As of May 25th, 2018, the General Data Protection Regulation is in effect. The GDPR aims to give control of personal data back to the citizens while harmonizing the data protection regulations throughout the EU. At iPaper, we have been following the GDPR closely and have been making a number of changes to our product and processes. This is to ensure that we are fully compliant with the GDPR and that our customers can remain compliant with the GDPR while using iPaper.
Data subject: This is the individual person for whom you may gather and store data.
Data controller: This is the iPaper user who is ultimately responsible for controlling the data of the data subjects.
Data processor: This is iPaper, who processes the data of data subjects as asked by the data controller.
The GDPR forces all data controllers to document their processing of data and to ensure that any processors they use also live up to the GDPR. We have made a Data Processor Agreement (DPA) that documents what data we process as well as how we process it. To access our DPA, please sign in to your iPaper account. On the right-hand side of the screen, click the 'Home' icon and select "Legal & Compliance" from the drop-down menu. There you will find a link to the DPA.
If you are not already a customer and would like a copy of the DPA, feel free to write to support@ipaper.io.
To ensure that the iPaper product is compliant with the GDPR and to give you the tools to ensure your own compliance with GDPR, we have implemented a number of product changes.
One of the main tenets of the GDPR is to increase transparency and ensure that the data subject consents to any use of personal information. While it is possible to add consent checkboxes to most iPaper forms, we are building it into the product directly, ensuring any stored consents are valid. Going forward, it will be possible to include a required consent option when designing Forms & Pop-ups in iPaper. When the data subject gives consent, we store that fact along with the actual text the data subject gave consent to, enabling you to document the consent given at a later time.
While cookie consent and GDPR are not directly related, cookies may still be used to store personally identifiable information and thus be covered by the GDPR. At iPaper, we do not store any personally identifiable information in cookies, just as we do not use cookies to track data subjects. Cookies are only used for necessary functional purposes and to store aggregated usage statistics for analytical purposes. iPaper does, however, integrate with a number of third-party marketing systems that can be enabled on an optional basis.
We allow you to inform the data subject about what types of cookies are set during the use of the flipbooks.
We use the IP address of data subjects to determine their geographical location on a regional basis as well as to protect against fraud and misuse. We will no longer store exact IP addresses. Once we have used the raw IP temporarily, it will be discarded and only a generic non-unique part of the IP address will be stored for logging purposes.
iPaper has never been used or intended as a permanent storage location for personal data. Newsletter signups are forwarded to customers' marketing systems shortly after signing up. Shop orders are sent directly to customers' ERP systems or forwarded as emails to sales staff. Competition signups are exported to Excel on a weekly basis. As such, there is no reason for this data to stay in iPaper for longer than necessary.
To ensure no data is forgotten in iPaper, we will start automatically deleting any data that may contain personally identifiable information after a three-month period. This leaves ample time to export the data into the customer's own systems while still keeping a backup in iPaper for three months.
Aggregated data will not be deleted. All statistics, visitor analytics, heatmaps, conversion rates, etc. will thus be stored forever. None of this data can be pinpointed to any individual person and is thus not in the scope of GDPR. So what will be deleted?
Besides increasing the control on how data is stored and processed, the GDPR also ensures that data subjects own their own data. This gives the data subjects control over their own data, granting them the right to access their own data, to correct their own data, and to request their data to be deleted (i.e. forgotten).
You can export all data from your iPaper account and thus provide relevant data to the data subject.
The automatic deletion of data will ensure that no historical data is stored, leaving only the most recently submitted data in iPaper. If you need help in removing a specific data subject's data, reach out to support@ipaper.io and we will help you out.
Most data submitted by data subjects cannot be edited directly. If you need help in correcting any of this data, please reach out to support@ipaper.io and we will help you out.