
Data Compliance Document

GDPR & CCPA Compliance Framework

gr8grocersja.com

Effective Date: April 4, 2026

This document sets out the data compliance obligations and procedures adopted by Gr8 Grocers JA in respect of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) as amended by the California Privacy Rights Act ("CCPA/CPRA"). It is intended as an internal reference and may also be shared with regulators and supervisory authorities.


Part A — General Framework

A.1 Roles & Responsibilities

Data Controller: Gr8 Grocers JA is the data controller for all personal data processed in connection with the Site.

Data Protection Officer (DPO): Where required, a DPO or privacy point of contact can be reached at privacy@gr8grocersja.com.

Processors: Third-party service providers acting under written data processing agreements (see Schedule 1).

A.2 Principles of Processing

All personal data is processed in accordance with the following principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation — data collected only for specified, explicit, and legitimate purposes
  • Data minimisation — only data adequate, relevant, and limited to what is necessary
  • Accuracy — reasonable steps taken to keep data accurate and up to date
  • Storage limitation — retained no longer than necessary
  • Integrity and confidentiality — appropriate security measures in place
  • Accountability — documented policies and training to demonstrate compliance

Part B — GDPR Compliance

B.1 Lawful Basis Register

The following table summarises the lawful bases relied upon for key processing activities:

Processing Activity | Lawful Basis
Order fulfilment | Contract performance (Art. 6(1)(b))
Account management | Contract performance (Art. 6(1)(b))
Marketing emails | Consent (Art. 6(1)(a)) — opt-in required
Fraud prevention | Legitimate interests (Art. 6(1)(f))
Tax & legal records | Legal obligation (Art. 6(1)(c))
Analytics (non-essential cookies) | Consent (Art. 6(1)(a))

B.2 Data Subject Rights Procedures

  • Right of Access (Art. 15): Requests fulfilled within 30 days via privacy@gr8grocersja.com. Identity verification required.
  • Right to Rectification (Art. 16): Users may update most data via account settings; remaining corrections handled within 14 days.
  • Right to Erasure (Art. 17): Requests assessed against retention obligations; erasure confirmed or grounds for refusal communicated within 30 days.
  • Right to Restriction (Art. 18): Processing restricted pending resolution of accuracy or legitimacy disputes.
  • Right to Data Portability (Art. 20): Data provided in CSV or JSON format within 30 days.
  • Right to Object (Art. 21): Objections to direct marketing and legitimate-interest processing accepted at any time.
  • Rights re Automated Decision-Making (Art. 22): No solely automated decisions with legal or significant effect are currently made.

B.3 Consent Management

Marketing consents are collected via explicit opt-in checkboxes at registration and checkout. Consent records (timestamp, method, version of consent text) are stored in our consent management platform. Consent may be withdrawn at any time by unsubscribing or contacting privacy@gr8grocersja.com. Non-essential cookies require consent via our cookie banner before placement.

B.4 Data Breach Response

In the event of a personal data breach we will: (1) Contain the breach immediately; (2) Assess the risk to data subjects; (3) Notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms; (4) Notify affected data subjects without undue delay where the breach is likely to result in a high risk.

An internal breach log is maintained recording all incidents, their scope, and remedial actions taken.

B.5 International Transfers

Where personal data is transferred outside the EEA/UK, we ensure adequate safeguards via: Standard Contractual Clauses (SCCs) approved by the European Commission; UK International Data Transfer Agreements (IDTAs) as applicable; or adequacy decisions where available. A Record of Processing Activities (RoPA) documenting all such transfers is maintained internally.

B.6 Privacy by Design

Privacy considerations are embedded into new product and feature development. Data Protection Impact Assessments (DPIAs) are conducted for processing activities likely to result in high risk to individuals.


Part C — CCPA / CPRA Compliance

C.1 Applicability

The CCPA/CPRA applies to for-profit businesses that collect personal information of California residents and meet one or more of the following thresholds: annual gross revenues exceeding $25 million; annually buying, selling, or sharing for commercial purposes the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling consumers' personal information. We comply with the CCPA/CPRA to the extent applicable and extend equivalent rights to all users as a matter of good practice.

C.2 Categories of Personal Information Collected

Within the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers (name, email address, IP address, account username)
  • Commercial information (purchase history, products considered)
  • Internet/network activity (browsing history on our Site, interactions with our ads)
  • Geolocation data (derived from IP address; approximate only)
  • Inferences drawn from the above to create a profile of consumer preferences

We do not collect sensitive personal information as defined by the CPRA beyond what is necessary for order fulfilment and payment processing.

C.3 Purpose of Collection

Personal information is collected and used to: fulfil orders; operate and improve the Site; prevent fraud; comply with legal obligations; and, with consent, deliver personalised marketing.

C.4 Sale and Sharing of Personal Information

We do not sell personal information for monetary consideration. We may share personal information with advertising partners for cross-context behavioural advertising; consumers may opt out via the 'Do Not Sell or Share My Personal Information' link in our Site footer or by emailing privacy@gr8grocersja.com.

C.5 California Consumer Rights

California residents have the following rights under the CCPA/CPRA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and the categories of third parties with whom it is shared.
  • Right to Delete: Request deletion of personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for targeted advertising.
  • Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information to specified permitted purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, email privacy@gr8grocersja.com. We will respond within 45 days (extendable by a further 45 days where reasonably necessary).

C.6 Authorised Agents

California residents may designate an authorised agent to exercise their rights on their behalf. We will require written proof of authorisation and may verify the consumer's identity directly.


Part D — Retention Schedule

Data Category | Retention Period
Customer account data | Duration of account + 7 years
Order and payment records | 7 years (tax & legal compliance)
Marketing consent records | Until consent is withdrawn + 3 years
Fraud and security logs | 2 years
Analytics data (aggregated) | 26 months
Support correspondence | 3 years from case closure

Part E — Third-Party Processor Summary (Schedule 1)

The following categories of processors are engaged under appropriate data processing agreements:

  • Payment processors (e.g. Stripe, PayPal) — PCI-DSS compliant
  • Cloud hosting & infrastructure providers
  • Email service providers (transactional and marketing)
  • Analytics platforms (with IP anonymisation enabled)
  • Fraud detection and identity verification services
  • Customer support platforms

A full processor register is maintained internally and available to supervisory authorities upon request.


Part F — Policy Review & Training

This compliance document is reviewed at least annually, or following any significant change in processing activities, applicable law, or regulatory guidance. All staff with access to personal data receive training on data protection obligations at onboarding and annually thereafter.


Contact & Escalation

Data Protection / Privacy Enquiries: privacy@gr8grocersja.com
Supervisory Authority (Jamaica): Office of the Information Commissioner — oic.gov.jm
Supervisory Authority (EEA users): Your local Data Protection Authority
California Privacy Rights: privacy@gr8grocersja.com — Subject line: "CCPA Request"

Disclaimer: This document is published for transparency and is intended to inform users about how Gr8 Grocers JA handles personal data in compliance with applicable law. It does not constitute legal advice. If you have questions about your data rights or wish to make a formal request, contact us at privacy@gr8grocersja.com. California residents wishing to opt out of data sharing may do so by emailing us with the subject line "Do Not Sell or Share My Personal Information."