Skip to content
Dynamic Commerce Group
Legal

Data Processing & GDPR.

Last updated: 16 June 2026. How Dynamic Commerce Group processes personal data, the sub-processors we rely on, the safeguards we apply, and the rights you can exercise.

This Data Processing & GDPR notice explains how Dynamic Commerce Group (“DCG”, “we”, “us”, or “our”) handles personal data in two capacities: as a data controller for our own website and business operations, and as a data processor when we operate platforms or systems on behalf of our clients. DCG is registered as an Individual Entrepreneur in Georgia and operates from Batumi, serving clients worldwide.

This notice complements our Privacy Policy with the additional detail expected by the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar regimes.

1. Our roles

Depending on the engagement, DCG acts in one of two roles:

  • Controller — for our own website, marketing, sales, and contracting activities. We decide the purposes and means of processing the personal data of website visitors, prospects, clients, and our team.
  • Processor — for platforms, applications, and systems we operate on behalf of a client. The client is the controller and decides why and how the personal data is processed. We process the data on the client's documented instructions, as set out in the engagement contract or a separate data-processing addendum.

2. Categories of personal data

Depending on the service, the personal data we process may include:

  • contact details (name, email, phone, company, job title);
  • account and authentication data (login identifiers, hashed passwords, session tokens);
  • business-content data the client or their users submit to a hosted platform;
  • communication data (messages, attachments, support tickets);
  • usage and technical data (IP address, device and browser identifiers, page views, event logs, performance metrics);
  • billing and transaction data, where applicable (collected by our payment processors).

We do not seek to collect special-category data (health, biometric, political opinions, etc.) and ask clients not to submit such data to systems we operate unless the contract explicitly contemplates it.

3. Purposes and lawful bases

As a controller, our lawful bases include:

  • Contract — to provide the services you have requested and fulfil our obligations;
  • Consent — for optional cookies, marketing emails, and similar opt-in features;
  • Legitimate interests — to operate, secure, and improve our site and services, prevent abuse, and grow our business in a measured way;
  • Legal obligation — to comply with tax, accounting, and other applicable laws.

As a processor, we process data on the client's instructions and within the scope of the engagement. The lawful basis for that processing is the client's — not ours — and the client is responsible for establishing it.

4. Sub-processors

We rely on a small set of trusted providers to deliver our services. Categories of sub-processors typically include:

  • Cloud hosting and CDN: providers that host the infrastructure on which our platforms and your sites run.
  • Database and storage: managed database and object-storage services that hold application data and backups.
  • Email delivery: transactional-email services that send sign-up, notification, and account messages.
  • Analytics and product telemetry: privacy-respecting analytics tools that help us understand usage and improve services.
  • Payment processing: PCI-DSS compliant payment processors that handle card and bank-transfer payments.
  • Customer support and CRM: tools used to manage support tickets, proposals, and client relationships.

Each sub-processor is bound by contract to confidentiality and to security measures consistent with this notice. We review the list of sub-processors used in your engagement periodically. A current list is available on written request and may also be included in your data-processing addendum.

5. International transfers

Because our infrastructure and sub-processors are global, personal data may be processed outside your country of residence, including outside the European Economic Area (EEA) and the United Kingdom. Where such transfers occur, we put appropriate safeguards in place — for example, standard contractual clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or provider-level certification frameworks — to give your data a similar level of protection. Where adequacy decisions apply (for example, transfers to jurisdictions recognised as providing essentially equivalent protection), we rely on those.

6. Data subject rights

Subject to applicable law, individuals whose personal data we hold have the right to:

  • Access the personal data we hold about them;
  • Rectify inaccurate or incomplete information;
  • Erase personal data, where there is no overriding legal basis to retain it;
  • Restrict certain processing while a concern is being resolved;
  • Receive their data in a portable format;
  • Object to processing based on legitimate interests, including profiling;
  • Withdraw consent at any time, where processing is based on consent.

7. How to exercise your rights

Where DCG is the controller of your data, contact us at info@dynamiccommercegroup.com with a short description of your request. We may need to verify your identity before acting. We will respond within one month, with a possible extension of two further months for complex requests.

Where DCG processes your data on behalf of one of our clients (we are the processor), please contact that client directly — they are the controller and the right party to action your request. If you are unsure who the controller is, write to us and we will help route the request.

You also have the right to lodge a complaint with your local data-protection authority.

8. Security measures

We apply reasonable technical and organisational measures to protect personal data, including:

  • transport encryption (HTTPS/TLS) for data in transit;
  • encryption at rest for managed databases and storage where the provider supports it;
  • role-based access controls and least-privilege principles for our team;
  • separation of production, staging, and development environments;
  • routine application and infrastructure patching;
  • application and network logging for accountability and incident investigation;
  • internal review of access, configurations, and security practices.

No system is perfectly secure, however, and we cannot guarantee absolute protection of information transmitted over the internet.

9. Data retention and deletion

We retain personal data only for as long as necessary to provide our services, to meet our legal and accounting obligations, and to resolve disputes or enforce agreements. When personal data is no longer needed, it is securely deleted or anonymised. For client engagements where we act as processor, we delete or return personal data at the end of the engagement in line with the client's instructions and any applicable retention requirements.

10. Breach notification

If we become aware of a personal-data breach affecting your data, we will assess its scope and impact without undue delay. Where DCG is the controller, we will notify the relevant supervisory authority within 72 hours where the GDPR requires us to, and we will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Where DCG is the processor, we will notify the affected client controller without undue delay so the controller can meet its own notification obligations.

11. Client / controller responsibilities

Where a client uses our services as a controller, the client is responsible for:

  • having a lawful basis for the processing they direct us to perform;
  • providing the appropriate notices and obtaining any consents required from their own users;
  • responding to data-subject requests directed at their service;
  • configuring features in line with their own privacy obligations (for example, retention periods, role-based access, audit settings).

We support our clients in meeting these obligations and will provide reasonable assistance where required by applicable law.

12. Relationship to the Privacy Policy

This notice complements — and does not replace — our Privacy Policy. The Privacy Policy describes our overall data-handling practices for website visitors and prospects; this notice provides additional detail on processing roles, sub-processors, transfers, and GDPR-specific rights. Where the two appear to conflict, this notice prevails for GDPR and similar-regime topics.

13. Changes

We may update this notice from time to time to reflect changes in our sub-processors, our security practices, or applicable law. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated through reasonable means (typically email to active clients) before they take effect.

14. Governing law

This notice is governed by the laws of Georgia, without prejudice to mandatory data-protection rights that apply to individuals under the GDPR, UK GDPR, or other applicable regimes. Any disputes that cannot be resolved by good-faith negotiation will be submitted to the competent courts of Batumi, Georgia, unless your contract with DCG specifies a different forum.

15. Contact us

For privacy questions, data-subject requests, or sub-processor information, contact us at info@dynamiccommercegroup.com or via our contact page.