One code, plenty of opportunities: with the Trustbadge technology, online shop owners can integrate the Trusted Shop products in their websites – whether they use the customer and product reviews, or the Trustmark.
On this website, you will find documentation of the technical process which takes place during an order placement with the standard integration of the Trustbadge in the online shop. If the Trustbadge technology is not integrated correctly, there is the risk that certain features (e.g. verification whether the customer is already known to Trusted Shops) will not work properly. However, no personal data are collected beyond the scope described herein.
If additional Trustbadge features offered by Trusted Shops are activated or used alongside the standard functions, the software might also not function as intended. Please contact us directly if you have any questions about the technical process in such cases. The Trustbadge standard features include the differentiation between customers who have already visited and registered with Trusted Shops and those who are new to Trusted Shops (customers are differentiated after placing an order) as well as the offer of the relevant Trusted Shops products integrated by the online shop (Buyer Protection / guarantee and/or reviews) based on said customer differentiation. Non-standard features include Auto-Collect and Review Collector.
Privacy Policy Template
First things first: Trusted Shops offers a privacy policy template. The information provided below exceeds the scope of your information duties. In the Trusted Shops Privacy Policy, Trusted Shops informs users of all cases in which Trusted Shops is responsible for the processing of their data.
The scope of data processed by Trusted Shops is restricted to the absolute minimum necessary for achieving the intended purpose. Trusted Shops processes data exclusively for the purposes agreed upon under the joint controllership, and also in order to provide the services agreed upon in the membership agreement as follows:
Areas of responsibility under the Joint Controllership
For activities which Trusted Shops performs as the processor of your data and which under data protection law are based on overriding legitimate interests in accordance with of Article 6 (1) (f) GDPR, Trusted Shops offers a tool for keeping your records of processing activities up-to-date and for documenting the balancing of interests. You will find it on the following websites:
- Data protection guideline – displaying the Trusted Shops Widgets
- Data protection guideline – recognition of registered Trusted Shops customers
- Data protection guideline – provision of the required order data
- Data protection guideline – Review Collector, AutoCollection and API
- Data protection guideline – Generation of review links via API
| Operation | Trusted Shops | Customer |
|---|---|---|
| Use of the B2B online system |
Sole controller |
|
| Use of the B2C online system |
Sole controller |
|
| Use of the review system |
Sole controller |
|
| Content of the Widgets / Use of Trusted Shops services |
Joint controller |
Joint controller |
| Display of the Widgets in the shop |
Joint controller |
Joint controller |
| Review Collector |
Joint controller |
Joint controller |
| Auto-Collect |
Joint controller |
Joint controller |
| Application programming interface (API) |
Joint controller |
Joint controller |
Visiting an online shop with the Trustbadge
If the Trustbadge technology is fully integrated in an online shop, the Trustbadge will be visible as soon as the buyer visits the homepage.
The Trustbadge will also be visible on all other pages.
When the user opens the website of the online shop, the browser will send the entered web address to the web server, which will transfer the website to the browser as an HTML document. The browser's interpreter will then interpret the HTTP of the page and display the website. This request for a resource sent to a web server is called an HTTP request. Such a request is made whenever a file or a script whose content is not yet in the browser cache is to be loaded (for example, content from any previous visits to the website). The response from the server and the related stream of data is simply called the response.
Every request is recorded by the web server [to which such a request is sent] and stored in its log files. Such a log entry has a standard format. It contains information on the browser client of the website visitor (date, time, referrer, IP address of the client, user agent, ...). These data are called usage data and are generated whenever data are transferred online. The IP address is anonymized immediately.
The same process applies to third-party content integrated into the website of an online shop. The Trustbadge is based on such third-party content delivered by the relevant web servers after the corresponding HTTP request is made. This is why a web server log entry is generated when the Trustbadge is called up.
The Trustbadge is provided with the help of AWS as a CDN provider in the context of data processing on our behalf. However, the data is processed exclusively on servers in Europe. Art. 44 et seq. GDPR on the transfer of personal data to a third country are hence not applicable. The ECJ Schrems II ruling therefore has no direct impact on the processing.
Whenever the Trustbadge is used, the web server automatically saves a so-called server log file which, for example, contains the IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request. The IP address is anonymized immediately.
If an order is placed with the online shop, the order number will also be stored. This serves the verification of subsequent customer reviews or orders if any complaints about damaged products are made by registered buyers, whereas such complaints must always quote the order number. Among other things, this helps prevent the processing of duplicate order numbers.
