External Privacy Notice

INTRODUCTION

This Privacy Notice (“Notice”) allows you to know how VTEX, including our affiliated companies as listed at the end of this Notice, acting as the controller of your Personal Data (“VTEX”, “We”) processes your Personal Data, how you can exercise your rights regarding the same and describes our practices regarding the Personal Data collected on VTEX website and platform, applications or software and HTML-formatted e-mail messages (collectively, referred to as “Services”).

The term “you” or “your” as used throughout this Notice refers to you, as the data subject, the Personal Data concerning you being obtained either directly from you by VTEX (e.g., when you access and use our Platform as an administrator) or indirectly through VTEX business customers (“Customers”) by means of the offer and provision of VTEX Services. VTEX acts as a data controller regarding the processing of its business customers data but as data processor of the Customers data processed by VTEX for the provision of the Services.

This Notice applies to the conditions of processing of Personal Data on the website and platform (together, “Platform”) and through all products and services offered by VTEX, mainly when VTEX acts as a controller.

We at VTEX know that you care about how your Personal Data is processed and shared and, therefore, we take your privacy seriously. Please read the following to get to know more about how your Personal Data is handled by VTEX.

Please be reminded that the use of the VTEX Services is always subject to VTEX Agreements. Any terms we use in this Notice without defining them herein have their definitions assigned in the Terms and Conditions.

Services may provide links or the ability to connect to websites (“platforms”), services, social networks, or apps that do not belong to and are not under the control of VTEX. Clicking on such links or activating such connections will allow third parties to collect or share information about you. These third-party platforms or services are not under VTEX control. Thus, VTEX strongly advises you to check the privacy notices and the terms of use of such third parties before providing your information to them.

We do not collect nor intentionally request Personal Data concerning people under 18, in accordance with the Service ordered. If you are under 18, please do not try to register in our Services and do not send us any Personal Data about you. If we are notified about the fact that Personal Data of a person under 18 has been provided to VTEX, we will delete such information as soon as possible. If you believe that a person under 18 may have accessed or used VTEX Services somehow, please contact us by the link https://vtex.com/us-en/privacy-and-agreements/data-subject-request/.

VTEX WILL KEEP THIS PRIVACY NOTICE ALWAYS UPDATED, MAY CHANGE IT AT ANY TIME, IN COMPLIANCE WITH APPLICABLE LAWS

We are constantly seeking to improve our Services, so it may also be necessary to alter this Privacy Notice from time to time. Whenever this occurs, we will alert you about the changes by placing a notice on the app, sending you an email and/or by some other means, allowing the greatest possible transparency. Please note that, if you have chosen to not receive our legal notice emails (or have not provided us with your email address), these legal notices will still govern the use of Services and you will still be responsible for reading and understanding them.

1. PERSONAL DATA AND OTHER ADDITIONAL DATA WE COLLECT ABOUT YOU AND HOW

A. VTEX as data controller

VTEX may collect Personal Data through your interaction and use of the platform and the Services, including when you sign up for the Services, contact us or request information about our Services. Personal Data is information that identifies an individual or makes an individual identifiable. VTEX and our third-party service providers will collect Personal Data and additional data directly from you and indirectly, from a variety of sources, such as:

(a) Information you provide to us: We may receive information directly from you, when necessary, for the registration and use of our Services. Such information may include, for example:

● Identification and registration data, such as but not limited to your full name, user name, address, zip code, information about the Customer you represent, and other information necessary to provide our Services;
● Information about your company or that you may represent; and
● Financial information, such as bank account and payment instructions.

(b) Information about your use of the Services: Through the use of our Services, VTEX collects information about how and when you visited our platform or used the Services, stores it in log files or other types of files associated with your account and links it to other information that we collect about you. This kind of information helps us improve our Services. We may collect the following information: Navigation data, Internet Protocol Address (“IP address”) and information derived from your IP address, time, date, browser used and actions you performed within the application or platform.

(c) Cookies and tracking: We and our business partners use cookies or similar technologies, including web beacons, on our platform to analyze trends, manage the platform, track user’s movement through the platform and collect demographic information about our user’s database, to provide you with personalized content and advertising. This processing may result in the collection of information about:

● Behavioral data and/or demographic attributes, when linked to personal identifiers.

For more information regarding our use of cookies and similar technologies, please read our Cookie Notice.

B. VTEX as data processor

In the context of operating, providing and maintaining its Services to Customers, VTEX acts as a data processor. In that respect, VTEX collects and processes information related to data subjects whose processing is carried out on behalf of the Customers, including as the case may be Personal Data, only in accordance with the Customers instructions and as necessary to provide the Services requested by the Customers.

