Judge.me & GDPR

Judge.me is a data processor. We process personal data of your buyers and reviewers on behalf of you, the merchant, as the data controller.

As a data controller, you are obliged to fulfill the Data Subject Rights (DSR) of Data Subjects who are EU residents. Data Subject Rights specify how Data Subjects can get control over the Personal Data that you control and process.

As a data processor, we will help you with your DSR Requests. We have built self-service tools and processes that allow you to:

  • Send all data to your reviewer that you have collected and processed (right of access)
  • Edit individual review content with the consent of the reviewer (right to rectification)
  • Delete all data of a reviewer that you have collected and processed (right to be forgotten)
  • Provide all personal data in a structured and machine-readable format (right to data portability)

We refer to users of your store as reviewers because most of Judge.me's functionality deals with reviews. In a few cases, we will also process data you have provided to us that is not from (potential) reviewers.

Personal Data is connected to the email address of the respective data subject.

Data Processing Addendum (DPA)

As a data processor, we provide you with a Data Processing Addendum (DPA) that serves as a record of Judge.me's processing activities. You can download an example DPA here. Similarly, Judge.me has signed DPAs with those companies that further process Personal Data (sub-processors) provided by the data controller.


We have to inform you when we change our sub-processors and allow you sufficient time to object.

We work with the following third parties as sub-processors:

  • Postmark: All transactional email sending, e.g. reviewer emails
  • Mailerlite: General e-mail communication with our merchants
  • Imgix: Hosting review pictures
  • MaxMind: Understanding location data based on IP addresses
  • Papertrail: IP addresses in server logs
  • Amazon Web Services (AWS), Heroku: Server infrastructure
  • Tarsnap: Backup
  • Tawk.to: Customer Support Chat
  • Hotjar: Understand web and mobile site visitors' behavior

Furthermore, you may choose to integrate with other Shopify apps that you are already using. In this case, personal data of your reviewers will be processed by those apps.

Additionally, we may provide you with a Product Reviews XML Feed for your Google Merchant Center. You can submit this XML file inside your Google Merchant Center. In this case, personal data of your reviewers (e.g. name) may be processed by Google Shopping.

Security and Location of our servers

We run on Heroku and on Amazon Web Services (AWS) technology itself. Please note that under GDPR, it is not required to have physical servers within the EU.

Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Privacy by Design

Judge.me only collects the data that is essential for running our review collection service and supporting you in providing the best possible experience to your reviewers.