What is gdpr?

As of May 25th, 2018, the General Data Protection Regulation is in effect. The GDPR aims to give control of personal data back to the citizens while harmonizing the data protection regulations throughout the EU.

At iPaper, we have been following the GDPR closely and have been making a number of changes to our product and processes. This is to ensure that we are fully compliant with the GDPR as well as ensuring that our customers can remain compliant with the GDPR while using iPaper as well.

Terminology

  • Data subject
    This is the individual person for whom you may gather and store data.

  • Data controller
    This is the iPaper user who is ultimately responsible for controlling the data of the data subjects.

  • Data processor
    This is iPaper who processes the data of data subjects as asked by the data controller.

Data processor agreement

The GDPR forces all data controllers to document their processing of data and to ensure that any processors they use also live up to the GDPR. We have made a Data Processor Agreement (DPA) that documents what data we process as well as how we process it. To access our DPA, please sign in to your iPaper account. To the right hand side of the screen please click the 'Home' icon and select "Legal & Compliance" from the drop down menu. There you will find a link to the DPA.

 

image (1)

If you are not already a customer and would like a copy of the DPA, feel free to write to support@ipaper.io.

product changes

To ensure that the iPaper product is compliant with the GDPR and to give you the tools to ensure your own compliance with GDPR, we have implemented a number of product changes.

Consent storage

One of the main tenets of the GDPR is to increase transparency and ensure that the data subject consents to any use of personal information. While it is possible to add consent checkboxes to most iPaper forms, we are building it into the product directly, ensuring any stored consents are valid. Going forward, it will be possible to include a required consent option when designing Forms & Pop-ups in iPaper. When the data subject gives consent, we store that fact along with the actual text the data subject gave consent to enabling you to document the consent given at a later time.

Status: Implemented - Already available

Cookie consent banner

While cookie consent and GDPR are not directly related cookies may still be used to store personally identifiable information and thus be covered by the GDPR. At iPaper, we do not store any personally identifiable information in cookies, just as we do not use cookies to track data subjects. Cookies are only used for necessary functional purposes and to store aggregated usage statistics for analytical purposes. iPaper does however integrate with a number of third party marketing systems that can be enabled on an optional basis.

We allow you to inform the data subject about what types of cookies are set during the use of the flipbooks.

Status: Implemented - Already available

Anonymization of IP-addresses

We use the IP address of data subjects to determine their geographical location on a regional basis as well as to protect against fraud and misuse. We will no longer store exact IP-addresses. Once we have used the raw IP temporarily, it will be discarded and only a generic non-unique part of the IP address will be stored for logging purposes.

Status: Implemented - Already available

Automatic deletion of data

iPaper has never been used or intended as a permanent storage location for personal data. Newsletter signups are forwarded to customers' marketing systems shortly after signing up. Shop orders are sent directly to customers' ERP systems or forwarded as emails to sales staff. Competition signups are exported to Excel on a weekly basis. As such, there is no reason for this data to stay in iPaper for longer than necessary.

To ensure no data is forgotten in iPaper, we will start automatically deleting any data that may contain personally identifiable information after a three-month period. This leaves ample time to export the data into the customer's own systems while still keeping a backup in iPaper for three months.

Aggregated data will not be deleted. All statistics, visitor analytics, heatmaps, conversion rates, etc. will thus be stored forever. None of this data can be pinpointed to any individual person and is thus not in the scope of GDPR. So what will be deleted?

  • Pop-up conversions - E.g. the values submitted by the data subject. Conversion numbers & rates will still be stored.
  • Form submissions
  • Shop email checkouts - Statistics, flipbook & product-level revenue is still stored. The customer data attached to the order will be deleted after the three-month period.
  • Cards created using the Card Generator

This auto-deletion policy is in effect from May 25th and the first deletion of data will thus occur on August 25th, 2018. At this point, any of the above data that is more than three months old will be deleted on a daily basis.

Status: Implemented - First deletion occurs on August 25th, 2018

Data subject rights

Besides increasing the control on how data is stored and processed, the GDPR also ensures that data subjects own their own data. This gives the data subjects control over their own data, granting them the right to access their own data, to correct their own data, and to request their data to be deleted (e.g. forgotten).

  • Right of access
    You can export all data from your iPaper account and thus provide relevant data to the data subject.

  • Right to be forgotten
    The automatic deletion of data will ensure that no historical data is stored, leaving only the most recently submitted data in iPaper. If you need help in removing a specific data subjects data, reach out to support@ipaper.io and we will help you out.

  • Right to rectification
    Most data submitted by data subjects cannot be edited directly. If you need help in correcting any of this data, please reach out to support@ipaper.io and we will help you out.