Overview
As a third-party customer analytics provider, the safety, security, and privacy of our customers' data is always our primary concern. Beyond achieving and maintaining regulatory compliance (for example: GDPR, CCPA, and COPPA) and in addition to our Privacy Shield certification, customers can count on us to stay ahead of new developments as the digital privacy landscape continues to evolve.
Please don't hesitate to reach out to support@mparticle.com if you have questions or concerns about compliance with the following local data regulations.
GDPR
The General Data Protection Regulation (GDPR) is an EU regulation aimed to enhance privacy and expand individual choice when it comes to the tracking and retention of personal information. GDPR went into effect on May 25th, 2018.
Analytics has tackled GDPR with a two-pronged approach, in response to our dual role under the regulations as both a Data Processor and Data Controller:
As a Data Processor
Under GDPR, a data processor is defined as “any person (other than an employee of the data controller) who processes the data on behalf of the data controller.” As a customer analytics platform, Analytics is a third-party vendor that ingests and processes consumer data on behalf of our clients. Thus, we are a data processor.
In order to comply with GDPR, we have implemented the following measures:
- APIs: Analytics provides two APIs which may be used to delete or cease processing of data in accordance with GDPR stipulations. Customers may use these APIs to rectify or delete user data.
- Data Deletion API: Allows quick and easy deletion of existing data.
- Data Rectification API: Allows the alteration and rectification of existing user property data.
- Data Suppression API: Prevents future data from being processed.
- Data Access Form: A form to request to view, alter, delete, or transfer existing data is available on our website. It may be accessed here.
- Data Processing Agreement: Our Data Processing Agreement has been updated to reflect EU model clauses. Customers may access the updated agreement here.
As a Data Controller
A data controller is defined as the “person or persons who determine the matter in which any personal data is processed.” Since Analytics collects information about the usage of our platform for the purposes of quality assurance and bug tracking, we are the data controller for information relating to our own customers.
In order to comply with GDPR, we implemented the following measures:
- Privacy Policy Update: In conjunction with our legal team, we conducted a comprehensive review and update of our privacy policy to ensure it complies with GDPR. The privacy policy is GDPR-compliant as of May 25th, 2018, and may be accessed here.
- Comprehensive Review of Vendors: Our team comprehensively reviewed our existing vendors with the aim of ensuring that our contracts conform with GDPR security and privacy standards.
- Data Collection Opt-In: Analytics users will be prompted with a pop-up widget, allowing them to opt in or opt out of data collection.
- Data Access Form: Users may request to view, alter, delete, or transfer existing data through this form.
Data Locality
Analytics provides the option to store data in an EU regional data center. Contact support@mparticle.com to learn more.
CCPA
The California Consumer Privacy Act (CCPA) is a California state statute aimed at enhancing privacy and expand individual choice when it comes to the tracking and retention of personally identifiable information. CCPA went into effect on January 1st, 2020.
The following measures ensure that Analytics is fully compliant to CCPA as a service provider.
APIs
Analytics provides two APIs which may be utilized to delete or cease processing of data in accordance with GDPR stipulations. Customers may utilize these APIs to rectify or delete user data.
- Data Deletion API: Allows quick and easy deletion of existing data.
- Data Rectification API: Allows the alteration and rectification of existing data.
- Data Suppression API: Prevents future data from being processed.
COPPA
The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law that imposes certain data tracking restrictions onto companies that provide online services directed toward children 13 years of age or younger. Click here for more information on COPPA compliance.
Analytics as a Third Party
By default, Analytics does not collect any personal information as defined under COPPA. Please keep in mind that it is the sole responsibility of our customers to ensure that any additional data that is being collected is compliant from a COPPA perspective. In section 2 of our Privacy Policy, we specifically highlight:
- "In order to use our Services, you will not use our service to send us sensitive information where unauthorized disclosure could cause material, severe, or catastrophic harm or impact to Analytics, You or Your Customers. Sensitive Information includes: Personally identifiable information knowingly collected from children under the age of 13 or form online services directed toward children"
IP Geolocation Tracking
Please note that IP geolocation tracking is restricted under COPPA. Please ensure that you have disabled this within any project that contains data from online services directed towards children 13 years of age or younger. Customers using Analytics' SDK can do this in Project Settings:
- On the left menu, click on the project that may contain data from online services directed toward children 13 years of age or younger.
- Navigate to the Settings on the left menu and click on Project Settings
- In the General section, click on 'Disabled' under 'IP Address Collection'.
Customers with integrations from other sources may require additional configurations to disable IP geolocation tracking.
Privacy Shield Certification
As a leader in the data analytics field, Analytics maintains Privacy Shield Certification.
SOC 2 Type II Certification
mParticle maintains an official System and Organization Controls (SOC) 2 Type II certification.