The GDPR (General Data Protection Regulation) is a piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on May 25, 2018.
Custom Paywall Solutions LLC is fully committed to achieving and upholding ongoing compliance with GDPR prior to the effective date.
What we’re doing about the GDPR
Custom Paywall Solutions LLC began researching and pursuing compliance in 2017. Although it’s a complex piece of legislation the general idea is pretty simple; to make sure all data about private citizens is handled with the care it deserves. We’ve been working with privacy experts and our attorneys to be sure we’re compliant with the GDPR. The privacy and security of our clients and their users are of utmost importance to us.
If you are wondering what data we store about you and how it is being handled and used, you can easily find that out from our data privacy reports below.
Changes to Custom Paywall Solutions LLC to become GDPR compliant
There are dozens upon dozens of changes and steps we’re taking across every part of our company to ensure we are GDPR compliant. This includes anonymizing more data, reducing the types of data shared across vendors to only the parts that are absolutely necessary and providing more controls over what data is/isn’t processed.
Here’s a high-level overview of what we’ve completed so far on our GDPR Compliance Roadmap:
Your data
- Update and improve our privacy policy and terms to ensure how we will handle data is clarified
- Clarify and make available a list of how all data is stored and handled, including how we got consent to store the information
Accountability and management
- Appoint a Data Protection Officer and enhance awareness around the company
- Contracts with all third party data processors and storage partners ensuring they are compliant
- List all third party data processors and storage partners
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR
- Thoroughly research the areas of our product and business impacted by GDPR
- Develop a strategy and guidelines for how to address the areas of our product impacted by GDPR
New rights
- Enable an easy way for our clients and their end users to request access to, edit and delete their personal information
- Automatic deletion of data that our business no longer has any use for
Consent and communication
- Improved Cookie information
- Offer a way to withdraw consent as easily as it was given
- Communicate our compliance to all clients and their end users
- Regularly review policies for changes and effectiveness
Changes in our SaaS platform and new features
- Easy access for clients’ users to export and/or erase data about them by going to their account page
- Easy way for clients to export and/or erase data about their users from the Audience database in the platform
- Ensure all parties involved are informed about any changes or requests made to export or erase data
- Thoroughly test all of changes to verify & validate compliance with GDPR
We are still researching the need for our clients to add age verification to their registration process through our paywall. As soon as our experts reach a conclusion on this we will develop a feature accordingly.
Exceptions due to being a money processor
Custom Paywall Solutions LLC has anti-money laundering and financial regulatory obligations to retain records for certain periods, and we generally cannot delete transactional records prior to the expiration of those periods as we have statutory record-keeping obligations. Absent those specific requirements, we retain personal data for only as long as permissible under applicable data protection laws. Custom Paywall Solutions LLC does retain personal data in compliance with applicable data protection laws, and additional sector-specific rules, as they may apply to Custom Paywall Solutions LLC.
What is the GDPR?
The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The European Payment Report reviled that the total cost for companies within the EU to reform due to the new regulation will land on a staggering 198 billion Euro.
The GDPR regulates the processing of personal data about individuals in the European Union and the European Economic Area including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, among other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
This grid shows how and where we store personal data about our clients. Most important to note is that a lot of the data mapped below are connected to corporate contracts.| Personal data type | Why we have it – purpose | Where we got it | Where is it stored | Who at InPlayer is involved (has access) | Legal basis | How long do we keep it |
|---|
| Contact details | Commercial communication, Providing Support | The individual, Publicly available information (company website, LinkedIn profile etc.) | Excalibur Servers
Confluence
Gmail
Google Drive | Admin users in the developer team, Customer Support, Account Management and Sales Team members | Contract,by accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Communication content | Commercial communication, Providing Support | The individual | Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | Legitimate interest, by accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Application usage and browsing actions | UX improvement of products and services, Providing Support | The individual, Third party analytics technology (cookies etc.) | Excalibur Servers
Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| IP Address | Marketing research, Providing Support | Third party analytics technology (cookies etc.) | Excalibur Servers | Admin users in the developer team | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Browser characteristics | Improvement of products and services, Providing Support | The individual, Third party analytics technology (cookies etc.) | Excalibur Servers
Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Communication content, Contact details | Contact enquiry, Direct marketing activities | The individual (through website form) | Stored with CRM provider: SalesForce (Pardot) | Our Sales and Marketing teams | Legitimate interest, Support query | For as long as your information is relevant for the purpose |
If you want us to export or delete your data, submit the email address used to us to get all personal records that are not connected to corporate contracts deleted. You can submit a request at info@cusomtpaywallsolutions.com
This is the data we store about any user who has created an account with one of our clients via our paywall solution.| Personal data type | Why we have it – purpose | Where we got it | Where is it stored | Who is involved (has access) | Legal basis | How long do we keep it | Can it be deleted? Then how? | Please note |
|---|
| End-user personal information (email, fullname, password for access) | To provide authetntication flow and store user information throughout our system for payments, subscriptions and access to assets | End user (Individual) provides it upon registration (by filling in the registration form) | Database (for website: In our storage system) | Merchants have access to their end users data, while admin users have access to all. | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | Data obfuscated as part of our Erase Account feature | |
