GDPR Compliance
GDPR Compliance
GDPR Compliance
GDPR Compliance
Last updated on January 16, 2026
This page describes how Crosslist supports customers and users with EU GDPR and UK GDPR requirements. It is intended for individuals in the EEA, the UK, and Switzerland, and for customers whose use of the Service is otherwise subject to GDPR or UK GDPR.
Controller and processor roles
Depending on how you use the Service, Crosslist may act as a data controller and/or a data processor.
Controller: when we process account administration, billing, security, marketing, and website analytics for Crosslist’s own purposes.
Processor: when we process marketplace and listing-related data on your behalf to provide cross listing and inventory functionality.
Data Processing Agreement (DPA)
Where we act as a processor, we provide a Data Processing Agreement (DPA) on request.
The DPA covers the topics typically required under GDPR for processor contracts, including processing instructions, confidentiality, security measures, assistance with data subject requests, breach notification, subprocessors, and deletion or return of data at the end of the provision of services.
To request a DPA, contact hello@crosslist.com.
Subprocessors
We use trusted service providers to help deliver the Service, for example for payments, hosting and infrastructure, support tooling, email delivery, analytics and measurement, affiliate tracking, and payout processing.
We maintain an internal, up-to-date list of key subprocessors. Where required, we make relevant subprocessor information available to customers under the DPA, including how customers can be notified of material changes and how they can object where applicable.
Security measures
We implement reasonable technical and organizational measures designed to protect personal data. Measures may include access controls, encryption in transit (HTTPS/TLS), secure credential handling, logging and monitoring, and regular maintenance designed to reduce risk.
No system is completely secure. We continuously work to improve the security and reliability of the Service.
Personal data breaches
We have processes to detect, investigate, and respond to suspected personal data breaches.
Where we act as a controller, we follow GDPR requirements for notifying the relevant supervisory authority when required, generally within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms.
Where we act as a processor, we notify the relevant controller without undue delay after becoming aware of a breach and provide information reasonably needed to support the controller’s obligations.
Data retention and deletion
We retain personal data only as long as necessary for the purposes described in our Privacy Policy, including security, fraud prevention, compliance, billing, tax, and dispute resolution.
As described in our Privacy Policy, listing content and related listing data are deleted 30 days after cancellation for storage and operational reasons. Certain account-level information may be retained after cancellation for legitimate business and compliance purposes.
International data transfers
Because Crosslist and its service providers may operate globally, personal data may be processed in countries outside the EEA or the UK.
Where required by applicable law, we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses and the UK’s recognized transfer mechanisms, or other lawful transfer mechanisms that apply to the relevant transfer.
Data subject rights
Individuals in the EEA, the UK, and Switzerland may have rights such as access, correction, deletion (in certain circumstances), objection, restriction, and data portability.
If you want to exercise a right or have a GDPR-related question, contact hello@crosslist.com. We may need to verify your identity before processing a request.
Contact
For GDPR and privacy questions, or to request a DPA, contact hello@crosslist.com.
Last updated on January 16, 2026
This page describes how Crosslist supports customers and users with EU GDPR and UK GDPR requirements. It is intended for individuals in the EEA, the UK, and Switzerland, and for customers whose use of the Service is otherwise subject to GDPR or UK GDPR.
Controller and processor roles
Depending on how you use the Service, Crosslist may act as a data controller and/or a data processor.
Controller: when we process account administration, billing, security, marketing, and website analytics for Crosslist’s own purposes.
Processor: when we process marketplace and listing-related data on your behalf to provide cross listing and inventory functionality.
Data Processing Agreement (DPA)
Where we act as a processor, we provide a Data Processing Agreement (DPA) on request.
The DPA covers the topics typically required under GDPR for processor contracts, including processing instructions, confidentiality, security measures, assistance with data subject requests, breach notification, subprocessors, and deletion or return of data at the end of the provision of services.
To request a DPA, contact hello@crosslist.com.
