Company: GDPR

Compliance #

Clerk.io is fully GDPR compliant. This article describes everything you need to know about Clerk.io and GDPR and how Clerk.io makes it easy for you to handle GDPR requests.

Handling personal data requests #

We have made it easy for both marketers and developers to handle requests for access to personal data and requests to be forgotten.

Personal data information requests #

You can at any time see what information Clerk.io has on a customer by visiting that data subject's profile or by using our Privacy Information API.

Requests to be forgotten #

By forgetting a customer we remove any personal data we have on this data subject while preserving all non-personal data. You can forget a customer by clicking Forget Customer at the bottom of the customer's profile or by using our Privacy Forget API.

Remember to remove the personal data from any system interacting with Clerk.io before issuing the Forget Request to Clerk.io.

Due to backup and security measures it can take up to 30 days before all personal data is purged from our platform. If we at any time need to use such a backup to recover lost data, personal data will be restored. In such a case you will be informed and will have to re-issue all Forget Requests issued in the last 30 days.

What personal data is collected by Clerk.io #

As a data controller you are fully responsible for informing your data subjects about how their personal data is being used and for using Clerk.io in a compliant manner.

Clerk.io can be fully configured to only collect the personal data you want; by default we collect the following:

  • The pages you visit.

  • The content you see via Clerk.io.

  • The clicks on content via Clerk.io.

  • The products in the orders you placed (if any).

  • Your email address, but only if the store explicitly enables it and you give explicit consent to the store processing your e-mail for e.g. marketing purposes.

Visitor data is stored for between 1 and 12 months, depending on the frequency and length of your visits and the need for legal documentation of compliance with the GDPR.

How we handle personal data #

Clerk.io has been built from the beginning with privacy and security in mind, and we already do the following:

  • All personal data is stored and processed in Germany, with a backup of the data stored in Ireland.

  • Any personal data is stored in isolated databases to enhance data separation between our customers.

  • We ensure that any of our service providers that can get into contact with personal data keeps this data within the EU.

  • We conduct routine vulnerability scans and penetration tests of our entire platform.

  • We ensure and monitor that our employees only have access to personal data when it is needed to perform their job.

In anticipation of GDPR, Clerk.io has added the following features before May 25, 2018:

  • We added a standard Data Processing Agreement.

  • We have enabled the ability to remove all of a user's personal information both via our API and our UI.

  • We have obtained a third-party GDPR certification both as Data Controller and as Data Processor.

Managing customer data #

Important: Before removing a customer from Clerk.io, remember to also remove them from your webshop platform, so the data does not get synced again.

As a data processor, Clerk.io stores customers' email addresses, purchase history and click history, which is sensitive data. In response to GDPR we have made it very easy to check this data and to remove the customer's email address and click history from an order, thereby keeping the order data but making it anonymous. This is called Forgetting a Customer.

In my.clerk.io #

To see a customer's profile, start by logging in to my.clerk.io and search for the email address of the customer you want to Forget:

This lets you see the orders and recent activity of this customer.

At the bottom of the page you will see the Forget Customer button:

Click this button, and confirm the action:

This way, you keep the data from the order to optimise Clerk.io, but without any personal data attached to it.

With API #

You can also use our API endpoints to check and delete customer data dynamically as part of your existing process:

The GDPR Dashboard #

In your my.clerk.io backend, you will also be able to find a dedicated GDPR dashboard.

The GDPR Dashboard offers an always-up-to-date overview of the data you are sending to Clerk.io, and which Sub-Processors are using that data to optimise the results you show to customers.

Sub-Processor #

Clerk.io uses a number of Sub-Processors to store and use the data that you send.

The Sub-Processors that are used depend on which Clerk.io products and features you are using. Any Sub-Processors that are using your data are highlighted in green.

Data #

Since a Company can have any number of Stores, the data section is sorted by the data that is accessible in each Store respectively.

Each data type is indicated with a green checkmark if the corresponding Store has access to that data type.

Website Browsing History #

The Store successfully tracks Visitor IDs and associates behaviour with it.

Purchase Preferences #

The Store is able to identify customers and can generate recommendations based on preferences. Preferences are based on a customer's clicks or previous purchase history.

E-Mail Address #

The Store has access to email addresses of customers.

Order History #

The Store has access to historical order data, independent from the ability to identify customers.

CRM #

The Store has access to customers, independent from the ability to identify customers.