Instructions & Guidelines

Data privacy guidelines

As you’ll have access to customer information that includes personal data, how you store and handle that data is important. Personal data is sensitive and in many cases regulated by applicable laws. Listed below are best practices you should follow, in addition to the Terms of Use, when developing an add-on for the marketplace.

Clearly explain your data privacy practices

When submitting your add-on for review, you are required to provide a privacy policy that explains to users how you plan to use their data. The privacy policy should clearly explain what data the add-on will collect, how that data will be used, who will have access to it, and what choices the user has.

Minimize the data you collect

Collect data only where you need it. Do not collect data just because you think it may be useful later. Where personal data is involved, consider de-identifying it. Also consider deleting a user’s data when they request it or when they uninstall your add-on. Keep in mind that you don’t need to store data indefinitely; put data retention schemes in place.

Get consent for certain data use

When submitting an add-on for review, you’ll have to check which data you collect in the permissions tab. You should only collect the data you checked in that tab. In this way, users consent to the use of their data when installing an add-on, but only for the purpose of that add-on. Using data for marketing, sharing data with third parties, and other data use cases not strictly required to support the operation of your add-on may require separate consent from the user before you collect or use the data. As a general rule of thumb, you should always get consent if the user would not expect their data to be used or shared in a particular way given the purpose of your add-on.

Consent may not be embedded in a privacy policy. Instead, it must be collected from the user directly. You are responsible for collecting and maintaining all such consents, either through the add-on itself or through direct communication with the add-on user.

Note, regardless of whether you obtain consent, some data use cases may be prohibited by the Terms of Use. You are responsible for reviewing and complying with those terms.

Provide access, modification and erasure of personal data

Applicable laws and data management best practices require that you make it easy for users to get a copy of, correct and delete their personal data. This means, if you are storing personal data, you need to know where that personal data is at all times and be able to update it or remove it upon request. 

Offer additional data processing terms

If you are accessing, storing or otherwise processing personal data of EEA residents, users may request that you sign and comply with additional data protection terms, consistent with Article 28 of the General Data Protection Regulation (“GDPR”). You are responsible for understanding and complying with the terms required under Article 28 of the GDPR as it relates to the user data you access, store or otherwise process in connection with the user’s consent to install and share data with your add-on.

Invest in data security

You must take reasonable steps to protect user data shared with you and collected by your add-on, including user device information. We recommend that you follow our Security guidelines, which give a more comprehensive list for securing your add-on.

In the event your add-on or suppliers experience a data security breach, you are responsible for communicating with users and regulators, as required by applicable law. It’s also important to let us know of the incident by emailing to