Privacy policy.

Last updated — 10.28.2020

Welcome to the website (the "Site") of Commerce Layer, Inc. ("Commerce Layer," "we," "us," or "our"). Commerce Layer provides a headless ecommerce platform and order management system (collectively, including the Site, the "Service").

This privacy policy explains what Personal Information (defined below) we collect, how we use and share that information, and your choices concerning our information practices. This Privacy Policy is incorporated into and forms part of our Terms of Service.

Before using the Service or submitting any Personal Information to Commerce Layer, please review this Privacy Policy carefully and contact us if you have any questions. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not access the Site or otherwise use the Service.

1 — Personal information we collect

We collect information that alone or in combination with other information in our possession could be used to identify you ("Personal Information") as follows:

Personal information you provide

We collect the following categories of Personal Information from you when you provide it to us in connection with the Services:

  • Account Information — We collect your name, email address, personal details and contact information when you register an account to use the Services.
  • Communication Information — We may collect information when you contact us with questions or concerns and when you voluntarily respond to questionnaires, surveys or requests for market research seeking your opinion and feedback. Providing communication information is optional to you.

Internet activity information

When you visit, use, and interact with the Service, we may receive certain information about your visit, use, or interactions. For example, we may monitor the number of people that visit the Service, peak hours of visits, which page(s) are visited, the domains our visitors come from, which browsers people use to access the Service (e.g., Chrome, Firefox, Microsoft Internet Explorer, etc.), broad geographical information, and navigation patterns. In particular, the following information is created and automatically logged in our systems:

  • Log Information — Information that your browser automatically sends whenever you visit the Site. Log Information includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interacted with the Site.
  • Cookies Information — Please see our Cookie Policy to learn more about how we use cookies.
  • Device Information — Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.
  • Usage Information — We collect information about how you use our Service, such as the types of content that you view or engage with, the features you use, the actions you take, and the time, frequency, and duration of your activities.
  • Location Information — We may derive a rough estimate of your location from your IP address.

Personal information we process on behalf of our business customers

In order to provide the Service to our business customers, we may collect personal information on our business customers’ behalf. We process that information pursuant to our Terms of Service and other agreements with our business customers. We have no direct relationship with the individuals whose Personal Information we process on behalf of our business customers. If you are such an individual and would no longer like your information to be used by one of our business customers that use our Service or you would like to access, correct, or request deletion of your information, please contact the business customer that you interact with directly.


We use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses cookies to help us analyze how users use the Site and enhance your experience when you use the Site. For more information on how Google uses this information, click here.

Online tracking and do not track signals

We and our third party service providers may use cookies, pixels, or other tracking technologies to collect information about your browsing activities over time and across different websites following your use of the Site and use that information to send targeted advertisements. Our Site currently does not respond to "Do Not Track" ("DNT") signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so.

2 — How we use personal information

We may use Personal Information for the following purposes:

  • to provide our headless ecommerce platform and order management system;
  • to respond to your inquiries, comments, feedback, or questions;
  • to send administrative information to you, for example, information regarding the Service and changes to our terms, conditions, and policies;
  • to analyze how you interact with our Service;
  • to maintain and improve the Service;
  • to develop new products and services;
  • to prevent fraud, criminal activity, or misuses of our Service, and to ensure the security of our IT systems, architecture, and networks; and
  • to comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.

Aggregated information

We may aggregate Personal Information and use the aggregated information to analyze the effectiveness of our Service, to improve and add features to our Service, and for other similar purposes. In addition, from time to time, we may analyze the general behavior and characteristics of users of our Service and share aggregated information like general user statistics with prospective business partners. We may collect aggregated information through the Service, through cookies, and through other means described in this Privacy Policy.


We may use your Personal Information to contact you to tell you about products or services we believe may be of interest to you. For instance, if you elect to provide your email or telephone number, we may use that information to send you special offers. You may opt out of receiving emails by following the instructions contained in each promotional email we send you. In addition, if at any time you do not wish to receive future marketing communications, you may contact us. If you unsubscribe from our marketing lists, you will no longer receive marketing communications but we will continue to contact you regarding management of your account, other administrative matters, and to respond to your requests.

