loader

What is GDPR?

The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt.

The GDPR enforcement puts the control of personal data, collected by businesses, in the hands of the individuals it belongs to, protecting the rights of EU residents.The regulation delineates individuals’ rights to access, rectify, and restrict the processing of personal data, among other key provisions, and aims to unify privacy and security laws for all organizations operating within the EU.

In the context of this document, we will be focused on how to implement the different rights once invoked by the Data Subjects.

NOMENCLATURE

  • Data Subject: End Users
  • Data Controller: Upshot.ai Customers
  • Data Processor: Upshot.ai

Contractual Obligations

  1. Updated Terms of Use
  2. Updated Privacy Policy

Data Subject Rights

Right to Erase

  1. What is it?
    This right allows end users to delete all information about them from Upshot.ai servers.
  2. Upshot.ai Implementation –
    “Please refer to SDK and Enterprise API document”.
    NOTE: When profile of a user is deleted, no future data is tracked about the user. If the data subject wants to start sending the data again then Data Controllers have to ensure that the appropriate APIs / methods in the SDK or the Enterprise APIs are invoked. If this is not done, Upshot.ai will never receive ANY data of the said user again.
  3. Access Control
    Data controller can issue Disable / Enable/ Opt-out / Opt-in calls on behalf of data subjects via SDK/ Enterprise APIs. Data subjects should not invoke these APIs directly.
  4. Implications
    1. Data controller will have to stop sending future data of the profile thus suppressed
      • Once a data subject hits delete for a profile, all data coming from any device associated to the data subject will also have to be stopped. Upshot.ai SDKs have the information on which data subject has invoked the delete request, and makes a best case effort to NOT send any data about that data subject to Upshot.ai servers from any device the subject uses.
    2. Unreachable on Marketing Channels
      • Since the data of the data subject is deleted, there is no way to reach out to the data subject on marketing communication channels.
    3. Dashboard Implications
      • You will not be able to view the profile page of the said user post delete.
      • You cannot roll back erase, once called. There is no way to get the information back, once delete function is invoked.
      • The actual erasure can happen anytime within 30 days of the request, but this usually get honoured within 24hrs in most scenarios.
      • Funnels, segments, campaign stats, reports and other analytics will be impacted as the numbers may show some data inconsistency.
      • Users cannot download the profile information of the said user from anywhere on the dashboard.
  5. Default state
    Profile will be erased only on explicitly calling the appropriate method in the SDK or the enterprise API.

Right to Modify/Rectify

  1. What is it?
    This right allows users to modify/rectify any profile data stored about them.
  2. Upshot.ai Implementation
    1. API Upshot.ai has provided this API which allows Data Controllers to upload profile information of their users. Hence, if a Data Subject requests for a profile change, the Data controller can upload the profile data of the user via the API
    2. Via SDK Data controller can also use the existing SDK methods to update the profile info of the data subject.
  3. Access Control
    Enterprise API can be accessed by any entity that has access to the credentials. The responsibility of safeguarding the API credentials solely lies with the Data controller.
  4. Implication
    The old profile information will be overridden with the new profile for the given user identifier. Data controllers can only update the user profile information of an existing data subject and no new profiles can be created.
  5. Default State
    Profile will be modified only on explicitly calling it via API/ the appropriate method in the SDK.

Right to Access

  1. What is it?
    This right allows users to access data which has been captured/ received about them by the Data controllers and Data Processors (On behalf of data controllers).
  2. Upshot.ai Implementation
    a. API Download
    This API allows data controllers to invoke data download requests about specific users via identities( AppUIDs)
  3. Access Control
    Enterprise API can be accessed by any entity that has access to the credentials. The responsibility of safeguarding the API credentials solely lies with the Data controller.
  4. Implication
    Download will download the latest profile of the said user.
  5. Default State
    Profile will be downloaded on explicitly calling the download API

Right to Data Suppress (Opt Out)

