- My business
- Media Library
- Scheduling product visibility
- Image Auto-sizing and Aspect Ratio
- How to add a product
- Editing full product description
- Stocked product variants
- Importing Products from CSV - Evance 4
- Importing Products from CSV - Evance 5
- Adding products to categories
- Adding related products
- Duplicating a product
- Discontinuing a product
- Adding a product supplier
- Scheduling product price changes
- Quantity based pricing
- Access role based pricing
- How to disable a product
- Adding product stock settings
- Managing product photos
- Locating products with low stock
- Adding product specifications
- Adjusting product weight
- Adding a product to a category
- Reactivating a product
- Shipping and handling
- Order desk
- Your Website's Terms
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.
What is Evance doing about GDPR?
We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them.
- We have thoroughly researched areas of our product and how our business is impacted by GDPR. Following an audit, we created an internal roadmap to work towards compliance with GDPR.
- Granular communication preference capabilities for Forms and checkout processes are now available.
- Evance now tracks Privacy and Terms versioned consent allowing new agreements if either change when users access protected pages.
- We have improved checkout processes to gain explicit Terms agreement and granular communication preferences.
Please note this is a living article and may be updated without notice.
Understanding key definitions
Before understanding what you need to do it is important to understand some of the GDPR terminology and how it relates to you and to Evance:
In Evance a "data subject" may be a visitor or a Contact. Evance stores personally identifiable information for various types of Contact.
Contacts are broken down into the following affected classifications:
At Evance we regularly review how data subjects are created and maintained by our platform. This will include the security and integrity of the data associated with all data subject types above.
It's you. As a tenant of Evance, you determine the purpose of your website and the use of facilities on our platform. You have control over the collection of personal data via checkout, newsletter subscriptions, registration processes or online forms. As such it is your responsibility to ensure data is collected and controlled ethically and in accordance with GDPR. Evance has a number of facilities to assist in your compliance.
That's us (and any other third parties you use). We process information on your behalf. This includes implementing facilities for the collection, storage and backing up of all data including personally identifiable information. Much like our commitment to PCI Compliance we're committed to secure and ethical privacy practices. Evance may not be your only data processor and you should evaluate any apps, add-ons or plugins individually (e.g. Google Analytics, Hotjar etc.).
GDPR applies to all data subjects within the European Union. Evance will be adopting GDPR compliant requirements and practices for all data subjects, regardless of their location.
We have broken data subjects' "Right to be informed" down into the following sub-sections:
GDPR and ePrivacy regulations require granular opt-in consent for using an individual's data in marketing campaigns and for each delivery method.
We have added support for granular consent to Email (email marketing), Phone (telesales), SMS (text messaging) and Post (direct mail) based campaigns/lists. This differentiation is possible within Recipient List management features. However, displaying granular consent may vary depending on your website:
- At checkout
All types of consent will be displayed during checkout. This is because all associated fields are available including email, address, mobile and phone number.
- User registration
We can only permit email based consent at registration because additional fields required for other options are unavailable at registration.
- Newsletter subscriptions
Only email consent will be permitted as our newsletter subscription system is concerned only with email-based subscriptions.
Only email consent will be permitted in forms built using our Form Builder. This is because Form Builder is not yet able to determine whether an address block or mobile phone is associated with the form. Once this is possible we shall include SMS and Post consent as appropriate. In this event you may be required to update your Forms.
Evance sets a number of cookies which are operational and do not require granular consent. You are required to inform visitors that such cookies are in use and that use of your website implies acceptance of these cookies. Evance includes a generic Cookie Consent bar on all version of Evance from version 4 and up (Evance Malachite (standalone) and Evance Razzmatazz (cloud)). However, our generic cookie consent bar is not capable of dealing with granular consent of non-operational cookies which identify individuals (not anonymous) for the purpose of marketing or advertising targeting. If you require such controls over your cookies then you should switch our generic cookie consent bar off and have your web developer implement appropriate functionality to accommodate your specific requirements.
If you are using Google Analytics with re-marketing features turned off our generic Cookie Consent bar will suffice. However, if you have re-marketing tools turned on you may need to have a custom cookie consent facility.
We use the different cookies to run Evance websites.
Evance stores a number of cookies exclusively to make feature use and recall a better experience on our websites.
