What is GDPR?
This is a European Union regulation, designed to improve the data security and privacy of European citizens. Find out more on Wikipedia or the GDPR main site. Although this is specific to European customers, we think it's a good idea for the entire world.
In essence, GDPR helps make sure your data is safe, and that you can access and control it.
GDPR for Zingtree.com
As a company, we've enacted the following procedures and policies:
- Consent: We ask for your name and email when signing up for an authoring account, and ask for your consent before proceeding.
- Breach notification policy: If there is a data breach on our side, we'll notify you within 72 hours of discovery via email.
- Data Access: Our customers can access the personal data we collect from them via Account, My Info. This is their name and email.
- Right to be Forgotten: When you delete your account, your information is permanently erased from our system.
- Privacy by Design: We ask for the minimum amount of data needed to ensure your success as a publisher of Zingtree decision trees. Optional questions in the sign-up process help us offer better support to you.
- Data Protection Officer: Mark Beckmeyer, our Sr. Director of Security and Compliance, is your Data Protection Officer. If you have any questions or concerns about your data, please contact us.
- Personal Data in Chat: When you communicate with us via our chat bubble, you are asked for some personal information so we can properly reply. This service is provided through intercom.io. If requested, we can delete your contact info and conversations from Intercom.
GDPR for your published trees
When you create a decision tree using the Zingtree platform, and you have customers residing in the EU, you should make sure of the following:
- Consent: If you are collecting any personal information using Data Entry fields (name, email, address, etc.), you are required to ask for consent first. We recommend using Zingtree's Require Confirmation feature to do this.
- Breach notification policy: If we discover a data breach on our side, we'll notify you as soon as possible via your login email. It is your responsibility to notify any of your customers who may be affected.
- Data Access: Individuals must have the right to access any personal data that you store about them, and this must be provided free of charge, in a format that is easily readable. If you are collecting personal data via Zingtree, you can use the Session List or Form Data reports to find, gather and deliver this information.
- Right to be Forgotten: If a customer asks to have their data erased, you can do this via the Session List Report, Session Details. Individual sessions can be erased, including their session transcript and any data collected.
- Privacy by Design: Be judicious about what data you are collecting from the users of your trees. If it's not necessary, it's best to not ask.
- Data Protection Officer: GDPR mandates that you have a person in charge of data protection. This person should be able to execute any of the above duties related to data privacy.
Data Processing Agreement
If you require a customized Data Processing Agreement, either send us your own copy, or download and complete this Word document and send it to Zingtree for signature.
Zingtree's Amazon AWS Hosting and EU-based data
Many of our servers and all the data are located in the USA. Fortunately, we can continue to use AWS to transfer data from the EU to USA without altering our architecture, and in compliance with present EU law. Read about AWS and the EU-US Privacy Shield.
This is possible because AWS has already obtained approval from EU data protection authorities (Article 29 Working Party) to enable transfer of personal data outside Europe, including to the USA. This means Zingtree can continue to run global operations using AWS in full compliance with the EU Data Protection Directive, even if your data was originally stored in the USA.
You can find further information at:
List of Sub-Processors
As of the date of this document, Zingtree uses the following GDPR-compliant organizations as data sub-processors:
- Amazon AWS
- Smarty Streets
- WP Engine
Please contact us if you have any questions or concerns about GDPR and our data protection policy.