Other than that, just visiting a shop's website in which the��Trustbadge is integrated does not trigger any automatic transfer of personal data (e.g. name, e-mail address etc.) to Trusted Shops or their storage by Trusted Shops.
Display of the Trustbadge
| Processed personal data | IP address (immediately anonymized), order number |
| Recipient | Trusted Shops; infrastructure provider. Encrypted transfer (TLS) |
| Purpose | Rendering of the Trustbadge to display the Trusted Shops Trustmark; display of collected reviews, if any, and the offering of Trusted Shops services for buyers after they place an order |
Trusted Shops does not use the usage data described herein to generate any usage profiles.
Placing an order with a shop using the Trustbadge / The order completion process flow
If a visitor places an order with a shop using the Trustbadge, data will be transferred depending on whether the buyer has already actively used Trusted Shops products and has agreed to the collecting of their data, or whether the buyer decides to use the Trusted Shops products directly after placing the order, on the order confirmation page.
In any case, as a rule, only the minimum scope of data required for using the Trusted Shops products is collected. The process flow here is as follows:
Recognition of registered Trusted Shops members
As a first step, the customer is checked as to whether they have already registered for Trusted Shops products (Trusted Shops buyer membership, money-back guarantee (Buyer Protection) and automatic review invite emails).
This is done by the Trustbadge which verifies that the email address of the shopper is available in the source code of the order confirmation page, in a so-called DIV container, and that it is correct in terms of the syntax. It will generally always be correct if the Trustbadge is integrated on the website correctly.
If an email address is available, it is hashed in the website visitor’s browser using a cryptographic one-way hash function before it is transmitted. Non-hashed email addresses are not transmitted. After a check for a match, the parameter is automatically deleted. The transmitted hash value can be assigned to a registered email address only if the customer previously used that email address to register for a Trusted Shops product. The hash value is anonymous for users not registered for the services.
Recognition of already registered Trusted Shops users
| Processed personal data | One-way hash of the email address (MD5 function) |
| Recipient | Trusted Shops; infrastructure provider. Encrypted transfer (SSL) |
| Purpose | Fulfilment of Trusted Shops user agreements |
Performance of Trusted Shops services
The second step is based on the result of activities performed as part of the first step. The further course of the procedure depends on the products which Trusted Shops offers in the shopper’s country and which the shop has activated.
Already registered shoppers
If the shop is certified and the shopper has already registered for Trusted Shops buyer membership, the following data are collected through a second DIV query from the source code of the order confirmation page and transferred to Trusted Shops:
- the order date
- the order number
- existing customer number, if any
- the total amount of the order
- the currency
- the expected delivery date, if applicable
- the payment type
- the e-mail address
If the shop's website has enabled product reviews, also the following data will be transferred:
- the URL of the product and of the product image
- the product name
- the product SKU
- the product GTIN
- the product MPN
- manufacturer details
The customer will see a displayed Trustcard for registered buyers showing that their order can be secured up to a purchase value of EUR 100,- (Membership Basic) or up to a purchase value of EUR 20,000,- (Membership Plus).
If the customer is registered as the Basic member and the amount of their order exceeds EUR 100,-, the customer will see a confirmation of their free Buyer Protection, and will be offered an option of the full protection of the total amount of the order.
If the customer is only registered for automatic review requests, or if the online shop is not certified and, thus, does not offer buyer protection, the procedure is as described above, except only the order number, the order date and the email address, or –in the case of product reviews– also the URL of the product and of the product image, the product name, the product SKU, GTIN and MPN as well as the manufacturer must be provided and are collected.
The obtained data are stored internally only for the purpose of handling the concluded contracts and until the contract is fulfilled by both Parties. After that, the data will be blocked from further use and finally erased once all retention periods arising from commercial and tax law have expired.
If the customer decides not to use the Trusted Shops products and leaves the website, no data is transmitted to Trusted Shops or stored or processed by Trusted Shops, with the exception of data that must be technically processed for the display of the Trustbadge (see the relevant section).
