Trustbadge documentation for online retailers

One code, plenty of opportunities: with the Trustbadge technology, online shop owners can integrate the Trusted Shops products into their websites – whether they use the customer and product reviews or the Trustmark.

On this website, you will find documentation of the technical process which takes place during an order placement with the standard integration of the Trustbadge in the online shop. If the Trustbadge technology is not integrated correctly, there is the risk that certain features (e.g. verification whether the customer is already known to Trusted Shops) will not work properly. However, no personal data are collected beyond the scope described herein.

If additional Trustbadge features offered by Trusted Shops are activated or used alongside the standard functions, the software might also not function as intended. Please contact us directly if you have any questions about the technical process in such cases. The Trustbadge standard features include the differentiation between customers who have already visited and registered with Trusted Shops and those who are new to Trusted Shops (customers are differentiated after placing an order) and the offer of the relevant Trusted Shops products integrated by the online shop (Buyer Protection and/or reviews) based on said customer differentiation. Non-standard features include Auto-Collect and Review Collector.

Privacy Policy Template

First things first: Trusted Shops offers a privacy statement template. The information provided below exceeds the scope of your information duties. In the Trusted Shops Privacy Policy, Trusted Shops informs users of all cases in which Trusted Shops is responsible for the processing of their data.

The scope of data processed by Trusted Shops is restricted to the absolute minimum necessary to achieve the intended purpose. Trusted Shops processes data exclusively for the purposes agreed upon for processors and also as part of providing services agreed upon in the membership agreement as follows:

Trusted Shops as controller vs. processor

For activities which Trusted Shops performs as the processor of your data and which under data protection law are based on overriding legitimate interests in accordance with Article 6 (1) (f) GDPR, Trusted Shops offers a tool for keeping your records of processing activities up-to-date and for documenting the balancing of interests. You will find it on the following websites:

Operation | Controller | Processor
Use of the B2B online system | Trusted Shops |
Use of the B2C online system | Trusted Shops |
Use of the review system | Trusted Shops |
Content of the Trustbadge / Use of Trusted Shops services | Trusted Shops |
Display of the Trustbadge in the shop | Online shop | Trusted Shops
Review Collector | Online shop | Trusted Shops
Auto-Collect | Online shop | Trusted Shops
Application programming interface (API) | Online shop | Trusted Shops

Differentiation

Display of the Trustbadge, Review Collector, Auto-Collect, API

Online shop owners are controllers because they decide independently on the purposes and means of data processing. They obtain consent forms from data subjects and, based on those, they send Trusted Shops review requests, which are treated as advertisements.

Trustbadge

Trusted Shops is responsible for the content of the Trustbadge and the data processing taking place via the Trustbadge when using the Trusted Shops services (Trusted Shops buyer membership, Trusted Shops Buyer Protection, review reminders for members).

Visiting an online shop with the Trustbadge

If the Trustbadge technology is fully integrated in an online shop, the Trustbadge will be visible as soon as the buyer lands on the homepage.

Trustbadge being displayed in the bottom right corner of an online shop

The Trustbadge will also be visible on all other pages.

When the user calls up the website of the online shop, the browser sends the entered web address to the web server, which transfers the website to the browser as an HTML document. The browser then interprets the HTML of the page and displays the website. This request for a resource sent to a web server is called an HTTP request. Such a request is made whenever a file or a script is to be loaded whose content is not yet in the browser cache (which holds, for example, content from previous visits to the website). The response from the server and the related stream of data is simply called the response.

Every request is recorded by the web server [to which such a request is sent] and stored in its log files. Such a log entry has a standard format. It contains information on the browser client of the website visitor (date, time, referrer, IP address of the client, user agent, ...). These data are called usage data and are generated whenever data are transferred online.

The same process applies to third-party content integrated into the website of an online shop. The Trustbadge is based on such third-party content delivered by the relevant web servers after the corresponding HTTP request is made. This is why a web server log entry is generated when the Trustbadge is called up.

The Trustbadge is also provided in the context of data processing by a CDN provider acting as the processor on our behalf. Data are processed exclusively on servers in Europe. Trusted Shops GmbH, however, also uses the services of U.S.-based providers. An appropriate level of data protection is guaranteed (Privacy Shield certification + standard contractual clauses).

Whenever the Trustbadge is used, the web server automatically saves a so-called server log file which, for example, contains the IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request. Individual pieces of access data are stored in a security database for the analysis of security vulnerabilities. The log files are automatically erased no later than 90 days after the date they were created.

If an order is placed with the online shop, the order number will also be stored. This serves to verify subsequent customer reviews, or orders if registered buyers make complaints about damaged products; such complaints must always quote the order number. Among other things, this helps prevent the processing of duplicate order numbers.

Other than that, just visiting a shop's website in which the Trustbadge is integrated does not trigger any automatic transfer of personal data (e.g. name, e-mail address etc.) to Trusted Shops or their storage by Trusted Shops.

Display of the Trustbadge

Processed personal data: IP address, order number
Recipient: Trusted Shops; infrastructure provider. Encrypted transfer (SSL)
Purpose: Presentation of the Trustbadge to display the Trusted Shops Trustmark; presentation of collected reviews, if any, and the offering of Trusted Shops services for buyers after they place an order

Trusted Shops does not use the usage data described herein to generate any usage profiles.

Placing an order with a shop using the Trustbadge / The order completion process flow

If a visitor places an order with a shop using the Trustbadge, data will be transferred depending on whether the buyer has already actively used Trusted Shops products and has agreed to the collecting of their data, or whether the buyer decides to use the Trusted Shops products directly after placing the order, on the order confirmation page.

In any case, as a rule, only the minimum scope of data required for using the Trusted Shops products is collected. The process flow here is as follows:

Recognition of registered Trusted Shops members

First, it is checked whether the customer has already registered for Trusted Shops products (Trusted Shops buyer membership, money-back guarantee (Buyer Protection) and automatic review reminders).

Here, the Trustbadge initially makes sure that the email address of the shopper is available in the source code of the order confirmation page in a DIV container and that it is correct in terms of the syntax. It will always be correct if the Trustbadge is integrated on the website correctly.

If an email address is available, then, before it is transmitted, it is hashed in the browser of the visitor using a cryptographic one-way hash function, with the hash value being impossible for Trusted Shops to decrypt. Non-hashed email addresses are not transmitted. After a check for a match, the parameter is automatically deleted. The transmitted hash value can be assigned to a registered e-mail address only if the customer previously used that e-mail address to register for Trusted Shops products. The hash value is anonymous for users not registered for the services.

Recognition of already registered Trusted Shops users

Processed personal data: One-way hash of the email address (MD5 function)
Recipient: Trusted Shops; infrastructure provider. Encrypted transfer (SSL)
Purpose: Fulfilment of Trusted Shops user agreements
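
The recognition step described above (syntax check, hashing on the shop page, match against registered members), modelled as an added example that is not Trusted Shops code. It runs under Node.js, where `node:crypto` stands in for the hashing done in the browser. The syntax rule, the trim and lower-case normalisation, the `emailHash` field name and the member index are assumptions for illustration; the sample addresses are constructed.

```javascript
// Added example (not Trusted Shops code): member recognition with constructed data.
const nodeCrypto = require('node:crypto');

// Assumption: a simple syntax rule; the page does not document the real one.
const EMAIL_SYNTAX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Shop page side: validate the address found in the DIV container, then hash it.
// Returns a 32-character hex MD5 digest, or null if nothing may be sent.
function hashEmailForLookup(rawEmail) {
  if (typeof rawEmail !== 'string') return null;
  // Assumption: trim and lower-case so one mailbox always gives one digest.
  const normalized = rawEmail.trim().toLowerCase();
  if (!EMAIL_SYNTAX.test(normalized)) return null;
  return nodeCrypto.createHash('md5').update(normalized, 'utf8').digest('hex');
}

// The request body carries the digest only, never the plain address.
function buildLookupRequest(rawEmail) {
  const emailHash = hashEmailForLookup(rawEmail);
  return emailHash === null ? null : { emailHash };
}

// Service side: an index of digests of registered addresses (hypothetical).
function createMemberIndex(registeredEmails) {
  const digests = new Set(
    registeredEmails.map(hashEmailForLookup).filter((d) => d !== null)
  );
  return {
    // Answers match / no match; the request itself is not kept afterwards.
    isRegistered(request) {
      if (request === null || typeof request !== 'object') return false;
      if (!/^[0-9a-f]{32}$/.test(String(request.emailHash))) return false;
      return digests.has(request.emailHash);
    },
  };
}

// Constructed sample data.
const members = createMemberIndex(['anna@example.com']);
const known = buildLookupRequest('  Anna@Example.com ');
const unknown = buildLookupRequest('bob@example.org');
const malformed = buildLookupRequest('not-an-address');

console.log('known    ', known, members.isRegistered(known));
console.log('unknown  ', unknown, members.isRegistered(unknown));
console.log('malformed', malformed, members.isRegistered(malformed));
```

The match works because the digest is unsalted and deterministic: the same address always produces the same value, so it can be compared with the digest of an address a member registered earlier.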

Performance of Trusted Shops services

The second step is based on the result of activities performed as part of the first step. The further course of the procedure depends on the products which Trusted Shops offers in the shopper’s country and which the shop has activated.

Already registered shoppers

If the shop is certified and the shopper has already registered for Trusted Shops buyer membership, the following data are collected through a second DIV query from the source code of the order confirmation page and transferred to Trusted Shops:

  • the order date
  • the order number
  • existing customer number, if any
  • the total amount of the order
  • the currency
  • the expected delivery date, if applicable
  • the payment type
  • the e-mail address

If the shop's website has enabled product reviews, also the following data will be transferred:

  • the URL of the product and of the product image
  • the product name
  • the product SKU
  • the product GTIN
  • the product MPN
  • manufacturer details

The customer will see a displayed Trustcard for registered buyers showing that their order can be secured up to a purchase value of EUR 100,- (Membership Basic) or up to a purchase value of EUR 20,000,- (Membership Plus).

If the customer is registered as a Basic member and the amount of their order exceeds EUR 100,-, the customer will see a confirmation of their free Buyer Protection, and will be offered the option of full protection for the total amount of the order.

Image from 15.04.2019

If the customer is only registered for automatic review requests or if the online shop is not certified and, thus, does not offer Buyer Protection, the procedure is as described above, except that only the order number, the order date and the email address must be provided and are collected; in the case of product reviews, the URL of the product and of the product image, the product name, the product SKU, GTIN and MPN as well as the manufacturer must also be provided and are collected.

The obtained data are stored internally only for the purpose of handling the concluded contracts and until the contract is fulfilled by both Parties. After that, the data will be blocked from further use and finally erased once all retention periods arising from commercial and tax law expire.

If the customer decides not to use the Trusted Shops products for buyers and leaves the website, no data will be transmitted to, stored by or processed by Trusted Shops.

Use of Trusted Shops services

Processed personal data for review reminders: Order date, order number, email address
Additional data for Buyer Protection: (opt.) customer number, order amount, currency, (opt.) expected delivery date, payment type
Additional data for product reviews: Product URL, (opt.) product image URL, product name, (opt.) product SKU, GTIN and MPN, (opt.) manufacturer
Recipient: Trusted Shops; infrastructure provider. Encrypted transfer (SSL)
Purpose: Fulfilment of Trusted Shops user agreements

Non-registered shoppers

If the customer has not registered for the Trusted Shops products, the Trusted Shops Checkout Card will be displayed showing the content designed for new shoppers. Depending on what products are used by the online retailer, this content will include the offer to register for Trusted Shops buyer membership and a review reminder. Such a Trustcard can look, for example, as follows:

Image from 15.04.2019

If a shopper who is new to Trusted Shops then clicks on the button in the Trustcard to use a Trusted Shops product for the first time (Trusted Shops buyer membership or, if the shop is not certified, review reminder), the following alternatives will be offered depending on which Trusted Shops products are used by a given online shop:

  1. The customer can enable review reminders.
  2. The customer can register for Trusted Shops buyer membership (Basic or Plus) (Automatic review reminders and Trusted Shops Buyer Protection (for Basic members), or Buyer Protection (for Plus members) after every purchase from certified Trusted Shops members in Germany).

If the customer decides to register for Trusted Shops buyer membership and clicks on the relevant button in the Trustcard, then they agree to the processing of the necessary data by concluding their own contract with Trusted Shops. The registration takes place immediately (visible as a revolving Trusted Shops logo in the tab). In this process, data such as the order date for the current order, the order number, existing customer number, if any, the amount of the order, the currency, the expected delivery date, if applicable, the payment type and the e-mail address or, if product reviews are integrated into the shop's website, also the URL of the product and of the product image, the product name, the product SKU, GTIN and MPN, as well as manufacturer details, are collected through a second DIV query from the source code of the order confirmation page and transferred to Trusted Shops. Next, a new tab will automatically open up, confirming the registration for buyer membership and the insurance of the current order:

Image from 15.04.2019

Depending on the amount of the order, the customer will also be offered the option to register for membership Plus. If the customer decides to register and clicks on the appropriate button, they will be referred to a Trusted Shops form where they must enter further data by themselves.

Image from 15.04.2019

If the necessary data are not provided by the online shop or the shop system, the customer can click on the button in the Trustcard and will be referred to a registration form on the Trusted Shops website in a new tab.

Registration form for Trusted Shops buyer membership (membership form)

This registration form contains empty text fields to be filled out by the customer. If certain data have already been provided, the relevant form fields will already be pre-filled.

The entered data will be transmitted to Trusted Shops only if the customer ultimately registers for the Trusted Shops buyer membership Plus, i.e. when the customer clicks again on the corresponding button in the form.

If the customer does not register for the product and leaves the website, the data contained in the filled-out form fields will not be stored by Trusted Shops.

Buyer Protection form

If the registration for Trusted Shops Services is not enabled in a given country, or the necessary data are not provided by the online shop, a form for creating a contract for Trusted Shops Services will open up, with individual fields being already pre-filled, if the online shop provides only certain data.

Nevertheless, at this point, no personal data relevant to data protection law have been transferred to Trusted Shops yet.

On the order confirmation page, the data provided when filling out the Buyer Protection form are already contained in the source code. When the shopper clicks the button on this page or in the tab, a link will be generated from the website’s source code with the appropriate parameters (e.g. the amount of the order, email address etc.); the link will call up the pre-filled registration form.

Although the form is on a Trusted Shops page, pre-filling is triggered by the generated link and serves solely the purpose of improved user experience.

The data contained in the link are transferred to or stored by Trusted Shops only if the customer ultimately registers for the respective Trusted Shops product, i.e. when the customer once again clicks on the appropriate button in the form. By clicking on the button, however, the customer concludes a new legal transaction with Trusted Shops subject to the appropriate terms of use and consents to the processing of the data required for this purpose.

If the customer does not register for any Trusted Shops product and leaves the website, the data contained in the pre-filled form fields will not be stored by Trusted Shops.

Summary

Only if the customer ultimately decides to register for a Trusted Shops product will their personal data be collected and processed. But this is what the customer agrees to.

If the customer does not conclude a contract with Trusted Shops and leaves the website, no data, e.g. those contained in the pre-filled fields, will be stored by Trusted Shops.

Glossary

Online retailer / Member: An entity which operates an online shop and is a Trusted Shops client / member (an enterprise)
Shop visitor / Visitor: A person who visits the website of an online shop but is not its customer yet, i.e. browses the website and has not placed any order (individuals, may act as a consumer or entrepreneur)
Shopper / Customer / Buyer: A person who places an order with the online shop and registers as a member for this purpose or places the order as a guest (individuals, may act as a consumer or entrepreneur)
Buyer registered as member: A person who has registered for Trusted Shops buyer membership (Basic or Plus)