Such Personal Data will be processed in accordance with the applicable Customer’s privacy notice and the conditions of the Data Processing signed by VTEX with the Customer.

2. STORAGE OF PERSONAL DATA

We will retain the Personal Data we collect from you or process on behalf of our Customers for as long as you are registered with VTEX and as necessary to provide our Services or comply with our legal obligations, resolve disputes, prevent abuse, exercise our rights, and enforce our contracts.

The Personal Data we process as Data Controller is kept as long as your account, as a Customer, is active and as long as necessary to provide you with our Services. Once your account is closed, the data may be kept for the applicable statute of limitation depending on the applicable law, notably to comply with our legal obligations, resolve disputes and defend our rights. In such a case the data will be kept in an archive and be accessible only for such purpose in a restricted manner.

The Personal Data we process on behalf of the Customers will be subject to said Customers applicable retention policy.

3. USE AND DISCLOSURE OF PERSONAL DATA

VTEX uses and shares the Personal Data of employees, third parties and the customers of the Customers. The processing of Customers’ Personal Data (unless otherwise prohibited by applicable law) is carried out in order to fulfil the following purposes:

(a) Operation and provision of our Services: VTEX may process Personal Data in the context of operating and providing its Services, including activities such as registration and billing, communicating with our Customers about their account and providing support about requests and complaints, and also sending system alert messages about temporary or permanent changes in our Services (e.g., scheduled shutdowns, new features, updates, releases and, as previously mentioned, changes in our Privacy Notice).

VTEX also processes Customers Personal Data (including those of Customers data subject’s personal data processed as processor) in order to develop tools and algorithms that help us prevent and report breaches and frauds.

VTEX may rely on the following legal bases under the GDPR in respect of the different purposes of the processing it carries out:

● Performance of the contract with our Customer or a contract to which you are a party; and
● VTEX legitimate interests to operate and provide our Services, including to evaluate and improve our products, services, marketing, experiences, and customer relationships as well as ensure the safety and security thereof.

(b) Compliance with applicable laws, responses to enforcement authorities, defense of VTEX rights and VTEX development: As a company, VTEX is subject to compliance with applicable law and may have to process your Personal Data to ensure such compliance.

VTEX may also have to process your Personal Data (i) to respond to legal demands, court orders, law enforcement requests, or (ii) in the context of due diligences, mergers and/or acquisitions (iii) or to enforce our Agreements and applicable law.

VTEX may rely on the following legal bases under the GDPR in respect of this purpose:

● The processing is necessary for VTEX to comply with applicable legislation;
● The processing is necessary for the performance of the contract with our Customer or a contract to which you are a party; and
● The processing is necessary because VTEX has a legitimate interest to defend its rights and respond to enforcement authorities’ requests.

(c) Marketing and promotional content: We may process Personal Data in order to send you promotional content, for example, in the case you visit our platform but do not sign up for any of the Services and just choose (“opt in”) to receive promotional content. In that case, VTEX will process your Personal Data to send you our promotional emails.

If you sign up to any of our Services or if you already use our Services, unless you choose to opt out, we will send you our promotional content, and if we think you may benefit from another Service we offer, we may email you about this.

You have the right to object to receiving our promotional emails at any time (“opt-out”) by following the unsubscribe instructions included in all emails we send.

Subject to your consent, VTEX may use your Personal Data to connect with you in third-party social networks. VTEX’s interactions with you on any third-party social network will be subject to the privacy notices and terms of use of that respective network and be subject to your consent to interact with such social network through the Cookie Notice.

To promote our Services, we may, at some point, upload Customer’s testimonials about our Services. Before that and if necessary, we will obtain your consent to use your name and testimony, if required as a legal basis for the processing.

If you have any testimony made available by VTEX and want to delete it, please contact us by the link https://vtex.com/us-en/privacy-and-agreements/data-subject-request.

VTEX may rely on the following legal bases under the GDPR in respect of this purpose:

● VTEX may rely on its legitimate interests to market and promote its Services and content relating thereto; and
● Your consent, when applicable legislation mandates such consent (notably when using cookies or sending marketing e-mails as required by applicable law). In such a case, you may withdraw your consent at any time without affecting the lawfulness of any processing based on your consent prior to its withdrawal.

4. THIRD PARTIES

We will disclose Personal Data to the following categories of third parties (together, “Third Parties”) for the purposes described in this Privacy Notice:

(a) IT Service Providers: Our Platform is hosted by a third-party service provider. VTEX has a service agreement in place and a data processing agreement signed with such a service provider. VTEX ensured that there will be no access to the Personal Data processed on the Platform by the Service Provider, unless strictly necessary for its functioning as presented by the Data Processing Agreement.

