GDPR

What is GDPR?

The General Data Protection Regulation is the latest regulation from the European Union (EU) to protect the privacy of its citizens and residents. The regulation goes into effect on May 25th, 2018.

The GDPR Alliance posted an article titled "The General Data Protection Regulation (GDPR) In A Nutshell" that outlines the GDPR in these simple terms:

  • Applies to personal data — any data that relates to or can be used to identify a person in any way.
  • Controls what can be done with personal information.
  • Requires that consent is given or there is a good reason to process or store personal information.
  • Gives a person a right to know what information is held about them.
  • Allows a person to request that information about them be erased and that they are ‘forgotten’ — unless there is a reason not to do this — e.g. a loan account.
  • Makes sure that personal information is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
  • If data is lost, stolen or is accessed without authority, the authorities must be notified and possibly the people whose data has been accessed may need to be notified also.
  • Data cannot be used for anything other than the reason given at the time of collection.
  • Data is securely deleted after it is no longer needed.
  • Allows national authorities to impose fines on companies breaching the regulation.

For more information, here is the full GDPR.

***

What do you need to do?

If you are a "data controller" (a business that works with CartStack or is thinking about working with CartStack) you are on the right page. First, we ask you to review the GDPR Legislation and the definition of Personal Data. Next, please view the appropriate column in the table below based on where your account was created.

| | EU/EEA ACCOUNTS | REST-OF-WORLD ACCOUNTS |
|---|---|---|
| Website Tracking | Since explicit opt-in is required under GDPR, you will need to make sure there is a consent checkbox on your website wherever you capture emails. You will need to contact us (support@cartstack.com) to let us know where this consent checkbox is located, so we can make sure our system only tracks users that have consented. | Decide if you want to track EU website visitors. If not, you can turn on "Ignore EU Visitors". If yes, you will need to comply with the directions to the left (EU/EEA Accounts - Website Tracking). |
| IP Addresses | No action is required. We anonymize or exclude IP addresses automatically, according to local law. | You may wish to anonymize IP addresses (contact us for instructions on how to do this). Anonymization removes the last octet of the IP address. |
| Explicit Consent | You need to obtain explicit consent to track and send emails to EU/EEA users. See the "Website Tracking" row above for more information. | You may need to obtain active and explicit consent to track users on your site. We recommend checking the laws and regulations that apply to your website(s) and obtaining legal advice. |
| Opt-Out | You may be required to offer an opt-out for tracking on your website, depending on local laws/regulations. | You may be required to offer an opt-out for tracking on your website, depending on local laws/regulations. |

***

What do we do?

| | EU/EEA ACCOUNTS | REST-OF-WORLD ACCOUNTS |
|---|---|---|
| Data Protection Officer | Brett Thoreson, CartStack LLC, 860 Blue Gentian Rd, St Paul, MN 55211. Email: support@cartstack.com. Phone: 888-363-3647 | Brett Thoreson, CartStack LLC, 860 Blue Gentian Rd, St Paul, MN 55211. Email: support@cartstack.com. Phone: 888-363-3647 |
| Dispute Resolution | Yes (contact us) | Yes (contact us) |
| Data Processing Agreement | Yes (contact us) | Yes (contact us) |
| Encryption in Transit | All Data | All Data |
| Data Separation | We never send data outside the region in which it is originally stored (Europe/EEA). | We never send data outside the region in which it is originally stored (United States). |
| No Keystrokes | All Visitors | EU/EEA Visitors |
| IP Addresses | Automatically Anonymized (EU/EEA) | Optional |
| Security Policies & Training | Yes | Yes |

***

How does GDPR affect specific features?

| | EU/EEA ACCOUNTS | REST-OF-WORLD ACCOUNTS |
|---|---|---|
| Cart Abandonment Emails | You can use this feature, but you must add a consent checkbox to any form where you capture email addresses. | You can use this feature as is (without explicit consent).* |
| Browse Abandonment Emails | You can use this feature, but you must add a consent checkbox to any form where you capture email addresses. | You can use this feature as is (without explicit consent).* |
| Send My Cart Campaigns | You can use this feature as is (since the email capture is explicit consent). | You can use this feature as is (since the email capture is explicit consent). |
| Exit Intent Pop-up Campaigns | You can use this feature as is (since the email capture is explicit consent). | You can use this feature as is (since the email capture is explicit consent). |
| Live Session Recording | This feature is not available for EU users; however, please contact us if you'd like us to refer you to a 3rd-party solution that provides this technology in a fully GDPR-compliant way. | You can use this feature as is.* |
| Browser Push Notifications | You can use this feature as is. | You can use this feature as is. |
| Real-Time Notification Emails | This feature is not available to EU users. | You can use this feature as is.* |
| Cookie Pool | This feature is not available to EU users. | You can use this feature as is.* |
| Data API & Webhooks | You can use this feature as is (as long as you get explicit consent from users). | You can use this feature as is.* |

* If you are outside of the United States we recommend checking the local laws and regulations that apply to your website(s) and obtaining legal advice about user consent.

***

Questions?

Please email us at support@cartstack.com.

Note: This page is not intended to provide legal advice. We recommend you consult your own legal counsel.