3 — Sharing and disclosure of personal information

Commerce Layer does not sell your Personal Information. In certain circumstances we may share the categories of Personal Information described above without further notice to you, unless required by the law, with the following categories of third parties:

Vendors and service providers

To assist us in meeting business operations needs and to perform certain services and functions, we may share Personal Information with vendors and service providers, including providers of hosting services, cloud services, and other information technology services providers, email communication software and email newsletter services, advertising and marketing services, payment processors, customer relationship management and customer support services, and analytics services. Pursuant to our instructions, these parties will access, process, or store Personal Information in the course of performing their duties to us. We take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your Personal Information. Some of the service providers that we currently use are:

  • Intercom, Inc. — To allow users to interact via live chat. Further information here.
  • Google and GitHub — To allow the users to log into the Services using external platforms' accounts. Further information here (Google) and here (GitHub).
  • Stripe — To manage payments through external platforms that collect payment data without allowing Commerce Layer or our business customers to access it. Further information here.
  • ConvertKit — To contact you using e-mails containing commercial and promotional information concerning our Services. Further information here.

Business transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider (collectively a "Transaction"), your Personal Information and other information may be shared in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.

Legal requirements

We may share Personal Information if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of users of the Service, or the public, or (v) protect against legal liability.


We may share Personal Information with our current and future affiliates, meaning an entity that controls, is controlled by, or is under common control with Commerce Layer. Our affiliates may use the Personal Information we share in a manner consistent with this Privacy Policy.

4 — Processing of personal information

The processing of Personal Information is performed with paper, IT and/or digital tools, with organizational methods and logic strictly related to the indicated purposes.

In certain cases, subjects other than Commerce Layer, whether involved in the organization of Commerce Layer (such as personnel management, sales personnel, system administrators, employees, etc.) or not (such as IT companies, service providers, postal couriers, hosting providers, etc.), may have access to Personal Information. These subjects will be appointed, where necessary, as Data Processors by Commerce Layer, will have access to Personal Information whenever required, and shall be contractually obliged to keep it confidential.

Personal Information is processed in our offices and in any other place in which the parties involved in the data processing are located. For further information, you may contact us as noted below.

Personal Information may be transferred to countries outside the EU, to the United States of America. With respect to these countries, an adequacy decision by the European Commission exists or, in the absence of such a decision, you may request further information from us regarding any appropriate safeguards adopted, as well as the means to obtain a copy of your Personal Information or the exact location where it has been stored.

5 — Data retention

We keep Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a business need to do so, or as required by law (e.g. for tax, legal, accounting, or other purposes), whichever is longer.

6 — California privacy rights disclosure

Where provided for by law and subject to any applicable exceptions, California residents may have the right:

  • to know the categories of Personal Information that Commerce Layer has collected about you, the business purpose for collecting your Personal Information, and the categories of sources from which the Personal Information was collected;
  • to access the specific pieces of Personal Information that Commerce Layer has collected about you;
  • to know whether Commerce Layer has disclosed your Personal Information for business purposes, the categories of Personal Information so disclosed, and the categories of third parties to whom we have disclosed your Personal Information;
  • to have Commerce Layer, under certain circumstances, delete your Personal Information;
  • to instruct businesses that sell Personal Information to stop doing so – Commerce Layer, however, does not sell Personal Information; and
  • to be free from discrimination related to the exercise of these rights.

If you would like to exercise any or all of these rights, you may do so by contacting us. After we receive your request, we may request additional information from you to verify your identity. Your authorized agent may submit requests in the same manner, although we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.

Please contact us with questions or to request access to an alternative format of this Privacy Policy.

