At iPaper, it is vital that we are fully GDPR-compliant, and that our customers can remain compliant with the GDPR while using iPaper.
In this article, you can find information on how we maintain our GDPR compliance, as well as how to find our Data Processor Agreement (DPA) that documents what data we collect, and how we process it.
What is GDPR?
As of May 25th, 2018, the General Data Protection Regulation is in effect. The GDPR aims to give control of personal data back to the citizens while harmonizing the data protection regulations throughout the EU.
⚠️ GDPR applies to organizations that process personal data of individuals residing in the EU, regardless of the company's location. Personal data encompasses any information that directly or indirectly identifies an individual, including:
names,
addresses,
email addresses,
IP addresses, and more.
Understanding GDPR-specific terminology
GDPR uses specific terminology to identify the various roles and the requirements that apply to each:
Data subject: This is the individual person about whom you may gather and store data.
Data controller: This is the iPaper user who is ultimately responsible for controlling the data of the data subjects.
Data processor: This is iPaper, which processes the data of data subjects as asked by the data controller.
iPaper's GDPR compliance
To ensure that iPaper's product is compliant with GDPR, and to give you the tools to ensure your own compliance with GDPR, we have implemented a number of product changes:
Consent storage
One of the main tenets of the GDPR is to increase transparency and ensure that the data subject consents to any use of personal information. While it is possible to add consent checkboxes to most iPaper forms, we are building it into the product directly, ensuring any stored consents are valid. Going forward, it will be possible to include a required consent option when designing Forms & Pop-ups in iPaper. When the data subject gives consent, we store that fact along with the actual text the data subject gave consent to, enabling you to document the consent given at a later time.
Cookie consent banner
While cookie consent and GDPR are not directly related, cookies may still be used to store personally identifiable information and thus be covered by the GDPR. At iPaper, we do not store any personally identifiable information in cookies, just as we do not use cookies to track data subjects. Cookies are only used for necessary functional purposes and to store aggregated usage statistics for analytical purposes. iPaper does, however, integrate with a number of third-party marketing systems that can be enabled on an optional basis.
We allow you to inform the data subject about what types of cookies are set during the use of the flipbooks.
Anonymization of IP addresses
We use the IP address of data subjects to determine their geographical location on a regional basis, as well as to protect against fraud and misuse. We will no longer store exact IP addresses. Once we have used the raw IP address temporarily, it will be discarded, and only a generic, non-unique part of the IP address will be stored for logging purposes.
Automatic deletion of data
iPaper is not, and has never been, used or intended as a permanent storage location for personal data. Newsletter signups are forwarded to customers' marketing systems shortly after signing up. Shop orders are sent directly to customers' ERP systems or forwarded as emails to sales staff. Competition signups are exported to Excel on a weekly basis. As such, there is no reason for this data to stay in iPaper for longer than necessary.
To ensure no data is forgotten in iPaper, we automatically delete any data that may contain personally identifiable information after a 3-month period. This leaves ample time for the customer to export the data into their own systems, while still keeping a backup in iPaper for three months.
Aggregated data is not deleted: all statistics, visitor analytics, heatmaps, conversion rates, etc. are stored indefinitely. Aggregated data is anonymized, meaning it cannot be pinpointed to any individual person, and is thus not in the scope of GDPR.
Data that is deleted after the 3-month period:
Pop-up conversions: The values submitted by the data subject are deleted. Conversion numbers & rates are not deleted and will still be stored.
Form submissions are deleted.
Shop email checkouts: Customer data attached to the order is deleted after the three-month period. Statistics and Flipbook & product-level revenue data are not deleted.
iPaper's Data Processor Agreement (DPA)
The GDPR forces all data controllers to document their processing of data and to ensure that any processors they use also live up to the GDPR. We have made a Data Processor Agreement (DPA) that documents what data we process as well as how we process it.
How to find iPaper's DPA
Accessing our DPA is easy:
Sign in to your iPaper account, then select the Account details menu in the top right-hand corner.
From the drop-down menu, select Legal and compliance.
At the bottom of this view, you can download a copy of our Data Protection Agreement by selecting Download agreement.
Data subject rights
Besides increasing the control over how data is stored and processed, the GDPR also ensures that data subjects own their own data. This gives the data subjects control over their own data, granting them the right to access their own data, to correct their own data, and to request their data to be deleted (i.e., forgotten).
Right of access: You can export all data from your iPaper account and thus provide relevant data to the data subject.
Right to be forgotten: The automatic deletion of data will ensure that no historical data is stored, leaving only the most recently submitted data in iPaper. If you need help in removing a specific data subject's data, reach out to support@ipaper.io, and we will help you out.
Right to rectification: Most data submitted by data subjects cannot be edited directly. If you need help in correcting any of this data, please reach out to support@ipaper.io and we will help you out.