Subprocessors
We use trusted service providers to help deliver the Service, for example for payments, hosting and infrastructure, support tooling, email delivery, analytics and measurement, affiliate tracking, and payout processing.
We maintain an internal, up-to-date list of key subprocessors. Where required, we make relevant subprocessor information available to customers under the DPA, including how customers can be notified of material changes and how they can object where applicable.
Security measures
We implement reasonable technical and organizational measures designed to protect personal data. Measures may include access controls, encryption in transit (HTTPS/TLS), secure credential handling, logging and monitoring, and regular maintenance designed to reduce risk.
No system is completely secure. We continuously work to improve the security and reliability of the Service.
Personal data breaches
We have processes to detect, investigate, and respond to suspected personal data breaches.
Where we act as a controller, we follow GDPR requirements for notifying the relevant supervisory authority when required, generally within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms.
Where we act as a processor, we notify the relevant controller without undue delay after becoming aware of a breach and provide information reasonably needed to support the controller’s obligations.
Data retention and deletion
We retain personal data only as long as necessary for the purposes described in our Privacy Policy, including security, fraud prevention, compliance, billing, tax, and dispute resolution.
As described in our Privacy Policy, listing content and related listing data are deleted 30 days after cancellation for storage and operational reasons. Certain account-level information may be retained after cancellation for legitimate business and compliance purposes.
International data transfers
Because Crosslist and its service providers may operate globally, personal data may be processed in countries outside the EEA or the UK.
Where required by applicable law, we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses and the UK’s recognized transfer mechanisms, or other lawful transfer mechanisms that apply to the relevant transfer.
Data subject rights
Individuals in the EEA, the UK, and Switzerland may have rights such as access, correction, deletion (in certain circumstances), objection, restriction, and data portability.
If you want to exercise a right or have a GDPR-related question, contact hello@crosslist.com. We may need to verify your identity before processing a request.
Contact
For GDPR and privacy questions, or to request a DPA, contact hello@crosslist.com.
Last updated on January 16, 2026
This page describes how Crosslist supports customers and users with EU GDPR and UK GDPR requirements. It is intended for individuals in the EEA, the UK, and Switzerland, and for customers whose use of the Service is otherwise subject to GDPR or UK GDPR.
Controller and processor roles
Depending on how you use the Service, Crosslist may act as a data controller and/or a data processor.
Controller: when we process account administration, billing, security, marketing, and website analytics for Crosslist’s own purposes.
Processor: when we process marketplace and listing-related data on your behalf to provide cross listing and inventory functionality.
Data Processing Agreement (DPA)
Where we act as a processor, we provide a Data Processing Agreement (DPA) on request.
The DPA covers the topics typically required under GDPR for processor contracts, including processing instructions, confidentiality, security measures, assistance with data subject requests, breach notification, subprocessors, and deletion or return of data at the end of the provision of services.
To request a DPA, contact hello@crosslist.com.
Subprocessors
We use trusted service providers to help deliver the Service, for example for payments, hosting and infrastructure, support tooling, email delivery, analytics and measurement, affiliate tracking, and payout processing.
We maintain an internal, up-to-date list of key subprocessors. Where required, we make relevant subprocessor information available to customers under the DPA, including how customers can be notified of material changes and how they can object where applicable.
Security measures
We implement reasonable technical and organizational measures designed to protect personal data. Measures may include access controls, encryption in transit (HTTPS/TLS), secure credential handling, logging and monitoring, and regular maintenance designed to reduce risk.
No system is completely secure. We continuously work to improve the security and reliability of the Service.
Personal data breaches
We have processes to detect, investigate, and respond to suspected personal data breaches.
Where we act as a controller, we follow GDPR requirements for notifying the relevant supervisory authority when required, generally within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms.
Where we act as a processor, we notify the relevant controller without undue delay after becoming aware of a breach and provide information reasonably needed to support the controller’s obligations.
