GDPR Compliance
Spectra has built-in tools for GDPR compliance — customer data export, right-to-be-forgotten, consent tracking.
What's covered
- Consent banner — Consent Management
- Data export — customers can request a full export of their data
- Data deletion — customers can request account anonymization
- Audit log — all data access logged
- Encryption at rest — sensitive fields (TINs, API credentials) encrypted
- Data minimization — only collect what's needed
Scope
Applies to:
- Customer accounts (
commerce__customers) - Saved addresses (
commerce__customer_addresses) - Order history (with anonymization on delete)
- Reviews, wishlist, returns
- Cart data
- Gift cards
- Marketing consent preferences
What you need to do as an admin
- Publish your privacy policy (
privacy_urlin tenant config) - Ensure cookie consent is enabled for EU traffic (enabled by default)
- Designate a data protection officer + contact
- Respond to data requests within 30 days (GDPR requirement)
Where to manage requests
Admin: /commerce/gdpr — see pending export and deletion requests
Export flow
See Data Export.
Deletion flow
- Customer requests via
/account/privacy - Admin reviews in
/commerce/gdpr - Click Process Deletion → anonymizes personal data
Anonymization (not hard delete):
email→deleted-{id}@anonymized.localfirst_name,last_name,phone→ NULL- Orders retained for financial records but PII scrubbed
- Reviews hidden
- Wishlist + cart deleted
Legal basis
Orders are retained (not deleted) because:
- Tax law requires financial record retention (7 years in most jurisdictions)
- Fraud prevention requires transaction history
Customers are informed of this before confirming deletion.