(b) Service Providers: We use third-party Service Providers to provide and support features of our Services. For example, if it is necessary to provide something you have requested (like activating a feature), we share your Personal Data with a Service Provider for this purpose. In this sense, you can request the name of our Service Providers at any time. As with the other third parties we work with, we have entered into a contract with these third-party Service Providers requiring them to use your Personal Data in a manner consistent with this Privacy Notice. Unless we tell you otherwise, our Service Providers are not entitled to use the Personal Data we share with them in a manner contrary to our instructions or beyond what is necessary to assist us.

(c) Advertising partners: We will partner with third parties to display advertising on our platforms or manage our advertising on other platforms and we will share Personal Data with them for this purpose. All third parties with whom we share such information sign a contract with us requiring them to use your information in a manner consistent with this Privacy Notice. We or our third-party partners will use technologies, such as cookies for example, to collect information on your activities in our platforms and other ones, to offer you advertising based on your browsing activities and interests. You may choose not to share your Personal Data with our Advertising partners by adjusting your cookies settings, as explained in more details in our Cookie Notice. For more information regarding our use of cookies, please read our Cookie Notice.

In case you have privacy concerns about accessing or correcting your Personal Data, please contact us by the link https://vtex.com/us-en/privacy-and-agreements/data-subject-request

5. PUBLIC DATA AND THIRD-PARTY PLATFORMS

(a) Blog: We may, at some point, have public blogs on our platforms. Any information you include in a comment in our blog is public and may be read, collected, and used by anyone. If your Personal Data appears on our blogs and you want to remove them, please contact us.

(b) Social media platforms and widgets: Our platforms may include social media features, such as Facebook’s “Like” button. These features will collect data about you (e.g., your IP address and which page you are visiting on our platform), being able to set a cookie to ensure that the feature works correctly. Social media features and widgets are either hosted by a third party or directly on our platform. We will also keep a presence in social media platforms, including without limitation Facebook, Twitter, and Instagram. Any submission of information, communications, or materials you make through a social media platform is at your own risk. We cannot control the actions of other users of these platforms, nor the actions of the platforms themselves. Your interactions with these features and platforms are governed by the privacy notices of the companies providing them and we encourage you to read them.

(c) Links to third-party platforms: Our platforms include links to other platforms, whose privacy practices may differ from VTEX. If you submit Personal Data to any of these platforms, your data will be governed by the privacy notices of those platforms. We encourage you to carefully read the privacy notice of any platform you visit.

6. ACCURACY OF INFORMATION

We do our best to keep your Personal Data accurate and up to date. If your Personal Data changes (for example, in case you have a new email address), please notify us of these changes as soon as possible.

7. SAFETY

Security of your Personal Data is extremely important for VTEX. We use physical, electronic, and administrative safeguards that are designed to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction.

In addition, VTEX uses standard security protocols and mechanisms for the transmission of confidential data, such as credit card data. When you enter confidential Personal Data, such as your credit card number on our platform, we encrypt it using Transport Layer Security (TLS) technology.

VTEX accounts require a username and password to login. You must keep your username and password safe and never reveal them to any third parties. Account passwords are irreversibly encrypted, which means that we cannot see or access them. We also cannot resend forgotten passwords, i.e., we can only reset them.

VTEX also offers other user authentication means which dismiss the need for a static password. This feature issues a temporary token and sends it to the user’s email to be used as a password. We recommend using this authentication option as preferred. However, another means of user authentication provided by VTEX is integration with external identity providers (Login via Google, Facebook, Apple ID, custom Identity Providers, etc.).

8. NOTICE OF DATA SECURITY INCIDENT

If a security breach or incident causes an unauthorized intrusion into our system that affects your Personal Data or that of other users of the Services, VTEX will comply with its legal obligations to notify such breach to the competent supervisory authority and as required by applicable data protection and privacy laws, to notify you as soon as possible and subsequently inform you of the measures we have taken in response.

9. DATA SUBJECT RIGHTS

Data Subjects have the following rights regarding their Personal Data, in accordance with and subject to the limitations under applicable privacy and data protection laws.