  1. What is it?
    This right allows users to opt out of sharing any data with Data Processors.
  2. Upshot.ai Implementation
    1. Via the latest SDK (v 1.4)
      • In this scenario data controller should set the data Opt-out flag in the SDK for the appropriate user.Refer to SDK documentation for more details.
      • Data controller can still send campaigns to these users based on the past data captured prior to this request.
      • If data subject is logging in from multiple devices data controllers needs to ensure that this flag is set appropriately across all devices.
      • If multiple data subjects login to the same device Data controller needs to validate the user’s identify and ensure that this flag is set appropriately across all logins.
  3. Access Control
    If the SDK has been updated and the updated version app is being used by a user, all end users have this right to opt out using the mechanism provided by the controller.
  4. Implication
    1. The profile page of the user who has opted out will be stale and will not have the latest events performed by the user.
    2. While creating segments, funnels and reports past data of the opted out users will still be considered based on the date ranges selected. Appropriate care must be taken while creating segments which might include profiles of Opted out users.
  5. Default state
    1. By default, we will continue collecting profile and event data unless the SDK explicitly raises the flag.
    2. Default state: opt-out :disable i.e. we will collect data from the device by default (to be compliant with GDPR, we recommend that users set this flag to enable by default which ensure no collection of data unless explicit permission provided by end users).

Opt In

  1. If the user who has opted out, chooses to opt back in, all data will be appended to the same profile if identified as an existing user.
  2. The user will be treated as the same user (we will not create a new profile for the user).
  3. What is it?
    GDPR provides the right to the user to opt out of marketing communication.
  4. Upshot.ai Implementation
    1. Push opt out
      Our SDK has a flag ‘pushOptout’ which if set to yes, will ensure that push notifications are blocked for the specific device. When this flag is set to yes for a specific data subject identity Upshot.ai will suppress all the devices associated to the data subject.
    2. SMS opt out
      Our SDK has a flag ‘smsOptout’ which if set to yes, will ensure that sms notifications are blocked for the specific data subject. When this flag is set to yes for a specific data subject identity. Upshot.ai will suppress all the phone numbers associated to the data subject.
    3. Email opt out
      Our SDK has a flag ’emailOptout’ which if set to yes, will ensure that email messages are blocked for the specific data subject. When this flag is set to yes for a specific data subject identity Upshot.ai will suppress all the email addresses associated to the data subject.
    4. Access Control
      If the SDK has been updated and the updated app is being used by a user, all end users have this right to opt out of Marketing.
    5. Implication
      a. If the data controller wants users to be opted out of marketing communication across ALL channels, all the above flags need to be explicitly moved to yes state for the said data subject. b. Data Controllers need to be cognizant of sending transactional communication to the users who have opted out of marketing.
    6. Default state
      a. By default, we will continue marketing communication to said users, unless the SDK explicitly raises the flag. b. Default state: no i.e. we will send marketing messages by default.
  5. What is it?
    Part of the privacy by design notion of GDPR.
  6. Upshot.ai Implementation
    1. Upshot.ai does not capture any network IDs and does not report any network stats.However it captures IP address to enable security related operations ( example: Identify and prevent DDoS attacks).
    2. If data subject does not wish to enable IP based geo tracking then data controller needs to set “ipOptout” to yes using the latest version of SDK.
    3. Data controller and data subjects can still send location data (where applicable) to Upshot.i through the regular GPS based location tracking.
  7. Implications
    1. This may affect sending out geo targeted campaigns.
    2. This may affect your ability to perform geo based analytics.
  8. Access Control
    If the SDK has been updated and the updated app is being used by a user, Appropriate flags can be set via the SDK.
  9. Default State
    IP optout is set to no by default.
  10. What is it?
    Part of the privacy by design notion of GDPR.
  11. Upshot.ai Implementation
    1. Upshot.ai does not capture ADID by default however data controller can send this information to the SDK with data subjects approval.
    2. Necessary opt outs should be handled by the controller incase of data subject’s preference change.
  12. Implications
    None
  13. Access Control
    No changes in SDK required and works as is.
  14. Default State
    ADID is never collected by default by Upshot.ai SDK.
Request Demo
×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study

 






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case study






We value your privacy. We don’t share your details with any third party

×
Download Case Study






We value your privacy. We don’t share your details with any third party

×
Download Case Study






We value your privacy. We don’t share your details with any third party

×
Download Case Study






We value your privacy. We don’t share your details with any third party

×