SELLERBASE DATA PROTECTION ADDENDUM
Version: 1.0
Effective Date: January 12, 2026
1. INTRODUCTION AND SCOPE
1.1 Purpose
This Data Protection Addendum ("DPA") forms part of the Agreement between Sellerbase Ltd ("Sellerbase") and the customer identified in the Order Form ("Customer") and sets out the parties' obligations regarding the processing of personal data in connection with Sellerbase's services.
1.2 Incorporation
This DPA is incorporated into and forms part of the Sellerbase Terms of Service. In the event of any conflict between this DPA and other provisions of the Agreement regarding data protection, data security, or international data transfer obligations, this DPA shall prevail.
1.3 Definitions
In addition to terms defined in the Terms of Service, the following definitions apply:
"Applicable Data Protection Laws" has the meaning given in Section 1 of the Terms of Service, and additionally includes the Swiss Federal Act on Data Protection.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Data Subject" means an identified or identifiable natural person to whom personal data relates.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
"Processor" means a natural or legal person which processes personal data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
"Sub-processor" means any third party engaged by Sellerbase to process personal data on its behalf.
2. RELATIONSHIP STRUCTURE
2.1 Controller-to-Controller Relationship (Primary)
For Sellerbase's provision of its database to Customer:
| Party | Role |
|---|---|
| Sellerbase | Independent data controller for its database |
| Customer | Independent data controller when using Data |
This is a controller-to-controller data sharing relationship. Sellerbase does not process Data "on behalf of" Customer; rather, Sellerbase provides its independently compiled database which Customer then uses for Customer's own purposes and under Customer's own controllership.
2.2 Processor Relationship (Add-ons Only)
The following add-ons create a processor relationship where Sellerbase processes Customer's personal data on Customer's behalf and under Customer's instructions:
| Add-on | Sellerbase Role | Customer Role |
|---|---|---|
| CRM Synchronization | Processor | Controller |
| Customer List Enrichment | Processor | Controller |
| Custom Data Processing | As specified in Order Form | As specified in Order Form |
When these add-ons are activated (as indicated in the Order Form), Section 8 (Processor Terms) of this DPA applies to that processing.
3. LEGAL BASIS (CONTROLLER-TO-CONTROLLER)
3.1 Sellerbase's Legal Basis
Sellerbase collects and provides B2B contact data under the legitimate interest legal basis pursuant to Article 6(1)(f) of the GDPR, having conducted a balancing assessment considering:
- The business context (B2B contact information relating to individuals' professional roles);
- The public availability of source data;
- The reasonable expectations of data subjects in business contexts;
- Implementation of opt-out/objection mechanisms;
- Data minimization and accuracy practices; and
- Appropriate safeguards including suppression list management.
A summary of Sellerbase's legitimate interest assessment is available upon request.
3.2 Customer's Legal Basis
Customer is independently responsible for determining and maintaining its own legal basis for processing Data, which may include:
- Legitimate interest (subject to Customer's own balancing assessment);
- Consent; or
- Other applicable legal bases depending on Customer's specific use case and applicable laws.
3.3 No Representations
Sellerbase makes no representation that:
- Legitimate interest is sufficient for all Customer use cases;
- Data includes consent or opt-in for any particular purpose; or
- Customer's intended processing is lawful under Applicable Data Protection Laws.
Customer acknowledges that direct marketing activities may be subject to additional requirements under the ePrivacy Directive and national anti-spam laws, and that Customer is solely responsible for determining compliance with such requirements.
4. CUSTOMER OBLIGATIONS (CONTROLLER-TO-CONTROLLER)
Customer agrees to:
4.1 Lawful Processing
Use personal data only for lawful purposes and in compliance with Applicable Data Protection Laws.
4.2 Legal Basis
Maintain an appropriate legal basis for all processing activities involving Data.
4.3 Data Subject Rights
Respond promptly to data subject requests (access, rectification, erasure, restriction, portability, objection) concerning personal data in Customer's systems.
4.4 Security Measures
Implement appropriate technical and organizational security measures to protect personal data processed by Customer.