Use of Trusted Shops services
| Processed personal data for review reminders | Order date, order number, email address |
| Additional data for Buyer Protection | (Opt.) customer number, order amount, currency, (opt.) expected delivery date, payment type |
| Additional data for product reviews | Product URL, (opt.) product image URL, product name, (opt.) product SKU, GTIN and MPN, (opt.) manufacturer |
| Recipient | Trusted Shops; infrastructure provider. Encrypted transfer (TLS) |
| Purpose | Fulfilment of Trusted Shops user agreements |
Non-registered shoppers
If the customer has not registered for the Trusted Shops products, the Trusted Shops Checkout Card will be displayed showing the content designed for new shoppers. Depending on what products are used by the online retailer, this content will include the offer to register for the Trusted Shops buyer membership, or a review reminder. This Trustcard may look as in the following example:
If a shopper who is new to Trusted Shops then clicks on the button in the Trustcard to use a Trusted Shops product for the first time (Trusted Shops buyer membership or, if the shop is not certified, review reminder), the following alternatives will be offered depending on which Trusted Shops products are used by a given online shop:
- The customer can enable review reminders.
- The customer can register for Trusted Shops buyer membership (Basic or Plus) (Automatic review reminders and Trusted Shops Buyer Protection (for Basic members), or Buyer Protection (for Plus members) after every purchase from certified Trusted Shops members in Germany and other European countries).
If the customer decides to register for Trusted Shops buyer membership and clicks the respective button in the Trustcard, then they agree to the processing of the necessary data by concluding their own contract with Trusted Shops. The registration takes place immediately (visible as a revolving Trusted Shops logo in the tab). In this process, data such as the order date for the current order, the order number, existing customer number, if any, the amount of the order, the currency, the expected delivery date, if applicable, the payment type and the e-mail address or, if product reviews are integrated into the shop's website, also the URL of the product and of the product image, the product name, the product SKU, GTIN and MPN, as well as manufacturer details, are collected through a second DIV query from the source code of the order confirmation page and transferred to Trusted Shops. Next, a new tab will automatically open, confirming the registration for the buyer membership and the insurance of the current order:
Depending on the amount of the order, the customer will also be offered to register for a Plus membership. If the customer decides to register and clicks the respective button, they will be referred to a Trusted Shops form where they must enter further data themselves.
If the necessary data are not provided by the online shop or the shop system, the customer can click on the button in the Trustcard and will be referred to a registration form on the Trusted Shops website in a new tab.
Registration form for Trusted Shops buyer membership (membership form)
This registration form contains empty text fields that have to be filled out by the customer. If certain data have already been provided, the respective form fields will already be pre-filled.
The entered data will be transmitted to Trusted Shops only if the customer ultimately registers for the Trusted Shops buyer membership Plus, i.e. when the customer again clicks the respective button in the form.
If the customer does not register for the product and leaves the website, the data contained in the filled-out form fields will not be stored by Trusted Shops.
Buyer Protection form
If the registration for the Trusted Shops Services is not enabled in a given country, or the necessary data are not provided by the online shop, a form for creating a contract for Trusted Shops Services will open up. Individual form fields may already be pre-filled, if the online shop only provides certain data.
Nevertheless, at this point, no personal data relevant to data protection law have been transferred to Trusted Shops yet.
On the order confirmation page, the data provided when filling out the Buyer Protection form are already contained in the source code. When the shopper clicks the button on this page or in the Trustcard, a unique link to the pre-filled registration form will be generated from the website’s source code by using the respective parameters (e.g. the amount of the order, email address etc.).
Although the form is on a Trusted Shops page, the pre-filling is triggered by the generated link and serves solely the purpose of improved user experience.
The data contained in the link are transferred to, or stored by Trusted Shops only if the customer ultimately registers for the respective Trusted Shops product, i.e. when the customer once again clicks on the respective button in the form. By clicking on the button, however, the customer concludes a new contract with Trusted Shops subject to the corresponding terms of use and consents to the processing of the data required for this purpose.
If the customer does not register for any Trusted Shops product and leaves the website, the data contained in the pre-filled form fields will not be stored by Trusted Shops.
Summary
The customer’s personal data will only be collected and processed if they actually decide to register for a Trusted Shops product. By doing so, however, they agree to the collection and processing of the data.
If the customer does not conclude a contract with Trusted Shops and leaves the website, no data, e.g. those contained in the pre-filled fields, will be stored by Trusted Shops.
Glossary
| Online retailer / Member | An entity which operates an online shop and is Trusted Shops client / member (an enterprise) |
| Shop visitor / Visitor | A person who visits the website of an online shop but is not its customer yet, i.e. browses the website and has not placed any order (individuals, may act as a consumer or entrepreneur) |
| Shopper / Customer / Buyer | A person who places an order with the online shop and registers as a member for this purpose or places the order as a guest (individuals, may act as a consumer or entrepreneur) |
| Buyer registered for Trusted Shops services | A person who has registered for Trusted Shops buyer membership (Basic or Plus) |