
excalibur-gdpr

The GDPR (General Data Protection Regulation) is a piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on May 25, 2018.

Custom Paywall Solutions LLC is fully committed to achieving and upholding ongoing compliance with GDPR prior to the effective date.

What we’re doing about the GDPR

Custom Paywall Solutions LLC began researching and pursuing compliance in 2017. Although it’s a complex piece of legislation, the general idea is pretty simple: to make sure all data about private citizens is handled with the care it deserves. We’ve been working with privacy experts and our attorneys to be sure we’re compliant with the GDPR. The privacy and security of our clients and their users are of utmost importance to us.

If you are wondering what data we store about you and how it is being handled and used, you can easily find that out from our data privacy reports below.

 

Changes to Custom Paywall Solutions LLC to become GDPR compliant

There are dozens upon dozens of changes and steps we’re taking across every part of our company to ensure we are GDPR compliant. This includes anonymizing more data, reducing the types of data shared across vendors to only the parts that are absolutely necessary and providing more controls over what data is/isn’t processed.

Here’s a high-level overview of what we’ve completed so far on our GDPR Compliance Roadmap:

Your data

  • Update and improve our privacy policy and terms to clarify how we will handle data
  • Clarify and make available a list of how all data is stored and handled, including how we got consent to store the information

Accountability and management

  • Appoint a Data Protection Officer and enhance awareness around the company
  • Contracts with all third party data processors and storage partners ensuring they are compliant
  • List all third party data processors and storage partners
  • Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR
  • Thoroughly research the areas of our product and business impacted by GDPR
  • Develop a strategy and guidelines for how to address the areas of our product impacted by GDPR

New rights

  • Enable an easy way for our clients and their end users to request access to, edit and delete their personal information
  • Automatic deletion of data that our business no longer has any use for

Consent and communication

  • Improved Cookie information
  • Offer a way to withdraw consent as easily as it was given
  • Communicate our compliance to all clients and their end users
  • Regularly review policies for changes and effectiveness

Changes in our SaaS platform and new features

  • Easy access for clients’ users to export and/or erase data about them by going to their account page
  • Easy way for clients to export and/or erase data about their users from the Audience database in the platform
  • Ensure all parties involved are informed about any changes or requests made to export or erase data
  • Thoroughly test all changes to verify & validate compliance with GDPR

We are still researching the need for our clients to add age verification to their registration process through our paywall. As soon as our experts reach a conclusion on this we will develop a feature accordingly.

Exceptions due to being a money processor

Custom Paywall Solutions LLC has anti-money laundering and financial regulatory obligations to retain records for certain periods, and we generally cannot delete transactional records prior to the expiration of those periods as we have statutory record-keeping obligations. Absent those specific requirements, we retain personal data for only as long as permissible under applicable data protection laws. Custom Paywall Solutions LLC does retain personal data in compliance with applicable data protection laws, and additional sector-specific rules, as they may apply to Custom Paywall Solutions LLC.

What is the GDPR?

The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The European Payment Report revealed that the total cost for companies within the EU to reform due to the new regulation will land on a staggering 198 billion Euro.

The GDPR regulates the processing of personal data about individuals in the European Union and the European Economic Area including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes to come into effect with the upcoming GDPR:

  • Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, among other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
  • Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
  • Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

 

 

Client data policy

This grid shows how and where we store personal data about our clients. Most important to note is that a lot of the data mapped below are connected to corporate contracts.