7 — EU privacy rights disclosure

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide or operate the Services, including to provide customer support and process your orders, requests, questions and concerns;
  • It satisfies another legitimate interest that is not overridden by your data protection interests, including our interest in:
    • collecting product usage, analytics and performance data relating to our Site and the Services, in order to maintain, analyze, develop, update, and improve our products and services;
    • maintaining records of bugs, customer support requests and similar requests you file, and our response to these requests;
    • using information to personalize content and features on our Sites and the Services;
    • detecting, investigating and preventing activities that may violate our policies or applicable laws (such as fraud detection and prevention);
    • maintaining corporate or business records consistent with our retention policies and applicable laws;
    • protecting against activities that may threaten the security, integrity, or availability of our or another party’s products, systems, and services; and
    • for marketing and selling our products and services, consistent with applicable laws.
  • We are processing your information to protect our legal rights;
  • You give us consent to process your Personal Information;
  • We need to process your data to comply with a legal obligation, such as a lawful subpoena or law-enforcement request or to fulfill the lawful instructions of our customers (when they are acting as the controller); and/or
  • We have another lawful basis for processing in accordance with applicable EU laws.

If you have consented to our use of your personal information, and our processing is based on that consent, you have the right to withdraw your consent in accordance with the General Data Protection Regulation ("GDPR"), but this will not affect any processing that has already taken place. If you object to or restrict processing, you may not be able to use the Sites and Services or certain features any longer.

As an E.U. resident, you may exercise specific rights with respect to Personal Information under GDPR. In particular, you have the right to:

  • withdraw your consent at any time;
  • object to the processing of your Personal Information;
  • access your Personal Information;
  • monitor and request the rectification of Personal Information;
  • obtain a restriction of Processing of your Personal Information;
  • obtain the erasure or deletion of your Personal Information;
  • receive your Personal Information or obtain the transfer to a different data controller;
  • lodge a complaint before the supervisory authority for the protection of Personal Information or start legal proceedings.

Where Commerce Layer is acting as a controller, you can initiate a request to exercise your rights by contacting us as specified in the "Contact Us" section below. Please note that these requests apply only to information that Commerce Layer holds as a "controller." If your request relates to the Personal Information collected through one of our customers’ websites or digital products, you should direct your request to the owner of that website or product. Please note that you must verify your identity and request before Commerce Layer will process your request. You may be required to provide email confirmation or other information in order for us to verify your identity.

8 — Children

Our Service is not directed to children who are under the age of 16. Commerce Layer does not knowingly collect Personal Information from children under the age of 16. If you have reason to believe that a child under the age of 16 has provided Personal Information to Commerce Layer through the Service, please contact us and we will endeavor to delete that information from our databases.

9 — Links to other websites

The Service may contain links to other websites not operated or controlled by Commerce Layer, including social media services ("Third Party Sites"). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the Third Party Sites directly for information on their privacy practices and policies.

10 — Security

You use the Service at your own risk. We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Information both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or e-mail. Please keep this in mind when disclosing any Personal Information to Commerce Layer via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.

11 — Your choices

In certain circumstances providing Personal Information is optional. However, if you choose not to provide Personal Information that is needed to use some features of our Service, you may be unable to use those features. You can also log in to your account or contact us to request updates or corrections to your Personal Information.

12 — Changes to the privacy policy

The Service and our business may change from time to time. As a result we may change this Privacy Policy at any time. When we do we will post an updated version on this page, unless another type of notice is required by the applicable law. By continuing to use our Service or providing us with Personal Information after we have posted an updated Privacy Policy, or notified you by other means if applicable, you consent to the revised Privacy Policy and practices described in it.

13 — Contact us

If you have any questions about our Privacy Policy or information practices, please feel free to contact us at our designated request address:

Our contact information

Commerce Layer, Inc. — with registered office in 2965 Woodside Road, Woodside CA 94062 - USA, e-mail

Our EU representative

Commerce Layer Srl. — with registered office in Via del Carmine 11, 59100 Prato, Tax Code / VAT code IT02382940977, e‑mail

Our data protection officer (DPO)

Our Data Protection Officer is Massimo Scardellato — Via Dandolo 4C, 31050, Ponzano Veneto (TV), Tax Code SCRMSM67P04L407Z, e-mail