Security & Data Protection

If you sell/offer products or services to customers based in the EU, you must adhere to the General Data Protection Regulation (GDPR).

This page provides a summary of our work towards GDPR compliance and tutorials on how Voucherify implements particular GDPR procedures.

What is GDPR?

The General Data Protection Regulation (GDPR), a European privacy law approved by the European Commission, is an attempt to strengthen and modernize EU data protection law and to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it gives EU citizens and residents control over their personal data while simplifying the regulatory environment for international businesses that operate in the EU.

The authors of this regulation introduce the concept of “data minimization”, which forces companies to:

  • Collect as little information as they need to run the business.
  • Inform customers about every way their data will be processed (including 3rd party providers).
  • Enable customers to delete, export, or update their data at any point in time.
  • And finally – gain a customer’s unambiguous consent for every data processing activity.


Voucherify’s commitment to data privacy and GDPR compliance

Voucherify is a GDPR-compliant Data Processor. To find the detailed security and data protection measures we have implemented, visit our legal section. Below is an overview of what we have done to meet the regulation's requirements.

  • Data Processing Addendum - we offer a data processing addendum (DPA) for our customers who collect data from folks in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.
  • GDPR-ready contracts with third-party vendors - Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners which subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be certain that your data are neither stored nor processed in a non-secure environment.
  • Email consent - you can control which information you want to receive from Voucherify. The contact preference center provides fine-grained controls to activate and deactivate various notifications for you and your team.
  • Employee training - the Data Protection Officer ensures that all employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks. Moreover, Voucherify team access is controlled by a carefully managed and audited security policy.
  • Updates to our Terms and Privacy - we’ve introduced updates to our Terms of Service and Privacy Policy to ensure we are fully compliant with the GDPR. We openly describe what personal data we are collecting, processing, why, how we use it, who we share it with and how long we store it.
  • Risk Assessment - the Data Protection Impact Assessment process guarantees that the Voucherify team treats the identification and minimization of data protection risks as a priority. Every change to the software, organizational procedures, or tooling triggers privacy due diligence. If any risk is identified, the team collaborates on a solution to mitigate the consequences for our clients and their end-customers.
  • Data Access, Portability and Deletion - new features have been introduced to stay in line with data regulations for the rights to portability, to be forgotten, and to rectification. See the sections below for details and tutorials.

Data Protection Officer

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and how we are gearing up for GDPR. If you have any questions, please don't hesitate to reach out.


How to execute GDPR procedures in Voucherify

How to remove your account permanently

There are two ways you can delete your account permanently:

  1. Submit a ticket through the support page and our team will take care of removing your account and all underlying data from the data center and 3rd party providers.
  2. You can also use this API method that allows users to permanently remove their data from Voucherify.

How to remove a team member permanently

Option 1: The organization administrator can remove a team member by reaching out to the support team through the support page.

Option 2: The organization administrator can remove user data permanently from the Voucherify system by using the web application interface. The steps to be taken by the administrator are as follows:

  1. Log in to the dashboard.
  2. In the Team settings, find a user you want to remove.
  3. Run “Remove Permanently” and confirm the operation.

How to remove/update a consumer (end-customer) permanently

Option 1: The organization user can request data removal from the Support Team. They can do this by submitting a ticket and providing the “id”, “source_id”, or “email address” of the consumer to be removed.

Option 2: The organization user can remove consumer data permanently from the Voucherify system by using the web application interface. To do so, the user has to find the given consumer in the Customer view and click the Remove Permanently button.

Option 3: A consumer can directly reach out to the Voucherify Support Team to remove/update their data. To perform the removal/update, the consumer has to submit information that allows the Support Team to identify the corresponding organization and records. In case of such an incident, the organization administrator will be notified.


How to export your data

You can export all of your data, individual customers, subsets of customers or specific time periods as CSV or JSON files.

Option 1: Dashboard - see the tutorial.

Option 2: API - see the reference.


How to add contact details for EU Representative and Data Protection Officer

You can find sections for contact details in your Team settings.

Contact with EU Rep - Person designated, where applicable, to represent customers not established in the EU with regard to their obligations under the General Data Protection Regulation (GDPR).

Contact with DPO - Person designated, where applicable, to facilitate compliance with the provisions of the GDPR, which defines the criteria and the conditions under which a data protection officer shall be designated.


How to remove customer data by using the dashboard

You can permanently delete any customer history from Voucherify to comply with European data protection laws (GDPR).

Go to the Team Settings (1) and choose the tab 'Delete People Data' (2).

Search for active customers or people you have already archived from the customer list within the current project (3).

Choose the bin icon and confirm to remove a customer's history permanently (4).


[Coming soon] How to configure your widgets to be GDPR-ready (consent & contact preferences controls)

The Voucherify web widget helps you collect customer details such as email and other contact information. To conform with GDPR, it has been equipped with features that enable customers to give you explicit consent for further communication. The contact preference center allows them to change their communication settings at any point in time. To learn more, visit the tutorial.