With the GDPR becoming effective on May 25, 2018, and with increased awareness of global privacy rights and compliance, we at Trekksoft aspire to comply with it. This article is intended to help our customers understand where we stand with the GDPR.
What is the GDPR?
The General Data Protection Regulation (the “GDPR”) is a European data protection and privacy law adopted April 14, 2016, which became officially enforceable beginning on May 25, 2018.
The GDPR is an EU data protection law aimed to enhance individual rights and freedom, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and erase personal data.
To whom does GDPR apply?
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
How does the GDPR work?
There are many principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure a full understanding of its requirements and how they may apply to your organization. While the GDPR covers many important areas, here are a few that we believe are particularly relevant to Trekksoft and our customers:
1. Expansion of scope: The GDPR applies to all organizations established in the EU or processing data of Data Subjects, thus introducing the concept of extraterritoriality and broadening the scope of EU data protection law well beyond the borders of the EU itself.
2. Expansion of the definitions of personal data and special categories of data.
3. Expansion of individual rights: Data Subjects have several important rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. Your organization must ensure that it can accommodate these rights if it is processing the personal data of Data Subjects.
- Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
- Right to object: An individual may prohibit certain data uses.
- Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Right of access: Individuals have the right to know what data about them is being processed and how.
- Right of portability: Individuals may request that personal data held by one organization be transported to another.
4. Stricter consent requirements: Consent is one of the fundamental legal bases of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s requirements. Your organization will need to obtain consent from its subscribers and contacts for every usage of their personal data unless it can rely on a separate legal basis. The route to compliance is to obtain explicit consent. Keep in mind that:
- Consent must be specific to distinct purposes.
- Silence, pre-populated boxes, or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use, and management of their personal data.
- Separate consent must be obtained for different processing activities, which means your organization must be clear about how the data will be used when consent is obtained.
5. Strict processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their Personal Data, including:
- Contact details for the data controller.
- Purpose of the data: This should be as specific as possible (“purpose limitation”). Your organization should carefully consider what data is being collected and why, and be able to justify that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: An organization cannot process personal data just because it wants to. It must have a “legal basis” for doing so, such as where the processing is necessary for the performance of a contract, where an individual has consented (see the consent requirements above), or where the processing is in the organization’s “legitimate interest.”
What data do we collect from you and how do we process it?
At Trekksoft we collect and process the following information that you provide us in order to use our services:
Account and Profile Information
When you sign up, create a profile, set your preferences, or pay for your subscription, Trekksoft collects your name, username, password, email, address, and company information.
We use this information to correctly identify you, communicate with you, and provide you with customer support. We also use this contact information for accounting and administrative purposes, for transactional emails including app and billing notifications, and to notify you about new features, releases and blog posts.
User Created Content
While you use our services and upload content about your activities, Trekksoft stores the content you create, send, receive, and share. This includes any assets you upload to Trekksoft WebBuilder, such as images, icons, or logos.
We use this information to securely store your work, and provide access to your team members and the collaborators you designate.
Device Information and Log Data
We collect information about the type of device you use to access Trekksoft services, as well as your device settings, operating system, browser information, connection type, IP address, and the URLs of referring pages. Additionally, we log the date and time you access our services, as well as any error or crash data.
We use device and location information to help us optimize performance, provide accurate billing information, understand user demographics, and improve the overall user experience. Your log data helps us troubleshoot errors, analyze performance, and resolve reliability issues.
Our payment processors collect billing details such as credit or debit card information, banking information, and billing addresses. When a payment is processed through our payment processors, we receive only partial information about your card, and Trekksoft does not store cardholder information on our servers.
We use your payment information in order to fulfil, track, and manage your bookings.
When you reach out to Trekksoft support, you may contact our team through a third-party support platform. The information you provide to our team, including any troubleshooting documentation or screenshots, is saved as part of your support history.
We use this information to resolve any issues you are having, relay feedback to our team, and respond to your comments and requests. We also use this data to provide you with security alerts and technical notices.
Feedback and correspondence
Trekksoft collects and stores feedback that you provide to us through different channels (e.g. support surveys, website surveys, meetings).
We use this information to improve our services and provide you with a better and more usable product.
How do we store, secure, and transfer information
Third Party Service Providers
Trekksoft contracts with third party service providers. These services may require access to your information in order to help us operate, market, and support our services. For example, Trekksoft uses third party services to provide hosting, maintenance, backup, virtual computing, storage, payment processing, customer support, data analytics, advertising, marketing, and other services. Our contracts with these services provide for the maintenance, confidentiality, security, and integrity of the information we share with them.
Trekksoft takes data security very seriously and implements the industry’s best practices and policies. We take all reasonable measures to protect your information, and to prevent any kind of unauthorized access, misuse, loss, or disclosure.
The third-party service providers that we use for infrastructure and payment processing are ISO certified and PCI compliant, and they adhere to the same privacy and security principles as we do.
While no system is infallible, we strive to keep our systems secure and constantly updated.
Trekksoft stores your information for as long as your account is active, and for a reasonable period thereafter, in case you decide to use our services again. Trekksoft may also retain certain information for as long as necessary in order to support business operations, or as required by law.
International Data Transfers
Trekksoft collects information internationally and uses hosting and cloud computing infrastructure located primarily in the EU region (Ireland) to process and store information. In order to provide you with our service, we may also transfer your data to third-party services. Please refer to the List of data sub-processors for more information about why we use those third-party services and where they are located.
List of data sub-processors
| Name | Entity Location | Data Processing Purpose |
|---|---|---|
| Amazon AWS | USA | Cloud Storage Services, Cloud Email Sending Services, Cloud Infrastructure Provider |
| Experience Bank | Switzerland | Channel manager |
| Google Inc. | USA | Analytics, Online Advertising, Cloud Drive Integration, Authentication Provider |
| Elastic (Kibana) | USA | Cloud Storage Services |
| Microsoft Azure | USA | Cloud services |
| New Relic | USA | Performance Monitoring Services |
| Vonage | USA | Cloud Email Service |
| Pagerduty | USA | Incident Response Platform |
| Pandadoc | USA | Document Management Software |
| Sendgrid (Twilio) | USA | Cloud SMS Service |
| Zapier | USA | 3rd party tools integrator |
Q: Who is the owner of data that is shared/uploaded to Trekksoft services?
A: The owner of the data is the merchant; Trekksoft only processes and stores the data on their behalf.
Q: Who has access to the data?
A: All the data is secured, and only authorised people (Trekksoft employees and Trekksoft services users with the right permissions), as well as some 3rd party sub-processing tools, have access to it.
Q: Where is the data stored?
A: At Trekksoft we are using AWS cloud servers to process and store the data. Those servers are located in the EU (Ireland).
Q: Is Trekksoft PCI compliant?
A: Yes, you can obtain our PCI compliance certificate here.
Q: Can you insert a GDPR compliant Cookies Consent on your website?
A: Yes, you can do so without the help of a developer by following this guide.