  1. Access: You have the right to know if we carry out any Processing with your Personal data and what Personal data we Process and access such data;
  2. Rectification: You have the right to ask that we correct incomplete, inaccurate or outdated Personal data;
  3. Erasure: You have the right to ask that we delete your Personal data that is unnecessary in relation to the purposes for which it has been collected, that has been unlawfully Processed or that VTEX must delete to comply with the legal obligations to which we are subject;
  4. Portability: Where the Processing of your Personal data is based on your consent or on a contract to which we are a party with you, and such Processing has been carried out using automated means, you have the right to receive the Personal data concerning you that you have provided to VTEX, in a structured, commonly used and machine-readable format and have the right to transmit or request that we transmit such Personal data to another company;
  5. Limitation: You have the right to obtain from VTEX the restriction of the Processing of your Personal data where one of the following applies:

a. You contest the accuracy of your Personal data, for a period enabling VTEX to verify the accuracy of the Personal data;

b. The Processing of your Personal data is unlawful, you oppose the erasure of the Personal data and you request the restriction of their use by VTEX instead;

c. VTEX no longer needs your Personal data for the purposes of the Processing in accordance with this Notice, but you require them for the establishment, exercise or defence of legal claims; or

d. You have objected to Processing, pending the verification whether the legitimate grounds of VTEX override yours.

  6. Objection: You have the right to object, on grounds relating to your particular situation and at any time, to the Processing of your Personal data which is based on the legitimate interests pursued by VTEX or by a third party, including profiling. VTEX shall no longer Process the Personal data unless we demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
  7. Consent withdrawal: When the Processing activity requires your consent, you can withdraw it at any time, without affecting the lawfulness of the Processing prior to such withdrawal.

To exercise your rights, you can contact our Data Protection Officer (“DPO”) through the direct channel https://vtex.com/us-en/privacy-and-agreements/data-subject-request.

We will endeavour to address any concern or request you may send regarding your data subject rights within 30 days of any request. In certain circumstances, responding to your request may take a longer period of time and we will notify you in that respect.

There is usually no charge for a data subject to exercise their rights in respect of their Personal Data.

Please note that most of the time, VTEX acts as Data Processor, performing the processing of Personal Data on behalf of the Controller (e.g., the Customer) and in strict compliance with its instructions. In such cases, you must exercise your rights directly with the Data Controller.

10. TRANSFERS OF PERSONAL DATA

Your personal data may be transferred outside your country of residence, including outside the European Union (EU) or the European Economic Area (EEA), to countries that do not provide a similar level of data protection as the EEA, for instance Brazil and the USA.

We implement appropriate data transfer mechanisms as required by applicable personal data regulations, including the European Commission’s standard contractual clauses and additional safeguards as necessary to ensure the lawfulness of such transfers. These mechanisms and safeguards can be made available by contacting VTEX using the contact details available below.

11. SPECIAL RULES FOR CHILDREN

Due to the laws regarding the privacy and protection of Personal Data, in many countries we do not have permission to intentionally collect any Personal Data of children (as such term is defined by applicable laws) without the consent of their parents or legal guardians, where such consent is required by applicable laws.

The statements in this Privacy Notice about our collection and use of Personal Data also apply to the processing of Personal Data of children, whenever the processing of data on people in this age group is identified.

Some elements of our Services, such as signing up for our Services, demand the presentation of a card number for payment, along with Personal Data related to the purchase; other elements of our Services demand the presentation of Personal Data to access or use the Services. Except in some cases where limited contact information may be collected and not retained, such elements of our Services are not available to children.

In case the processing of Personal Data of a child occurs, to which we have not received the parents or legal guardian’s consent, when trying to use one of our Services that is not available to children, they will not be able to access it and will receive a message, stating that they are not eligible for such feature.

12. PRIVACY IN CALIFORNIA

In accordance with California Law, California residents have the right to request in writing from companies with whom they have an established business relationship:

(a) a list of Personal Data categories, such as name, email and mailing address and the type of service provided to the customer, that a company has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for third-party direct marketing purposes; and

(b) names and addresses of all these third parties.

To request the aforesaid information, please contact us through our contact form or at the addresses above.

13. PRIVACY IN BRAZIL

For Data Subjects, whose Data processing is subject to Brazilian Law, VTEX has prepared an Addendum to the Privacy Notice.

Click here to consult the Addendum.

14. CLAIMS – COMPLAINTS

In case you have any complaints regarding our Personal Data practices or this Privacy Notice, please contact VTEX first. We will investigate and try to resolve the complaints and disputes related to the use and disclosure of your Personal Data in accordance with this Notice.

