Last updated: 24th October 2025
1. Purpose
This policy explains how Click Lab Digital Ltd (T/A Commergic) (“we”, “us”, “our”) complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when handling personal data relating to customers, website visitors and users of our AI chatbot service for WooCommerce.
We are committed to protecting the rights and freedoms of individuals and to collecting and processing data fairly, lawfully, transparently, and securely.
2. Who We Are
Data Controller: Click Lab Digital Ltd (T/A Commergic)
Registered in England & Wales – Company No. [insert]
Registered Address: [insert address]
Data Protection Contact: info@commergic.com
Depending on the situation, we may act as:
- Data Controller for data we collect directly (e.g. accounts, billing, marketing, analytics); and
- Data Processor for data our customers process through the Commergic chatbot (e.g. end-user messages).
3. Data Protection Principles
We adhere to the seven UK GDPR principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
4. Lawful Bases for Processing
We only process personal data when at least one lawful basis applies:
- Contract – to deliver the Service you requested.
- Legitimate interests – to improve our products and maintain security.
- Consent – for marketing or non-essential cookies.
- Legal obligation – to meet tax and regulatory requirements.
5. Personal Data We Process
We process the types of data set out in our Privacy Policy, including:
- Contact and account information
- Payment and billing details (handled via third-party processor Stripe)
- Support and communication records
- Usage and analytics data
- Chatbot conversation logs submitted by end-users of our customers
6. Our Roles and Responsibilities
As Controller
When we collect data directly, we determine the purposes and means of processing and are responsible for demonstrating compliance.
As Processor
When acting on behalf of customers, we:
- process data only on documented instructions from the customer;
- ensure confidentiality of authorised personnel;
- implement appropriate security measures;
- assist customers in responding to data-subject requests;
- support data breach notification and impact assessments;
- delete or return data after the contract ends; and
- maintain records of processing activities.
7. Data Retention
- Customer account data – kept for subscription duration + 12 months.
- Chat logs – retained for up to 90 days (unless deleted earlier by customer).
- Billing and financial records – kept for 6 years for HMRC compliance.
- Data is securely deleted or anonymised after these periods.
8. Data Security
We apply industry-standard technical and organisational measures, including:
- Encryption in transit and at rest
- Access controls and authentication
- Regular patching and vulnerability scanning
- Network firewalls and intrusion monitoring
- Data backup and disaster recovery
- Staff training and confidentiality agreements
9. Sub-Processors and Third Parties
We use carefully vetted sub-processors for hosting, infrastructure, AI inference, email delivery, analytics and support.
All sub-processors operate under written data-processing agreements and appropriate safeguards.
A current list is maintained on our Sub-Processors page.
10. International Data Transfers
Where data is transferred outside the UK or EEA, we use approved safeguards such as the EU Standard Contractual Clauses (SCCs) and the UK Addendum.
Copies of relevant clauses may be requested by contacting info@commergic.com.
11. Data Subject Rights
Individuals have the right to:
- access their personal data;
- request rectification or erasure;
- restrict processing or object to certain uses;
- receive data in a portable format;
- withdraw consent at any time.
Requests can be sent to info@commergic.com. We respond within one month and may verify identity before acting.
12. Data Breaches
We have procedures to detect, report and investigate data breaches.
If a breach is likely to pose a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours and affected customers without undue delay.
13. Training & Accountability
All employees receive training on data protection and security awareness.
We maintain records of processing activities and conduct regular reviews to ensure ongoing compliance.
14. Complaints and Contact
If you have concerns about our data handling practices, contact us first at info@commergic.com.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.