| Personal data type | Why we have it – purpose | Where we got it | Where is it stored | Who at InPlayer is involved (has access) | Legal basis | How long do we keep it |
| --- | --- | --- | --- | --- | --- | --- |
| Contact details | Commercial communication, Providing Support | The individual, Publicly available information (company website, LinkedIn profile etc.) | Excalibur Servers, Confluence, Gmail, Google Drive | Admin users in the developer team, Customer Support, Account Management and Sales Team members | Contract, by accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Communication content | Commercial communication, Providing Support | The individual | Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | Legitimate interest, by accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Application usage and browsing actions | UX improvement of products and services, Providing Support | The individual, Third party analytics technology (cookies etc.) | Excalibur Servers, Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| IP Address | Marketing research, Providing Support | Third party analytics technology (cookies etc.) | Excalibur Servers | Admin users in the developer team | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Browser characteristics | Improvement of products and services, Providing Support | The individual, Third party analytics technology (cookies etc.) | Excalibur Servers, Gmail | Admin users in the developer team, Customer Support, Account Management and Sales Team members | By accepting the Terms and Conditions upon signup | For as long as your information is relevant for the purpose |
| Communication content, Contact details | Contact enquiry, Direct marketing activities | The individual (through website form) | Stored with CRM provider: SalesForce (Pardot) | Our Sales and Marketing teams | Legitimate interest, Support query | For as long as your information is relevant for the purpose |

If you want us to export or delete your data, send us the email address you used so that we can delete all personal records that are not connected to corporate contracts. You can submit a request at info@custompaywallsolutions.com.

End-user data policy

This is the data we store about any user who has created an account with one of our clients via our paywall solution.

| Personal data type | Why we have it – purpose | Where we got it | Where is it stored | Who is involved (has access) | Legal basis | How long do we keep it | Can it be deleted? Then how? | Please note |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| End-user personal information (email, full name, password for access) | To provide authentication flow and store user information throughout our system for payments, subscriptions and access to assets | End user (Individual) provides it upon registration (by filling in the registration form) | Database (for website: In our storage system) | Merchants have access to their end users’ data, while admin users have access to all. | By registering through our Paywall and accepting the Terms. | Until the user is deleted | Data obfuscated as part of our Erase Account feature | |
| Additional end-user information (country, region/continent, IP address, device used for registration) | To gather analytics for ourselves and towards our merchants (e.g. location where users are mostly buying from). In addition, the location related information is important in the payments records so that merchants can determine whether they should cover tax costs or not | End user (Individual) provides it upon registration (automatically gathered by our system, not entered in the registration form) | (for website: In our storage system) | Merchants can see this in the merchant panel for their end users, while admin users can see this information for all. | By registering through our Paywall and accepting the Terms. | Until the user is deleted | Location data is kept for bookkeeping purposes even after the account is deleted, until it is not needed anymore. All other data can be obfuscated or deleted. | Some information such as the IP address will be obfuscated; however, the location related information is needed as information towards our merchants even after a user is deleted in order to determine whether they should cover taxes or not. |
| End-user Metadata (custom registration fields, register source) | Merchants define these custom registration fields in order to gather additional insights for their audience | End user (Individual) provides it upon registration (part of the registration form) | Database (for website: In our storage system) | Merchants can see this in the merchant panel and in reports they generate | By registering through our Paywall and accepting the Terms. | Until the user is deleted | Yes, and we will fully delete this information with the Erase Account feature | |
| End-user Account Logins Information (+ location data and device used for logging in) | To provide our service and charge clients. This information is also used to gather analytics (e.g. devices mostly used for accessing content) | We record it when end user logs in on their merchant’s website | (for website: In our storage system) | Merchants can generate a report with this information | By registering through our Paywall and accepting the Terms. | Until the user is deleted | User data part of these records can be obfuscated | We will not fully delete these records because one way we charge our clients is for unique logins in a specific timeframe |
| Action records – Payments | To provide our service and charge clients | End-user provides it when paying for an asset | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registering through our Paywall and accepting the Terms. | Minimum 10 years | It will not be deleted, nor obfuscated (check note) | Due to legislation, such as money laundering regulations, we are required to keep this data in our system |
| Action records – Subscriptions | To provide our service and charge clients | End-user provides it when subscribing for a premium content on their merchant’s website | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registering through our Paywall and accepting the Terms. | Until the user is deleted | It will not be deleted, nor obfuscated (check note) | |
| Action records – Access | To provide our service and charge clients | End-user provides it when purchasing (ppv or subscription) an asset and by that getting access for a premium content on their merchant’s website | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registering through our Paywall and accepting the Terms. | Until the user is deleted | The personal data which is part of the Assets Access Records in our system will be obfuscated and not available for merchants or admin users to see it | |
| Action records – Adding users to vouchers | To provide our service and charge clients | Merchants specify it when adding end-user email addresses to a specific voucher | Database (for website: In our storage system) | Merchants & Admin users can see this information | By registering through our Paywall and accepting the Terms. | Until the user is deleted | It is fully deleted in case the end-user account gets deleted | |