If you are in the European Union, you have the right to lodge a complaint with a supervisory authority, including that of your country of residence, place of work or place of alleged infringement of applicable data protection laws. The list of European supervisory authorities is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

15. HOW YOU CAN CONTACT US

If you have any questions or complaints about how we process your Personal Data or this Notice, please contact our DPO by the channel https://vtex.com/us-en/privacy-and-agreements/data-subject-request and we will do our best to assist.

| CODE NAME | CORPORATE NAME | COUNTRY | ADDRESS |
|---|---|---|---|
| VTEX ARG | VTEX Informática S.A. | Argentina | Av. Chiclana 3578 – Piso 4 . Distrito Tecnológico – C.A.B.A.- Zipcode: 1002 |
| VTEX BRA | VTEX Brasil Tecnologia para E-commerce LTDA | Brazil | BRIGADEIRO FARIA LIMA AVENUE, 4440, 10th floor, Itaim Bibi, Sao Paulo – Brazil Postal code: 04.538-132 |
| VTEX DAY | VTEX Publicidade e Eventos Eireli | Brazil | BRIGADEIRO FARIA LIMA AVENUE, 4440, 10th floor, Itaim Bibi, Sao Paulo – Brazil Postal code: 04.538-132 |
| CIASHOP | Ciashop Soluções para Comércio Eletrônico S.A | Brazil | PREFEITO ANGELO FERRARIO LOPES street, 1528, Hugo Lange, Curitiba – Brazil Postal Code: 80.040-252 |
| VT COMÉRCIO | VT Comércio Digital S.A. | Brazil | Rua Desembargador Euclides Silveira, 232, Casa Verde, São Paulo – SP – CEP 02511-010 Brasil |
| DLIEVE | Dlieve Tecnologia S.A. | Brazil | BRIGADEIRO FARIA LIMA AVENUE, 4440, 10th floor, Itaim Bibi, Sao Paulo – Brazil Postal code: 04.538-132 |
| LOJA INTEGRADA | Loja Integrada Tecnologia para Software LTDA | Brazil | BRIGADEIRO FARIA LIMA AVENUE, 4440, 10th floor, Itaim Bibi, Sao Paulo – Brazil Postal code: 04.538-132 |
| VTEX CHI | VTEX SpA | Chile | Avenida Apoquindo 5950, Piso 3, oficina 124, comuna de Las Condes, ciudad de Santiago, Chile |
| VTEX COL | VTEX Colombia Tecnologia para Ecommerce S.A.S. | Colombia | Calle 93 # 18-28 – Oficina 603 – Bogotá, Colombia |
| VTEX ESP | VTEX Ecommerce Platform Limited | Spain | Calle Juan de Mena 10 Planta 1, Puerta IZ, 28014 Madrid, España |
| VTEX USA | VTEX Commerce Cloud Solutions LLC | United States of America | 501 E Las Olas Blvd, 3rd floor – Fort Lauderdale, FL 33301 |
| UNITEU | UniteU Technologies, Inc. | United States of America | 12 Pine Cone Drive, Pittsford, New York 14534 |
| WEBLINC | Weblinc Corporation | United States of America | 22 South 3rd Street, 2nd Floor, Philadelphia, PA 19106 – United States |
| VTEX CAY | VTEX | Cayman Islands | 4th Floor, Harbour Place, 103 South Church Street, PO Box 10240, Grand Cayman, KY1-1002, Cayman Islands |
| VTEX UK | VTEX Ecommerce Platform Limited | England | WeWork Aviation House, 125 Kingsway, London, England – WC2B 6NH |
| EICOM | EICOM Limited | England | WeWork Aviation House, 125 Kingsway, London, England – WC2B 6NH |
| VTEX ITA | VTEX Ecommerce Platform Limited – Sede Secondaria | Italy | WeWork Aviation House, 125 Kingsway, London, England – WC2B 6NH // Via Copernico 38 Milano (MI) CAP 20125 |
| VTEX MEX | VTEX México Soluciones en Ecommerce S. de R.L. de C.V. | Mexico | Miguel de Cervantes Saavedra #169 Int 11-103 y 105, Col. Granada, C.P. 11520, Delegación Miguel Hidalgo, Ciudad de México, México |
| Escuela de Internet | EI Education S.A.P.I de C.V. | Mexico | Blvd. Manuel Ávila Camacho #118 Lomas de Chapultepec, CDMX, CP. 11000 |
| VTEX POR | VTEX Ecommerce Platform Limited – Sucursal em Portugal | Portugal | Avenida Marechal Gomes da Costa, 19, 1o. andar, 1800-255, Lisboa, Portugal |
| VTEX ROM | VTEX Ecommerce Platform Limited London Sucursala Bucuresti | Romania | 6 Iuliu Maniu Boulevard, 011886, Campus 6 Building, floor 2, Bucharest – Romania |

It is possible that other more specific Privacy Notices apply to a particular platform, application or service. In such cases, the provisions of that specific Privacy Notice will override that of this Notice, in the event of a conflict or discrepancy.