Are we GDPR compliant?
Last modified 2020
General Data Protection Regulation (GDPR) compliance
Yes, we are GDPR compliant.
GDPR (General Data Protection Regulation) aims to strengthen data privacy and data protection for European Union (EU) citizens and must be followed by all companies that have customers from the EU. GDPR comes into effect on May 25th, 2018, and if you have EU customers, you will need to become compliant.
Is CreditSavvi GDPR compliant?
Yes. CreditSavvi achieved compliance with GDPR prior to May 25th, 2018.
Affiliate tracking, consent and GDPR
One of the biggest changes produced by GDPR is the requirement for obtaining explicit consent for processing and storing personal data. In the next paragraphs we will provide more details about how CreditSavvi tracking works and when consent is required.
CreditSavvi does the tracking in three steps:
1. tracking referral visitors and setting up the cookie
2. tracking referral leads and signups
3. tracking referral sales and commissions/rewards
We will examine these three steps individually and explain how and if they are affected by GDPR.
1. Tracking referral visitors and setting up the cookie
When someone clicks on a referral link, our script sends the referral ID (taken from the link) and a randomly generated ID to our server. After we register the visitor ID successfully, we set a cookie containing that ID. The cookie is NOT a third-party cookie (like the ones set by Facebook or ad networks), so you can handle the consent for it just like you handle all your other cookies (your own cookies, Google Analytics cookies, etc.). You should add the CreditSavvi cookies _fprom_track, _fprom_code and _fprom_signup to your cookie policy.
We DO NOT STORE the IP address of the visitor or any other personally identifiable data at this step. The random ID used to track the visit cannot be associated with any individual (directly or indirectly) until they sign up to your service and the signup is tracked by CreditSavvi (at which point you should already have the consent). If the visitor does not sign up, that visitor record remains anonymous, meaning it is not affected by GDPR regulations.
2. Tracking referral leads and signups
If an affiliate cookie is set (the visitor clicked a referral link) and you have implemented our signup tracking script or signup Tracking API, then when a signup occurs, CreditSavvi receives some information about the lead (or user) that generated the signup. By default, the information consists of the visitor ID (saved in the cookie), the IP (used only for fraud analysis), the email (optional) and another ID (called "uid").
In this case, CreditSavvi works like any other data processor you use (CRM, marketing automation tools, etc.). Assuming the user gives you consent to process their data (including through third-party data processors) when they sign up for the trial or make a purchase, there are no other steps to take.
Note: We DO NOT send any emails, social media messages or other notifications to the leads registered in CreditSavvi. We also DO NOT SHARE or RESELL the data we store about the leads to any third parties.
You can also avoid sending us the email address associated with the user if it is not really required by your affiliate program setup. You can send only the "uid" (without the email), which is the identifier required to track the sales and commissions generated by that customer.
3. Tracking referral sales and commissions/rewards
If you already have data processing consent from the user on signup (see the previous step), this step doesn't require any other consent from the user. We do not store any other personal data besides the data sent when the user signed up. We do store the order/charge ID, the sale amount and the calculated commission, but this information is not subject to GDPR.
Information we hold
There are three types of entities we store personal data for:

our customers
- email
- first and last name
- profile picture (taken from public sources)
- company name
- company website

our customers' affiliates, partners and/or brand ambassadors (promoters)
- first and last name
- profile picture (taken from public sources)
- website
- *URLs to public social media accounts (optional and only if they are provided by the user or through the API)

leads/customers referred by our customers' affiliates/promoters
- email (not always required)
- uid
- *first and last name (currently optional, but they will be removed completely after May 25th)

* for all three parties we do store the IP address for fraud analysis and data security, to:
- detect and block fraudulent sign ups
- ban IPs with suspicious behavior
- rate limit API requests and mitigate DDoS attacks associated with certain users
Data security and data breaches
We take data protection and security very seriously at CreditSavvi. We constantly monitor for security flaws and unauthorized access, and we will take action immediately if something suspicious is detected. In the unlikely case of a data breach, we will notify all of our customers within 72 hours after the breach was detected.
Some of the preventive measures we take include:
- encrypted HTTPS communication layers for all data transfers
- isolated data containers and data network
- powerful firewalls to prevent and mitigate different types of attacks and data leaks
- multiple encrypted backups at database and disk level, stored for one week
- data retention for expired trial and cancelled users of 2 years and 5 years for the rest
Data subject rights
All individual rights under GDPR will be enforced by our CreditSavvi team. We already have API endpoints and functions in the UI that cover most requests; however, you can email us at support (at) creditsavvi.com to exercise your GDPR rights, including:
- Right To Be Informed: for the parties where we act as a controller, we inform our users what we do with their data
- Right To Access: we can show all data stored about leads, customers or promoters/affiliates and how it is being used (use the form above)
- Right To Object: you can use the form above for any objection you or a user has about how CreditSavvi is processing your/their personal data
- Right To Be Forgotten: we can erase data we hold about any individual either manually(use the form above) or by API
- Right To Data Portability: we can export the data held about an individual as a CSV on request (use the form above)
- Right To Rectification: a person's data can be updated either by API, from the user account, or manually by us on request (use the form above)
Data Processing Agreements
We act as a data processor for our customers (see "Information we hold"), which means we need to provide a signed Data Processing Agreement on request. If you are a customer (paid user) of CreditSavvi and you need the DPA, please contact us via the Intercom chat widget (bottom right) and we'll send it to you ASAP.
We also requested and signed DPAs from our sub-processors and made sure they are GDPR compliant.
GDPR-ready Privacy and Cookie Policy
We updated our Privacy Policy, Cookie Policy and Terms & Conditions to be GDPR compliant. We also added cookie consent plugins to our website to make sure we store cookies only after consent is given.
Consent handling for our customers' promoters
As you probably know, CreditSavvi can send notification and engagement emails to your promoters (affiliates, partners and/or brand ambassadors) on your behalf, based on the rules set by you. Even though these emails can be considered non-marketing, we decided to add a marketing consent checkbox field to the sign up forms and a "marketing_consent" parameter to the Promoters API.
Since you are the data controller, you are responsible for obtaining the consent or deciding whether it is required. We give you the option to disable this checkbox if you consider the consent not required, and the emails will be sent as usual (giving the promoter the option to opt out).
This field is not added by default to the sign up forms of existing campaigns (created prior to May 23rd, 2018), so for campaigns created before this date you need to log in to CreditSavvi, go to Campaigns > Configure promoter dashboard > Signup page and check the "Marketing consent" checkbox in the "Required fields" section. In the "GDPR & Marketing Consent" section you can edit the label of the checkbox and include a link if required.
From the same place, you can enable the "Affiliate privacy and terms of service agreement" checkbox. As with the marketing consent checkbox, you can edit the checkbox label and link to your own affiliate terms and privacy pages (these documents are not provided by us).
Other changes we made
Besides many internal changes, increased security and the ones already presented, there are two other major changes we made to help with GDPR compliance:
- we removed the first and last name columns from leads and customers. We consider that first and last name fields are not really required, since you can easily identify the customers/leads in your database through the email or uid. If you send first and last name via the signup tracking script, you can remove them because we don't store them anymore.
- the "email" field used to track signups becomes optional if you provide the "uid". If you already pass the "uid" parameter in the signup tracking script, you have the option to safely remove the "email" parameter.