PushBots welcomes the GDPR as an opportunity to reaffirm our commitment to the privacy and security of our customers’ data. As part of that commitment, we confirm that the PushBots service (the “Service”) will comply with the GDPR when it becomes enforceable on May 25, 2018.
Compliance with the GDPR relies on a partnership between PushBots and our customers in their use of the PushBots Platform. In order to provide transparency to our customers, this document provides relevant information regarding how PushBots will comply with the GDPR as a data processor.
Who and what does the GDPR apply to?
The GDPR applies to all organizations operating in the EU and processing “personal data” of EU residents. The definition of “personal data” under the GDPR covers any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What personal data does PushBots process as part of the Service?
PushBots processes anonymous data and pseudonymous data by default as the result of our customers’ use of the PushBots Platform. A current list of data collected in the default settings of the PushBots Platform is available to customers upon request. Anonymous data is not “personal data” and falls outside the scope of the GDPR.
Customers have the option to configure and use their account on the PushBots Platform to process personal data, such as names, location data, email addresses and other online identifiers and related analytics data. PushBots processes personal data via the PushBots Platform only as instructed by customers based on each customer’s configuration, access and use of the PushBots Platform, or otherwise as instructed in writing.
PushBots prohibits processing any sensitive personal data or “special classes of data” as defined in the GDPR as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history.
Where is data held and accessed from? What protections are in place to ensure that transfers out of the EEA to the US are adequate from an EU data protection perspective?
The PushBots Platform is operated from and the data is stored in cloud data centres located in the United States. For transfers of personal data out of the EEA to the US, PushBots enters into the PushBots Data Processing Addendum which incorporates the EU Standard Contractual Clauses.
Does PushBots use subcontractors for the PushBots Platform?
PushBots uses subprocessors for certain aspects of the operation of the PushBots Platform. Prior to onboarding subprocessors, PushBots conducts an audit of the security and privacy practices of each subprocessor to ensure that it provides a level of security and privacy appropriate to its access to data and the scope of the services it is engaged to provide. Subprocessors are re-authorized upon contract renewal or on an annual basis.
How will PushBots help if a data subject wants to exercise any of its rights in relation to personal data?
PushBots is committed to providing all necessary co-operation and assistance under the GDPR to our customers, as data controllers, to respond appropriately to data subjects exercising their rights in relation to their personal data, including:
Right to be told about how their personal data will be processed
Right of access to and correction of personal data
Right of data portability
Right to be forgotten
Right to object to processing of personal data for certain purposes
How does PushBots help meet data minimisation requirements?
At default settings, the PushBots Platform processes anonymous data, such as time zone, browser version and type, and SDK version; and pseudonymous data, including a tokenized ID specific to each separate installation of a customer’s mobile application. In addition, PushBots supports processing of anonymous data triggered by activity or tags, and pseudonymous data such as hashed IDs that may tie back to additional personal data in the customer’s systems. A current list of data collected in the default settings of the PushBots Platform is available to customers upon request. Processing of any additional data by PushBots is controlled by customers and is automated pursuant to each customer’s configuration and use of the PushBots Platform.
Is consent needed to send notifications using the PushBots Platform?
The PushBots Platform supports opt-in consents for mobile application push notifications and web notifications. Each customer must implement its use of the PushBots Platform with the legally appropriate level of consent enabled to ensure that the customer has obtained the required consent from each data subject.