outbound communication under CAN-SPAM, PECR, or the applicable local equivalent, including unsubscribe handling, a physical-address footer, suppression-list management, and honouring opt-outs. StoreRadar provides matched list and contact data only. StoreRadar does not provide an outbound sending tool and is not responsible for how the Customer contacts the businesses on the list.
5. Data subject rights and removal requests
A data subject may request removal at any time by emailing legal@storeradar.co. StoreRadar actions removal requests directly against its own index. If a removal request is sent to the Customer instead of StoreRadar for data StoreRadar supplied, the Customer should forward it to the same address. The Customer is not required to maintain its own suppression logic for StoreRadar's removal obligations under this Section, separate from its own sending obligations under Section 4.
6. Security measures
Data in transit is encrypted using HTTPS/TLS. Access to production systems is restricted to StoreRadar personnel who require it. Card payment data does not touch StoreRadar's servers; it is handled entirely by Stripe. StoreRadar does not currently hold formal certifications such as ISO 27001 or SOC 2. This addendum will be updated if that changes.
7. Sub-processors and data flow
StoreRadar uses the following providers to operate the service. None of them receive card payment data.
- Render: application hosting and database (EU/US regions).
- Stripe: payment processing and billing. Stripe is an independent controller for payment data.
- Google (Gemini API): parses the Customer's offer and ICP description into search filters. Does not receive matched contact data.
- Email delivery provider: sends the Customer's access link and CSV. Transactional only, not a marketing list.
8. International transfers
StoreRadar Limited is registered in England & Wales. Where a sub-processor above stores or processes data outside the UK/EEA, transfers rely on that provider's Standard Contractual Clauses or an equivalent adequacy mechanism, consistent with UK/EU GDPR Chapter V.
9. Retention
We retain aggregated business contact data for as long as it remains publicly available and relevant to the service, or until a removal request is honoured. Customer account and order records are retained per the Privacy Policy.
10. Term, liability, and governing law
This addendum runs alongside your StoreRadar order or subscription and ends when it does. Each party is liable for its own compliance with GDPR as an independent controller under this addendum; nothing here creates joint-controller liability between StoreRadar and the Customer. This addendum is governed by the laws of England & Wales, matching the Terms of Service.
11. Contact
Questions from your legal, procurement, or compliance team, or requests for a countersigned copy: legal@storeradar.co. We respond within 5 business days.