Security & Data Protection

If you sell/offer products or services to customers based in the EU, you must adhere to General Data Protection Regulation (GDPR).

This page provides a summary of our work towards GDPR compliance and tutorials on how Voucherify implements particular GDPR procedures.

Shortcuts

What is GDPR?

The General Data Protection Regulation (GDPR), a European privacy law approved by the European Commission, is an attempt to strengthen, modernize EU data protection law, and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it's giving EU citizens and residents control over their personal data while simplifying the regulatory environment for international businesses that operate in the EU.

The authors of this regulation introduce the concept of “data minimization” which forces companies to:

  • Collect as little information as they need to run the business.
  • Inform customers about every way their data will be processed (including 3rd party providers).
  • Enable customers to delete, export, or update their data at any point in time.
  • And finally – gain a customer’s unambiguous consent for every data processing activity.


Voucherify’s commitment to data privacy and GDPR compliance

Voucherify is a GDPR compliant Data Processor. To find detailed security and data protection measures we have implemented, visit our legal section. Below there is an overview of what we have done to meet the regulation requirements.

  • Data Processing Addendum - we offer a data processing addendum (DPA) for our customers who collect data from folks in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.
  • GDPR-ready contracts with third-party vendors - Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners which subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be certain that your data are neither stored nor processed in a non-secure environment.
  • Email consent - you can control which information you want to receive from Voucherify. The contact preference center provides fine-grained controls to activate and deactivate various notification for you and your team.
  • Employee training -  Data Protection Officer ensures that all employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks. Moreover, Voucherify team access is controlled by a carefully managed and audited security policy.
  • Updates to our Terms and Privacy - we’ve introduced updates to our Terms of Service and Privacy Policy to ensure we are fully compliant with the GDPR. We openly describe what personal data we are collecting, processing, why, how we use it, who we share it with and how long we store it.
  • Risk Assessment - Data Protection Impact Assessment process guarantees that Voucherify team considers data protection risks identification and minimization of its priority. Every change to the software, organizational procedures, or tooling triggers privacy due diligence. If any risk is identified, the team collaborates on a solution to mitigate the consequences for our clients and their end-customers.
  • Data Access, Portability and Deletion - new features have been introduced to stay in line with data regulations for the right of portability, to be forgotten, and to rectification, see the section below for details and tutorials.

Data Protection Officer

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and gearing up for GDPR. If you have any questions, please don't hesitate to reach out.


How to execute GDPR procedures in Voucherify?

How to remove your account permanently

There are two ways you can delete your account permanently:

  1. Submit a ticket through the support page and our team will take care of removing your account and all underlying data from the data center and 3rd party providers.
  2. You can also use this API method that allows users to permanently remove their data from Voucherify.

How to remove a team member permanently

Option 1: The organization administrator can remove a team member by reaching out to support team through the support page.

Option 2: The organization administrator can remove user data permanently from the Voucherify system by using the web application interface. The steps to be taken by the administrator are as follows:

  1. Log in to the dashboard.
  2. In the Team settings, find a user you want to remove.
  3. Run “Remove Permanently” and confirm the operation.

How to remove/update a consumer (end-customer) permanently

Option 1: The organization user can request data removal by the Support Team. They can do this by submitting a ticket and providing “id”, “source_id”, or “email address” of the consumer to be removed.

Option 2: The organization user can remove consumer data permanently from the Voucherify system by using web application interface. To do so, the user has to find a given consumer in the Customer view and click Remove Permanently button.

Option 3: A consumer can directly reach out to Voucherify Support Team to remove/update their data. To perform removal/update, the consumer has to submit information which allows the Support Team to identify a corresponding organization and records. In case of such incident, the organization administrator will be notified.


How to export your data

You can export all of your data, individual customers, subsets of customers or specific time periods as CSV or JSON files.

Option 1: Dashboard - see the tutorial.

Option 2: API - see the reference.


How to add contact details for EU Representative and Data Protection Officer

You can find sections for contact details in your Team settings.

Contact with EU Rep - Person designated, where applicable, to represent customers not established in the EU with regard to their obligations under the General Data Protection Regulation (GDPR).

Contact with DPO - Person designated, where applicable, to facilitate compliance with the provisions of the GDPR, which defines the criteria and the conditions under which a data protection officer shall be designated.


How to remove customer data by using the dashboard

You can permanently delete any customer history from Voucherify to comply with European data protection laws (GDPR). 

Go to the Team Settings (1) and choose the tab 'Delete People Data' (2).

Search for active customers or people you have already archived from customers list within the current project (3).

Choose the bin icon and confirm to remove a customer history permanently (4).

Adding marketing permissions

The Brand Details and Marketing Permissions tabs allow you to add all necessary marketing information and data protection clauses in compliance with the GDPR and other data-related policies in order to receive explicit consent of your end-customers to data processing. 

Brand Details

In this tab you will be asked to provide the name of your brand (1), physical mailing address (2) and contact information (3). The provision of these details is obligatory as international law states that all marketing emails must include physical mailing address and contact information of your brand. Here you may also provide a URL to your own Privacy Policy and Terms of Use, customizable permission reminder which helps avoid false spam reports and your website URL (4). Lastly, you may also upload the logo of your brand (5). 

Note: Information provided in this tab will be automatically placed in the footer of any Voucherify template you’ll use. 

Marketing Permissions

This tab allows you to add your own opt-in consents and group them. It is important to remember that in accordance with the GDPR, consent has to be opt-in which means that it should be freely given and that neither pre-checked boxes nor customers’ silence are equal with consent for personal data processing. Here you may fill in all the details of the consent (name, category and description). These details will help you find, categorize and group them effortlessly. After creating your first consent, you will be able to see it in the field below Opt-in Consents form. 

This tab also grants you a possibility to group your consents and to place them in Voucherify templates. 

Where can I use the marketing permissions I’ve just created?

You will be able to choose between particular consents while working in the Distributions Manager. In the picture, you may see both the Distributions tab and a drop down list with consents that you’ve created for the particular project. You will be asked to provide marketing permissions on the 3rd step of the Distributions Manager "Choose your audience" so that you may segment your audience accordingly. 

Your marketing permissions will also be available in the landing page templates guaranteeing quick and easy customization of your dream landing page. In the landing page Designer you are going to see a preview of your marketing permissions which are going to be presented in the form of checkboxes. 

In order to customize the consents form, go to the Form tab (1.) and choose Marketing Permissions Group that you’ve created (2.). Note that you may mark this consent as optional or obligatory. 

Go here to learn more about landing pages creator. 


Contact preference Center

In order to further comply with GDPR and other data-related policies, your customers can decide whether they want to stay subscribed to messages from your brand. You can find preference center in your customers' cockpits. The contact preference center allows them to change their communication settings at any point in time.