Manage your data

If you choose to delete your account, you can submit a request at info@custompaywallsolutions.com. We will delete any and all information that is not directly necessary for bookkeeping or compliance purposes due to legislation governing monetary transactions. In the cases where we need to keep some data for compliance reasons not tied to your person (like location), we will obfuscate (anonymise) the personal details.

Handling of data subject requests (data subject rights)

It is important to distinguish between Publisher Purposes and Excalibur Purposes, because:

  • We do not handle data subject requests in respect to Publisher Purposes (Publishers do);
  • Publishers do not handle data subject requests in respect to Excalibur Purposes (we do).

Our DPA is based on the above and requires both parties to forward data subject requests to the other party when they relate to the other party’s purposes. However, as a data processor we shall, according to Art. 28(3)(g) GDPR: “taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III”. We ensure this as explained below:

Right of access

When applicable, Excalibur will provide the Data Controller with a My Account widget that allows the user to access their private data that Excalibur processes.

Right of rectification

Excalibur will provide the Data Controller with a My Account widget that allows the user to correct their private data that Excalibur processes.

Right of erasure

An anonymous data subject will be qualified as erased when they delete any Excalibur cookies. For data subjects where Excalibur stores registration information, that information shall be erased where possible.

Right of restriction

On a case by case basis, Excalibur will ensure that data is restricted.

Right to data portability

Excalibur provides a My Account widget where the user can access their data in order to download it. This refers to data actively provided by the data subject on registration forms. In addition, the Data Controller has access to the user profile through the user dashboard.

Security measures

Excalibur carefully addresses GDPR-defined security measures through the pseudonymisation and encryption of personal data and by maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, which in turn allows Excalibur to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. Excalibur maintains a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Data breaches

Excalibur maintains an incident response plan which governs the communication and process in the case of a data breach. Contractually, this is covered between Excalibur and all publishers in the MSA.

Stay updated

Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Excalibur Software can help you with compliance, we hope you’ll reach out to us.

Subprocessors

To support delivery of our Services, Excalibur Software, Inc. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service or superseding written agreement between Customer and Excalibur (the “Agreement”).

Third Parties

Excalibur Software currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Excalibur Software performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.

Infrastructure Subprocessors

Excalibur Software may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:

| ENTITY NAME | SUBPROCESSING ACTIVITIES | ENTITY COUNTRY |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud Service Provider | United States |
| Google Inc. | Cloud Service Provider | United States |

Other subprocessors

Excalibur Software may use the following Subprocessors to perform other Service functions:

| ENTITY NAME | SUBPROCESSING ACTIVITIES | ENTITY COUNTRY |
| --- | --- | --- |
| MailChimp | Cloud-based Email Notification Services | United States |
| Google Inc. | Cloud Service Provider | United States |
| Braintree/Stripe | Payment Providers | United States |

Excalibur Affiliates

Excalibur Software has one office located in the USA:

| ENTITY NAME | ENTITY COUNTRY |
| --- | --- |
| Custom Paywall Solutions LLC. | United States |

Updates

As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.

Notifications should be sent to the following:

Custom Paywall Solutions LLC.

Attn: John Gjoni

1320 Metcalf Ave #1

Bronx NY 10469

Email: info@custompaywallsolutions.com