4.5 Lawful Use
Not use personal data in ways that would violate data subjects' rights or Applicable Data Protection Laws.
4.6 Suppression Compliance
Honor suppression/opt-out notifications from Sellerbase in accordance with Section 6 of this DPA.
4.7 Compliance Records
Maintain records demonstrating compliance with Applicable Data Protection Laws and provide such records to Sellerbase upon reasonable request in connection with a regulatory inquiry or complaint.
4.8 Marketing Compliance
When using Data for lead generation or marketing:
- Implement functional unsubscribe/opt-out mechanisms;
- Maintain suppression lists;
- Honor do-not-contact requests; and
- Comply with all applicable ePrivacy, anti-spam, and direct marketing laws.
5. SELLERBASE OBLIGATIONS (CONTROLLER-TO-CONTROLLER)
Sellerbase agrees to:
5.1 Security Measures
Maintain appropriate technical and organizational security measures to protect its database.
5.2 Data Subject Requests
Process data subject requests directed to Sellerbase concerning its database in accordance with Applicable Data Protection Laws.
5.3 Breach Notification
Notify Customer without undue delay (and in any event within 72 hours) after becoming aware of any personal data breach affecting Customer's account data.
5.4 Records
Maintain records of processing activities as required by Applicable Data Protection Laws.
5.5 Sub-processor Information
Provide information about sub-processors and service providers upon reasonable request.
5.6 Suppression Management
Maintain and communicate suppression/opt-out lists in accordance with Section 6 of this DPA.
5.7 Privacy Notice
Maintain a publicly accessible privacy notice addressing Article 14 GDPR requirements regarding the information provided to data subjects.
5.8 Transfer Information
Upon request, provide information necessary for Customer to conduct transfer risk assessments, including a description of applicable technical and organizational security measures.
6. SUPPRESSION/OPT-OUT PROPAGATION
6.1 Sellerbase Suppression Obligations
Sellerbase shall:
- (a) Maintain a suppression list of individuals who have exercised objection or erasure rights with Sellerbase;
- (b) Apply suppressions to its database within a reasonable timeframe;
- (c) Provide Customer with suppression updates via one of the following methods (as available):
  - Monthly suppression list updates;
  - API access to suppression data; or
  - Upon Customer's written request.
6.2 Customer Suppression Obligations
Customer shall:
- (a) Apply suppression updates received from Sellerbase to Customer's systems within 14 days of receipt;
- (b) Not re-contact suppressed individuals using Data;
- (c) Maintain Customer's own suppression mechanisms for Customer's outreach activities; and
- (d) Honor direct opt-out requests received by Customer and not rely solely on Sellerbase suppressions.
6.3 Suppression Survival
Customer's obligation to honor suppressions survives termination of the Agreement.
7. INTERNATIONAL TRANSFERS
7.1 Sellerbase Location
Sellerbase is established in Mauritius, which does not have an adequacy decision from the European Commission under Article 45 of the GDPR.
7.2 Transfer Mechanisms
When personal data subject to the GDPR, UK GDPR, or similar laws is transferred to or from Sellerbase, the parties shall implement appropriate transfer mechanisms as set forth in this Section 7.
7.3 Applicable Transfers
| Scenario | Applicable Mechanism |
|---|---|
| EU/EEA Customer receiving Data from Sellerbase | Controller-to-Controller SCCs (Module One) |
| UK Customer receiving Data from Sellerbase | UK Addendum to SCCs (Module One) |
| EU/EEA Customer sending personal data to Sellerbase (e.g., admin contacts, support data) | Controller-to-Controller SCCs (Module One) |
| Add-ons involving Customer personal data | Controller-to-Processor SCCs (Module Two) |
7.4 SCC Incorporation
Where Customer is established in the EU/EEA or UK (as indicated in the Order Form), the applicable SCC modules are incorporated by reference into this DPA. The parties agree that:
For Module One (Controller-to-Controller) transfers:
- Data exporter: Customer (when receiving Data) or Sellerbase (when receiving Customer contact/support data), as applicable
- Data importer: Sellerbase (when providing Data) or Customer (when providing contact/support data), as applicable
- Annex I: As set forth in Annex I to this DPA
- Annex II: As set forth in Annex II to this DPA
For Module Two (Controller-to-Processor) transfers (Add-ons only):
- Data exporter: Customer
- Data importer: Sellerbase
- Annex I: As set forth in Annex I to this DPA
- Annex II: As set forth in Annex II to this DPA
7.5 UK Transfers
For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018 shall apply to such transfers.