Data retention and deletion
We retain personal data only as long as necessary for the purposes described in our Privacy Policy, including security, fraud prevention, compliance, billing, tax, and dispute resolution.
As described in our Privacy Policy, listing content and related listing data are deleted 30 days after cancellation for storage and operational reasons. Certain account-level information may be retained after cancellation for legitimate business and compliance purposes.
International data transfers
Because Crosslist and its service providers may operate globally, personal data may be processed in countries outside the EEA or the UK.
Where required by applicable law, we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses and the UK’s recognized transfer mechanisms, or other lawful transfer mechanisms that apply to the relevant transfer.
Data subject rights
Individuals in the EEA, the UK, and Switzerland may have rights such as access, correction, deletion (in certain circumstances), objection, restriction, and data portability.
If you want to exercise a right or have a GDPR-related question, contact hello@crosslist.com. We may need to verify your identity before processing a request.
Contact
For GDPR and privacy questions, or to request a DPA, contact hello@crosslist.com.
Last updated on January 16, 2026
This page describes how Crosslist supports customers and users with EU GDPR and UK GDPR requirements. It is intended for individuals in the EEA, the UK, and Switzerland, and for customers whose use of the Service is otherwise subject to GDPR or UK GDPR.
Controller and processor roles
Depending on how you use the Service, Crosslist may act as a data controller and/or a data processor.
Controller: when we process account administration, billing, security, marketing, and website analytics for Crosslist’s own purposes.
Processor: when we process marketplace and listing-related data on your behalf to provide cross listing and inventory functionality.
Data Processing Agreement (DPA)
Where we act as a processor, we provide a Data Processing Agreement (DPA) on request.
The DPA covers the topics typically required under GDPR for processor contracts, including processing instructions, confidentiality, security measures, assistance with data subject requests, breach notification, subprocessors, and deletion or return of data at the end of the provision of services.
To request a DPA, contact hello@crosslist.com.
Subprocessors
We use trusted service providers to help deliver the Service, for example for payments, hosting and infrastructure, support tooling, email delivery, analytics and measurement, affiliate tracking, and payout processing.
We maintain an internal, up-to-date list of key subprocessors. Where required, we make relevant subprocessor information available to customers under the DPA, including how customers can be notified of material changes and how they can object where applicable.
Security measures
We implement reasonable technical and organizational measures designed to protect personal data. Measures may include access controls, encryption in transit (HTTPS/TLS), secure credential handling, logging and monitoring, and regular maintenance designed to reduce risk.
No system is completely secure. We continuously work to improve the security and reliability of the Service.
Personal data breaches
We have processes to detect, investigate, and respond to suspected personal data breaches.
Where we act as a controller, we follow GDPR requirements for notifying the relevant supervisory authority when required, generally within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms.
Where we act as a processor, we notify the relevant controller without undue delay after becoming aware of a breach and provide information reasonably needed to support the controller’s obligations.
Data retention and deletion
We retain personal data only as long as necessary for the purposes described in our Privacy Policy, including security, fraud prevention, compliance, billing, tax, and dispute resolution.
As described in our Privacy Policy, listing content and related listing data are deleted 30 days after cancellation for storage and operational reasons. Certain account-level information may be retained after cancellation for legitimate business and compliance purposes.
International data transfers
Because Crosslist and its service providers may operate globally, personal data may be processed in countries outside the EEA or the UK.
Where required by applicable law, we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses and the UK’s recognized transfer mechanisms, or other lawful transfer mechanisms that apply to the relevant transfer.
Data subject rights
Individuals in the EEA, the UK, and Switzerland may have rights such as access, correction, deletion (in certain circumstances), objection, restriction, and data portability.
If you want to exercise a right or have a GDPR-related question, contact hello@crosslist.com. We may need to verify your identity before processing a request.
Contact
For GDPR and privacy questions, or to request a DPA, contact hello@crosslist.com.