GDPR Policies

GDPR Policies

Lawful Basis

Users of Gateway CPP & OMS lawful basis for processing personal data is a contractual obligation to fulfil customer orders placed on either their own or their customers eCommerce sites (for which they are either a data controller if the website owner or a processor if managing fulfilment

Gateway OMS only collects enough customer personal information to be able to fulfil the order (i.e. shipping address and contact details).

Data Retention

An individual's identifying data (name, contact details and address) will be deleted from our backend systems 6 months after an order has been completed or once the order is older than 6 months.

Postcode and country code will be retained for statistical purposes.

*An order is deemed to be completed once it has reached a “Dispatched” status.

Personal details will not be deleted from websites (unless requested by the customer) as websites have a legitimate reason for keeping customer details on file (reorders for example).

Note: The data retention period can be changed on a per company basis as some workflows will legitimately require personal details to be stored for longer. GDPR/Data Protection only require data to be deleted if retaining it can no longer be justified.

Individual Rights

Note: In addition to the email address, individual sites may have their own email addresses listed in the sites individual privacy policy.

Note: Data controllers who are using Custom Gateway as a data processor, may also use the email address for delegating requests.


Right to be Informed

Right of Access and Data Portability

An individual can request their personal data from Custom Gateway via a support email to

In order to prove their identity, the request must include:

  • Full name
  • First line of address
  • Postcode
  • An order number

A member of the support team can verify the individual’s details and perform a lookup using the “Order Manager” search too.

The request will be be satisfied within 30 days.


Right to Rectification

An individual can request rectification of their data via a support email to

Proof of identity must be supplied in the same manner as with “Right to Access”.

A member of the support team can then amend any personal details using the “Order Manager” tool.

The request will be satisfied within 30 days.


Right to Erasure, Restricted Processing and Objection

An individual can request erasure of their data via a support email to

Proof of identity must be supplied in the same manner as with “Right to Access”.

A member of the support team can then remove any personal details using the “Order Manager” tool.

The request must be satisfied within 30 days.


Additional Useful Resources

The following links may also be useful for reference

- Custom Gateway Ltd Privacy Policy -

- An Overview of CPP and OMS Security -

- GDPR Data Processor Example Contract - Click Here


    • Related Articles

    • What Security Policies do you have in place for Gateway Sites?

      1. Hosting - Gateway Sites are hosted with UKFast who are one of the UKs leading Tier 1 Hosting Providers on our own dedicated servers   They fully-own, manage and operate carbon and carrier-neutral data centres, which offers over 30,000 sq ft of ...
    • Virtual Product Warehouse Shopify App - FAQ

      Q - I have installed the app, what happens next? A - Emails will automatically be sent out to the suppliers in the dropship network who will be in touch to agree terms with you, when they have your account with them will be activated and you will see ...
    • Overview of Gateway CPP & OMS Platform Security

      Gateway CPP (Custom Product Platform) and OMS (Order Management System) are entirely cloud based so there is no access other then via secure login through a web browser at any fulfilment centre to customer data The software is hosted at UKFast on ...
    • Facebook HTTP/HTTPS permission errors.

      If you have clients that are experiencing permission / SSL errors when visiting the embedded application, the user can temporarily use the Facebook page in standard HTTP (Non-SSL mode) by following the procedure below. The SSL options can be turned ...