7.6 Swiss Transfers
For transfers subject to the Swiss Federal Act on Data Protection, the SCCs shall apply with the modifications necessary to comply with Swiss law.
7.7 Supplementary Measures
Sellerbase applies supplementary technical and organizational measures appropriate to the risk to protect transferred personal data, as further described in Annex II.
7.8 Transfer Risk Assessment
Upon request, Sellerbase will provide Customer with information reasonably necessary to conduct transfer risk assessments, including:
- Description of technical and organizational security measures;
- Information about relevant laws in Mauritius affecting data protection; and
- Details of any government access requests received (to the extent permitted by law).
8. PROCESSOR TERMS (ADD-ONS ONLY)
This Section 8 applies when Sellerbase acts as a Processor under Section 2.2 of this DPA. These terms are provided to satisfy the requirements of Article 28 of the GDPR.
8.1 Processing Instructions
Sellerbase shall:
- (a) Process Customer personal data only on Customer's documented instructions, including with respect to transfers to third countries, unless required to do so by applicable law (in which case Sellerbase shall inform Customer of such legal requirement before processing, unless prohibited by law);
- (b) Process Customer personal data only for the purposes specified in the Order Form and this DPA.
8.2 Confidentiality
Sellerbase shall ensure that persons authorized to process Customer personal data:
- (a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
- (b) Process Customer personal data only on instructions from Sellerbase.
8.3 Security
Sellerbase shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- (a) Pseudonymization and encryption of personal data;
- (b) Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
- (c) Measures to restore availability and access to personal data in a timely manner following an incident; and
- (d) Regular testing and evaluation of security measures.
Security measures are described in Annex II to this DPA.
8.4 Sub-processors
8.4.1 Authorization. Customer provides general authorization for Sellerbase to engage Sub-processors for the processing of Customer personal data.
8.4.2 Sub-processor List. A current list of Sub-processors is available upon request.
8.4.3 Changes. Sellerbase shall notify Customer of any intended changes to Sub-processors at least 30 days before the change takes effect by email to Customer's billing contact or by posting on the Sellerbase website.
8.4.4 Objections. Customer may object to a new Sub-processor on reasonable grounds by notifying Sellerbase in writing within 30 days of receiving notice. The parties shall work in good faith to resolve the objection. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected add-on services.
8.4.5 Sub-processor Contracts. Sellerbase shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
8.5 Data Subject Rights Assistance
Sellerbase shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to data subject requests.
8.6 Compliance Assistance
Sellerbase shall assist Customer in ensuring compliance with Customer's obligations under Articles 32-36 of the GDPR, taking into account the nature of processing and the information available to Sellerbase.
8.7 Audit Rights
8.7.1 Information. Sellerbase shall make available to Customer all information necessary to demonstrate compliance with this Section 8.
8.7.2 Audits. Sellerbase shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to:
- (a) Reasonable advance notice of at least 30 days;
- (b) Confidentiality obligations binding the auditor;
- (c) Conduct during normal business hours with minimal disruption; and
- (d) Customer bearing the costs of the audit.
8.7.3 Third-Party Reports. Sellerbase may satisfy audit requests by providing:
- (a) Relevant third-party certifications (e.g., ISO 27001); or
- (b) Reports from third-party auditors.
8.8 Return and Deletion
Upon termination of the processor relationship:
- (a) Sellerbase shall, at Customer's election, return or delete Customer personal data within 30 days of termination; and
- (b) Sellerbase shall delete existing copies unless applicable law requires retention.