For example, we store recently viewed and saved cart information in cookies for user convenience (
These cookies allow our websites to remember information that changes the way the site behaves or looks, such as your preferred locale. Blocking such cookies may make the website experience less functional but should not prevent it from working.
We collect information about how users interact with a website. This may include the pages a user has visited and whether users get error messages such as bugs on certain pages. We use session state cookies to help us improve Evance.
We use security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorised parties.
We use various domains to set cookies:
Your own preferred domain will also be used to set cookies.
Terms & Conditions acceptance
Agreement to terms may either be implied by clicking the "continue" to payment button, or explicit by including an "I agree to the Terms & Conditions" switch at the Summary page. We strongly recommend you create a Terms page and configure it within your Legal Settings.
- How to Add Terms acceptance at checkout
- How to add "I agree to the Terms" on Forms
- How to request users agree to changes in your Terms
ePrivacy Statement acceptance
This applies to checkout and Forms where granular control for communication preferences may be configured at required.
- How to gain granular communication consent at checkout
- How to gain granular communication consent on Forms
- How to request users agree to changes in your Privacy
Right to access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format (if requested).
Evance Users have access to their account information, however Guests aren't currently able to obtain such information without your assistance. We do not have any planned changes to accommodate this functionality yet.
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which
they have previously provided in a 'commonly use and machine readable format' and have the right to transmit
that data to another controller.
Currently, there are no planned dates to accommodate export of all data on data subjects. This must be done manually upon request until further notice.
Right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Evance's opt-out functionality is adequate for Recipients who wish to be forgotten. This functionality is already available. If you are using Evance's email sign-up functionality you must provide an opt-out link in your emails. We are reviewing all automated emails that apply.
Guests and/or users
Currently, we do not have self-service facilities in place for Guests or Users to be forgotten. We are still evaluating the impact on operational requirements for e-commerce orders, receipts and shipments. However, your visitors may request you soft-delete their information from within Evance. When a Contact is deleted their order history will remain archived however their details cannot be processed.
Privacy by design
Both security and privacy are high on our agenda. Because we handle financial data, Evance regularly undergoes security reviews and scans to ensure we maintain PCI Compliance. This meets with or exceeds GDPR compliance.
Data breaches & notifications
At Evance we take security extremely seriously. We break down data breaches into the following:
A breach limited to a single User.
This applies to Users of your website with a password protected account that has been compromised.
Whilst we regularly review security to protect Users at a technical level, users must take responsibility for using your website securely.
A User's account may be breached through a number of attack vectors such as social engineering, saving passwords on a shared computer, or via malware.
You should assist a User as appropriate in the event of such a breach but do not need to report it.
A breach limited to your tenant Account with Evance.
This applies to Users with administrative access to Evance.
We regularly review Account integrity and security protocols at a technical level to ensure Accounts are safeguarded against cross-account security and integrity violations. However, it is the responsibility of Tenants to ensure each User with administrative access to your Account is doing so securely and responsibly. An administrative User's account may be breached through the same attack vectors a User faces, but may also deliberately or accidentally compromise data.
A breach of your Account compromises the privacy of all data subjects directly associated with your Account.
In the event an Account breach has been identified, it is the responsibility of you as our Tenant to:
The most serious type of breach is at a Platform level affecting all data subjects across one or more tenant Accounts. This may be the result of a technical fault or a vulnerability exploit.
Security and privacy are of utmost importance to Evance. We regularly review and maintain Evance security from infrastructure to software.
Our team does not have direct access to information on data subjects within Accounts, unless you have invited a member of our team to access your Account with administrative privileges.
In the event of a Platform breach it is our responsibility as your data processor to:
As part of you own compliance you'll have some questions for us which may include:
- Where does Evance store customer data?
We use a data hosting provider (HA247) with servers located within the UK to host our online services.
- How does Evance comply with EU data export restrictions?
All data is located and processed within the UK. When we need to export data in other territories, like the United States, we ensure "appropriate safeguards" are in place prescribed by GDPR. This may include entering into the European Commission's Standard Contractual Clauses with trusted partners where data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to the US based organisations).
- What security measures do you have in place to protect data?
Security is of paramount concern to Evance. We regularly review, monitor and update security from our infrastructure through to our software. We do this to ensure we meet or exceed the requirements of GDPR and PCI Compliance.