1. Overview
MerchantDesk Inc. is committed to compliance with the General Data Protection Regulation (GDPR), which applies to the processing of personal data of individuals in the European Economic Area (EEA). This page outlines our GDPR compliance measures and your rights as a data subject.
For the purposes of GDPR, MerchantDesk acts as both a Data Controller (for data we collect directly from you) and a Data Processor (for data you process through our platform on behalf of your customers).
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined in Article 6 of the GDPR:
Contractual Necessity (Art. 6(1)(b))
Processing required to fulfill our contract with you — account creation, service delivery, billing, and support.
Legitimate Interests (Art. 6(1)(f))
Processing for fraud prevention, security, platform improvement, and analytics, where your interests do not override ours.
Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable laws, including tax regulations and law enforcement requests.
Consent (Art. 6(1)(a))
Processing for marketing communications and non-essential cookies, which you may withdraw at any time.
3. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected or incomplete data completed.
Right to Erasure / Right to be Forgotten (Art. 17)
You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to processing of your personal data for direct marketing or where processing is based on legitimate interests.
Rights Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
4. Data Transfers Outside the EEA
MerchantDesk is headquartered in the United States. When we transfer personal data from the EEA to the United States or other third countries, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where the receiving country has been deemed to provide adequate protection.
- Binding Corporate Rules where applicable.
5. Data Protection Officer
MerchantDesk has appointed a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance. You can contact our DPO directly at:
Data Protection Officer
MerchantDesk Inc.
340 Pine Street, Suite 800
San Francisco, CA 94104, United States
[email protected]
6. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
7. Supervisory Authority
If you are located in the EEA and believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
8. Data Processing Agreement
If you use MerchantDesk to process personal data of your own customers (acting as a Data Controller), you may require a Data Processing Agreement (DPA) with us as your Data Processor. Please contact us at [email protected] to request a DPA.
Contact Us
If you have any questions about this policy, please contact our legal team at [email protected] or write to us at: MerchantDesk Inc., 340 Pine Street, Suite 800, San Francisco, CA 94104, United States.