8.9 Breach Notification
Sellerbase shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer personal data processed under this Section 8.
9. SUB-PROCESSORS AND SERVICE PROVIDERS
9.1 Categories
Sellerbase uses the following categories of service providers:
| Category | Purpose |
|---|---|
| Cloud hosting providers | Infrastructure and data storage |
| Analytics providers | Platform performance monitoring |
| Support tooling providers | Customer support delivery |
| Payment processors | Payment processing |
| Email service providers | Communications |
9.2 Sub-processor List
A current list of specific Sub-processors is available upon request at contact@sellerbase.net.
10. DATA SUBJECT RIGHTS
10.1 Responsibility Allocation
| Request Type | Responsible Party |
|---|---|
| Requests concerning Sellerbase's database | Sellerbase |
| Requests concerning data in Customer's systems | Customer |
| Suppression propagation | Sellerbase notifies; Customer implements |
10.2 Cooperation
Each party shall reasonably cooperate with the other party in responding to data subject requests that relate to the other party's processing activities.
10.3 Referrals
If a party receives a data subject request that relates to the other party's processing activities, it shall promptly refer the data subject to the appropriate party.
11. CONTACT INFORMATION
11.1 Sellerbase Contact
For data protection inquiries:
Sellerbase Ltd
20 Foot Road, Grand Baie, Mauritius
Email: contact@sellerbase.net
ANNEX I - TRANSFER DETAILS
A. LIST OF PARTIES
Data Exporter(s):
- Name: As specified in the Order Form
- Address: As specified in the Order Form
- Contact: As specified in the Order Form
- Role: Controller
Data Importer(s):
- Name: Sellerbase Ltd
- Address: 20 Foot Road, Grand Baie, Mauritius
- Contact: contact@sellerbase.net
- Role: Controller (for database provision) / Processor (for add-ons, where applicable)
B. DESCRIPTION OF TRANSFER
Module One (Controller-to-Controller):
| Element | Description |
|---|---|
| Categories of data subjects | Individuals whose business contact details have been published in a business-contact context (for example, on a company "contact us" page), such as company representatives. The database is focused on businesses and companies; most records do not identify an individual. |
| Categories of personal data | Limited business contact details, which may include a name, a business email address, and a business phone number. Most contact details are generic, role-based company details (for example, info@ or contact@ a company domain) and organization-level information that do not identify an individual. |
| Sensitive data | None |
| Frequency of transfer | Continuous (on-demand access) |
| Nature of processing | Making available, storage, transmission |
| Purpose | Provision of B2B data services for Customer's business analysis, market research, and lead generation |
| Retention period | Duration of Agreement; post-termination per Section 14 of Terms of Service |
Module Two (Controller-to-Processor) - Add-ons only:
| Element | Description |
|---|---|
| Categories of data subjects | As specified by Customer in connection with add-on services |
| Categories of personal data | As specified by Customer in connection with add-on services |
| Sensitive data | None (unless specified by Customer) |
| Frequency of transfer | As required by add-on services |
| Nature of processing | As specified in Order Form |
| Purpose | Provision of add-on services (CRM sync, enrichment, etc.) |
| Retention period | Duration of add-on services |
C. COMPETENT SUPERVISORY AUTHORITY
For EU data exporters: The supervisory authority of the EU Member State in which the data exporter is established.
For UK data exporters: The Information Commissioner's Office (ICO).
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
Sellerbase maintains technical and organizational measures appropriate to the nature of the data and the risks involved, and keeps them under review. These measures address the following areas:
- Access control — authentication and role-based access to systems that hold personal data, with access limited to those who require it.
- Data protection — encryption of personal data in transit over public networks, and data minimization.
- Infrastructure security — network protections, including segregation of systems that hold personal data from public networks.
- Operational security — incident response and business continuity procedures, and staff awareness of data protection responsibilities.
- Sub-processor management — due diligence on sub-processors and service providers.
- Data subject rights — procedures for handling data subject requests.
Further detail on the measures applicable to a particular processing activity is available to Customer on request.
End of Data Protection Addendum Version 1.0