GDPR and Data Privacy

Josh Chamberlain
Josh Chamberlain
  • Updated

Data Privacy

General Data Protection Regulation (GDPR)

Whiplash is an advocate for privacy and transparency in data collection. We believe that the set of regulations that make up GDPR will benefit consumers. In the GDPR framework, Whiplash is a data "processor", and our the store operators that make up our client base are data "controllers".

GDPR provides a set of rights to consumers ("data subjects")  to citizens of the European Union. Those rights are:

Lawful Basis of Processing

You need to have a legal reason to collect someone's data. The consumer data Whiplash receives from store owners pertains directly to performing the activities described in our contracts with store owners. The legal basis of processing this data is "Contract".

For our client's themselves, Whiplash collects information needed to bill for services and perform other tasks necessary to satisfy the contract. Whiplash will not use, share, or otherwise distribute the data it receives from store owners except when it is explicitly necessary to satisfy the terms of the contract.

Withdrawal of consent

Consumers need to be able to see what they've given consent for, and to opt out just as easily as they opt in. This falls onto the shoulder's of our clients.

Our clients can see the data we have collected for them. Because the data we collect from our clients is necessary to fulfill our obligations under the contract, access cannot be revoked without closing the account.

Cookies

Consumers need to be given notice that you're using cookies to track them, and they need to provide consent.

Prior to May 25, 2018, Whiplash will update our public website to satisfy this requirement.

Deletion

Consumers have the right to request that you delete the personal data you have about them. This includes permanent removal from your database, email tracking history, call records, form submissions, and more. The right to deletion depends on the context of the request, and allows for up to 30 days to respond to the request. The request may be rejected, if there is a lawful basis for doing so.

When our store owner's are presented with a deletion request, they will need to relay that request to Whiplash to delete the consumer's data.

  1. v1 API Orders#anonymize. This endpoint will replace all name, email, and phone fields with an anonymized token to detach the order's history from the consumer.

  2. v2 API Orders#anonymize.

  3. In the dashboard, any order over 30 days old will have an Anonymize option

  4. In the dashboard's Bulk Update feature, an Anonymize option will be available to detach multiple orders from consumers at once.

3rd Parties

To satisfy the terms of our contracts, Whiplash may share the data it has received with 3rd parties, such as:

  • Parcel carriers (e.g., UPS, USPS, FedEx, etc)

  • Database and hosting providers (e.g., Amazon Web Services, Heroku)

  • Business Intelligence tools (e.g., Periscope)

  • Customer service providers (e.g., Intercom)

  • Email list management providers (e.g., Mailchimp)

  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. We may acquire or merge with other businesses. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.

Upon receipt of a deletion request, Whiplash will relay the request to all 3rd parties Whiplash has shared your data with.   

Access / Portability

Consumers have the right to to access the personal data you have saved about them. Existing features in Whiplash, such as Search and Export, are already GDPR compliant, and will continue to operate as they do today.

Modification

Consumers can request to have their data modified if it's inaccurate or incomplete. This is possible today using existing tools.