In short, is Maropost Merchandising Cloud (formerly Findify) GDPR-compliant?
Yes!
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a regulation in EU law on data protection and privacy for all individuals within the EU and also addresses the export of personal data outside the EU.
The goal of this regulation is to give control to citizens and residents over their personal data. It also aims to simplify the regulations for international business by unifying the regulation within the EU.
GDPR took effect on May 25, 2018. It replaced the 1995 EU Data Protection law.
What steps has Merchandising Cloud taken to comply with GDPR regulations?
At Merchandising Cloud, we have a firm commitment to complying with all aspects of the GDPR regulations. Below are the actions we’ve taken to do so:
- Mapping of our security and privacy measures
- Datastore mapping
- Updated our privacy policy with the GDPR provisions
- Added a Data Processing Addendum (DPA)
- Notified customers about the changes and the DPA
1. Supporting Data Subject Rights
As a data processor, we are giving you the tools to support data subject rights:
- Right of access and data portability
- Right to be forgotten
- Right to restrict processing
2. Obtaining Consent
Merchandising Cloud uses cookies to provision its services to you by setting a cookie in your visitors’ browsers. As a data controller, you are required to obtain consent from your visitors in order to comply with the European laws on data protection.
This page provides some advice on how to obtain consent and what to do in case the end-consumer does not consent.
3. Privacy by Design
Merchandising Cloud builds products with privacy and security central in its design.
This page summarizes the security measures that we have put in place to protect customer data, covering:
- Compliance and Certification
- Infrastructure
- Business Continuity
- Data Security and Privacy
- Application Security
- Corporate Security
GDPR FAQ
Do we process personal data?
Yes, we store or process the type of data stated in our Privacy Policy and Data Processing Addendum. While the data does not directly identify individuals, we do use online identifiers, such as cookies. We do not process sensitive information such as gender, health, religion or political views.
I want to use Merchandising Cloud but I do not want Merchandising Cloud to process any personal data. Can I still use the service?
Our products rely on user data to feed our machine learning algorithms. That is to say, our algorithms need this data to learn. In addition, our 1:1 real-time personalization requires us to anonymously identify where a request is coming from. This gives us the ability to return products relevant to a specific person. Without the data that we collect, we would no longer be able to do this.
However, if you do not wish to allow Merchandising Cloud to process personal data, our service will fall back to the non-personalized version.
I do not want Merchandising Cloud to gather data for a specific session. How can I do this?
You can accomplish that by setting the cookie findify_optout to the value 1. Our analytics library will then detect that you did not consent to the analytics tracking and will not send your personal data to our service.
For more information on how to set up the cookie, please visit this section.
Where does Merchandising Cloud store my data?
We store the data we collect in the cloud services provider Amazon Web Services (AWS). Our servers are located in the United States.
Since Merchandising Cloud transfers data to the US, is it part of Privacy Shield?
No. Privacy Shield is a certification program that applies to US-based companies. Because Merchandising Cloud is an EU-based company, we are not part of the Privacy Shield. However, our sub-processors such as AWS and others (see the Subprocessors section) are in fact part of the Privacy Shield.
Does Merchandising Cloud offer a Data Processing Addendum?
Yes, the Data Processing Addendum is part of our Terms and Conditions. Moreover, our Data Processing Addendum is available to all of our customers to review upon request. To obtain a copy of our DPA, please contact us at privacy@findify.io.
How long does Merchandising Cloud store the personal data of data subjects?
We store personal data for a period of 2 years. However, at any point in time, if a data subject wishes to remove personal data from our system, they can do so by submitting a request to us. More details are in the section “Can a data subject access the data you collect about them?”.
Can a data subject access the data Merchandising Cloud collects about them?
Data subjects have the right to access their personal data by submitting what is known as a personal information access request. To request access to the data we have collected on a specific data subject, on behalf of that subject, please follow the instructions explained in this section.
Can a data subject request the removal of all their personal data from the Merchandising Cloud system?
Yes. To request the removal of personal data of a specific data subject from our system, on behalf of that subject, please follow the instructions explained in this section.
When an email request for data removal has been submitted, the following happens:
- We will clear the uniq_id and visit_id from all the data collected, making it impossible to trace the data back to a consumer.
- This process will take up to 30 days because we need to remove the personal data from our long-term storage.
NB: If a data subject requests that their data be removed from our system, but then in the future opts in to analytics tracking again, we will begin collecting data on this subject again. We give our merchants a JavaScript snippet that they can copy and paste into their consent banner so that the customer can opt out completely from analytics tracking.
Once a request is submitted, we will remove all personal data that we’ve collected on that data subject from our system.
Does Merchandising Cloud use subprocessors to further process end-consumer data?
Yes. We work with the following set of subprocessors:
Who can I contact with questions regarding GDPR?
We encourage you to review this FAQ page first, in addition to our Privacy Policy, as it includes many commonly asked questions. However, we also understand there are circumstances where it may help to connect with us directly. For more information, please contact us at privacy@findify.io.
Additional Resources
Data Processing Addendum
We have updated our DPA to ensure compliance with all GDPR-specific requirements. The DPA enables our customers to comply with the GDPR.
List of subprocessors
The list of sub-processors can be found here.
Privacy Policy
We updated our privacy policy.