| Additional end-user information (country, region/continent, IP address, device used for registration) | To gather analytics for ourselves and towards our merchants (e.g. location where users are mostly buying from). In addition, the location related information is important in the payments records so that merchants can determine whether they should cover tax costs or not | End user (Individual) provides it upon registration (automatically gathered by our system, not entered in the registration form) | (for website: In our storage system) | Merchants can see this in the merchant panel for their end users, while admin users can see this information for all. | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | Location data is kept for bookeeping purposes even after the account is deleted, until it is not needed anymore. All other data can be obfuscated or deleted. | Some information such as the IP address will be obfuscated, however the location related information are needed as information towards our merchants even after a user is deleted in order to determine whether they should cover taxes or not. |
| End-user Metadata (custom registration fields, register source) | Merchants define these custom registration fields in order to gather additional insights for their audience | End user (Individual) provides it upon registration (part of the registration form) | Database (for website: In our storage system) | Merchants can see this in the merchant panel and in reports they generate | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | Yes, and we will fully delete this information with the Erase Account feature | |
| End-user Account Logins Information (+ location data and device used for logging in) | To provide our service and charge clients. This information is also used to gather analytics (e.g. devices mostly used for accessing content) | We record it when end user logs in on their merchant’s website | (for website: In our storage system) | Merchants can generate a report with this information | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | User data part of these records can be obfuscated | We will not fully delete these records because one way we charge our clients is for unique logins in a specific timeframe |
| Action records – Payments | To provide our service and charge clients | End-user provides it when paying for an asset | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registring through our Paywall and the Terms are accepted. | Minimum 10 years | It will not be deleted, nor obfuscated (check note) | Due to legal legislations, such as money laundrying regulations, we are required to keep this data in our system |
| Action records – Subscriptions | To provide our service and charge clients | End-user provides it when subscribing for a premium content on their merchant’s website | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | It will not be deleted, nor obfuscated (check note) | |
| Action records – Access | To provide our service and charge clients | End-user provides it when purchasing (ppv or subscription) an asset and by that getting access for a premium content on their merchant’s website | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | The personal data which is part of the Assets Access Records in our system will be obfuscated and not available for merchants or admin users to see it | |
| Action records – Adding users to vouchers | To provide our service and charge clients | Merchants specify it when adding end-user email addresses to a specific voucher | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registring through our Paywall and the Terms are accepted. | Until the user is deleted | It is fully deleted using in case the end-user account gets deleted | |
Manage your data
If you choose delete your account, You can submit a request at info@cusomtpaywallsolutions.com. We will delete any and all information that is not directly necessary for bookkeeping or compliance purposes due to legislations governing monetary transactions. In the cases where we need to keep some data for compliance reasons not tied to your person (like location) – we will obfuscate (anonymise) the personal details.
Handling of data subject requests (data subject rights)
It is important to distinguish between Publisher Purposes and Excalibur Purposes, because:
- We do not handle data subject requests in respect to Publisher Purposes (Publishers do);
- Publishers do not handle data subject requests in respect to Excalibur Purposes (we do).
Our DPA is based on the above and requires both parties to forward data subject requests to the other party they relate to other party’s purposes. However, as a data processor we shall according to the Art. 28(3)(g) GDPR: “taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III”. We ensure this as is explained below:
Right of access
When applicable, Excalibur will provide the Data Controller with a My Account widget that allows the user to access their private data that Excalibur processes.
Right of rectification
Excalibur will provide the Data Controller with a My Account widget that allows the user to correct their private data that Excalibur processes.
Right of erasure
An anonymous data subject will be qualified as erased when they delete any Excalibur cookies. For data subjects where Excalibur stores registration information, that information shall be erased where possible.
Right of restriction
On a case by case basis, Excalibur will ensure that data is restricted.
Right to data portability
Excalibur provides a My Account widget where the user can access their data in order to download it. This refers to data actively provided by the data subject on registration forms. In addition, the Data Controller has access to the user profile through the user dashboard.
Security measures
Excalibur carefully addresses GDPR defined security measures by the pseudonymisation and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Excalibur to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Excalibur maintains a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Data breachers
Excalibur maintain an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Excalibur and all publishers, in the MSA.
Stay updated
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Excalibur Software can help you with compliance, we hope you’ll reach out to us.
Subprocessors
To support delivery of our Services, Excalibur Software, Inc. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service or superseding written agreement between Customer and Excalibur (the “Agreement”).
Third Parties
Excalibur Software currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Excalibur Software performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.
Infrastructure Subprocessors
Excalibur Software may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:
| ENTITY NAME | SUBPROCESSING ACTIVITIES | ENTITY COUNTRY |
| Amazon Web Services, Inc. | Cloud Service Provider | United States |
| Google Inc. | Cloud Service Provider | United States |
Other subprocessors
Excalibur Software may use the following Subprocessors to perform other Service functions:
| ENTITY NAME | SUBPROCESSING ACTIVITIES | ENTITY COUNTRY |
| | |
| MailChimp | Cloud-based Email Notification Services | United States |
| Google Inc. | Cloud Service Provider | United States |
| Braintree/Stripe | Payment Providers | United States |
Excalibur Affilates
Excalibur Software has one office located in the USA:
| ENTITY NAME | ENTITY COUNTRY |
| Custom Paywall Solutions LLC. | United States |
| |
| |
| |
Updates
As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.
Notifications should be sent to the following:
Custom Paywall Solutions LLC.
Attn: John Gjoni
1320 Metcalf Ave #1
Bronx NY 10469
Email: info@custompaywallsolutions.com
