As a data and analytics company, Divvit takes pride in taking every measure so that our merchants’ data is as secure and private as it can be.
With the GDPR, we feel it’s our duty to inform you of how we’re staying compliant and just what we’re doing to protect your data.
How we’ve prepared:
The good news is that we’ve built our company with the GDPR in mind. The GDPR was approved by the EU on April 14, 2016, before we were open to the public. From our first Terms and Conditions and Data Privacy agreements, we have taken the GDPR into account.
We have been in close contact with our Data Privacy advisor, who has reviewed our company from a Data Privacy perspective, and we have teamed up with a legal team to make sure that we were compliant at every step of the way.
Divvit’s Roles within the GDPR
Divvit falls into two unique categories under the GDPR when it comes to Data Privacy.
- Data Controller: for the personal data collected from our direct users (merchants)
- Data Processor: for the personal data from the visitors of our users (our merchants’ customers)
As the Data Controller for our merchants, we hold ourselves to the following responsibilities and offer our users the following rights:
- Collecting Consent: We are completely clear and transparent about how we use the data that we collect from our users when we ask for consent. We have chosen to comply with the GDPR by requiring an active opt-in to our Terms and Conditions and Data Privacy Processing, with a link to these aforementioned documents.
- Right to Access: Our users are able to access the processed data that we have collected on them at any time upon request. Simply contacting us at GDPR@divvit.com is enough to get access to this data.
- Right to Rectification: Our users have the right to correct any inaccurate personal data concerning them, or to complete incomplete data. Our users can notify us of any inaccurate personal data at GDPR@divvit.com at any time, and we will correct it without delay.
- Right to Erasure: Our users have the right to be forgotten, and we are obliged to erase any personal data on our users upon request at GDPR@divvit.com, or when the data is no longer relevant to the original purposes for processing.
- Right to Data Portability: Our users have the right to obtain the data concerning them in a “commonly used and machine readable format” and the right to transmit that data to another controller. Requests for this can be made at GDPR@divvit.com.
As a Data Processor for the visitors and customers of our users, we have different responsibilities. Our users become the Data Controllers, and we function as Data Processor.
This ultimately means that our users, as Data Controllers, carry the responsibilities toward their visitors. The distinction between our role toward our users and our role toward our users’ visitors is important, as the GDPR places the primary responsibility for compliance on the Data Controller.
This means that if consent is revoked for one of your customers or visitors, it is your responsibility to comply with erasing, rectifying, and providing that data to your users. It also means that you need to notify us, as your Data Processor, so that we can remove the data from our servers.
Our responsibilities as Data Processor include:
- We can only process personal data on instructions from the Data Controller (our users), and we will inform the Data Controller if we believe that these instructions infringe on the GDPR.
- We need written permission from the controller before engaging a subcontractor.
- We will delete or return all personal data to the controller at the end of the service contract upon request at GDPR@divvit.com.
- We will enable and contribute to compliance audits by the controller or representative of the controller.
- We take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, with regular security testing.
- We will notify Data Controllers without delay upon learning of data breaches.
- We will restrict personal data transfer to a third country or international organization unless the controller has provided appropriate safeguards.
What we do with the data we process:
The purpose of the data that we collect and process is crucial for GDPR compliance. We have defined our purpose as:
“To enable the features of our service as described in the applicable Service Descriptions, including but not limited to:
- Enabling tracking of our user’s customer from his or her first visit on the user’s webpage until the first purchase is made, including tracking of information about the products bought, etc.
- Enabling monitoring of our users’ customers’ lifetime value, the number of purchases made, etc.
- Enabling identification of our users’ customers across multiple devices.
- Enabling segmentation of our users’ customers, for example “large customers” or “one time customer.”
- Enabling the use of the above segmentation when communicating with the customers via email, customized ads, or directly on the user’s webpage.”
What kind of data we collect:
All of the data that we collect is integral to providing our services to our users, and we want to be transparent about exactly what we collect, when, and why.
When it comes to the data about page views of our user’s visitors, we collect the following data:
- IP address
- Current URL
- Referrer URL
- User ID Cookie
- Page load time
When it comes to the orders of our users, we collect the following data:
- Customer name
- Customer ID
- Payment method
When it comes to data about the users’ visitors’ carts, we collect the following data:
- Added and removed products, and their prices
Concerning data privacy and security, Divvit has always been over-compliant because we take data seriously. From the time we started our company, privacy and security have been a top priority in everything we’ve done.