Data Protection Guide v3
Document Version 3.5.6 - Last update December 3rd, 2018
Applies to V3.x to V4.3.3 platforms [Archive]
DATA PROTECTION GUIDE
This guide describes the principles and rules of personal data protection at Popsell to ensure GDPR compliance:
Personal data processing in the Popsell SAAS platform
Popsell internal processes to ensure Data Privacy and Protection
This document gives exhaustive information in addition to the Privacy Policy available on the http://popsell.com web site.
GENERAL PROCESS
Popsell is a SAAS provider, which runs a web platform dedicated to brands, retail or direct selling companies (all designated as ‘Brand’ in this document). The purpose of Popsell is to enable their users to become micro-influencers or resellers on behalf of the brand. Users of the Popsell platform are called ‘Ambassadors’, and can be:
Loyal customers of the Brand, who become micro-influencers on their personal network,
Sales representatives in direct selling companies, who use the Popsell platform to promote the Brand on their social networks and by email,
Employees or contractors, who use the platform to promote the Brand.
Ambassadors manage their contacts (designated as ‘Contacts’ in this document) who can come from different sources, as described further in this document.
In addition to being a SAAS provider, Popsell can also provide services to the Ambassadors: support (level 1 or 2) and community management on behalf of the Brand.
Responsibilities
The Brand acts as the Data Controller for all personal data processed in the Popsell platforms, including Ambassadors and their contacts.
Popsell acts as the Data Processor and ensures that its platform, services and processes meet the requirements of the GDPR. The Popsell platform collects data and consents, manages access rights, revokes consents and deletes data according to the rules and processes described in this document. Popsell is responsible for responding to requests to exercise the rights defined in articles 15 to 22 of the GDPR.
Brand partitioned databases
Each Brand uses an independent instance operated by Popsell. The platform is white-labeled, and all the data collected remain partitioned for each Brand.
Personal data in the Popsell platform
Personal data in the Popsell platform are divided into two databases:
Ambassadors data
Contacts data
Ambassadors:
When Ambassadors sign up to a Popsell platform, they must accept the Terms & Conditions and are informed about the personal data processes.
Ambassador’s contacts:
Once they are registered, Ambassadors can build their own publications, using personal content or content provided by the Brand. These publications are shared with their personal or professional networks through social media platforms or by email. To enable them to send publications by email, personal data is collected in a contact management feature (designated as the ‘CRM’ in this document). Contacts resulting from social media interactions can also be automatically recorded in that CRM. Data collection processes are further detailed in this document.
PERSONAL DATA IN THE POPSELL PLATFORM
Ambassador data
Ambassadors’ personal data collected into the Popsell database.
Data | Comments |
Creation date | Date when the ambassador signed up into the platform |
Gender | Required (data not erased when ambassador is deleted) |
First name | Required |
Last name | Required |
Alias | Required |
Password | Passwords are always hashed with the BCrypt algorithm. Required unless Facebook login or SSO (Single Sign On) is used |
Customer ID | Optional (unless required by the Brand) (hashed data is kept when ambassador is deleted) |
Facebook ID | Optional (hashed data is kept when ambassador is deleted) |
Email address | Required (hashed data is kept when ambassador is deleted) |
Address | Address, city, postal code and country. Optional (data is erased except city and postal code when ambassador is deleted) |
Language | Preferred language |
Date of birth | Optional (unless required by the Brand) (day and month erased when ambassador is deleted) |
T&C | Whether Terms & Conditions have been accepted or not. Unless a signup has been interrupted, all ambassadors in the database must have accepted the T&C. If not, access is not permitted. |
Profile photo | Optional. Uploaded by the Ambassador or imported from Facebook if signup with Facebook login (file deleted when ambassador is deleted) |
About | Ambassador’s short description (self-entered, optional) (data deleted when ambassador is deleted) |
Interests | Optional (unless required by the Brand) |
Position | Position in the Brand organization. Optional (unless required by the Brand) |
IBAN | IBAN number |
Community visibility opt-out | Enables an ambassador to hide all his data from other ambassadors of the Brand community. Check boxes are not checked by default (opt-in during signup, in Terms & Conditions) |
Communication opt-ins | Enables an ambassador to opt out of communications sent by the platform (opt-in during signup, in Terms & Conditions) |
Social media access granted | Ambassadors can grant access to Popsell social media apps to enable data collection (activity, contact data). Data is deleted from the Popsell database when the ambassador is deleted. Grants are also stored by the social media platforms and must be deleted by the user according to their Terms and Conditions. Platforms such as Facebook now automatically revoke access rights granted to an app when it has not been accessed for a 3 month period (as of April 2018). |
Ambassador activity
Throughout the use of the Popsell Platform, an ambassador generates various data and contents:
Data | Comments |
Publication | Ambassadors can create their own publications, posted on social media or sent by email. |
UGC | Ambassadors can upload their own personal photos (UGC = User Generated Content) and share them in a publication. These UGCs are stored on Popsell servers. UGCs remain the property of the Ambassadors; neither Popsell nor the Brand has the right to re-use them, unless specified by a specific contest or challenge. In that case, the ambassador is informed and consents that his UGCs may be reused, for the usage and duration specified. |
Community comments and likes | Publications displayed to other ambassadors can be liked and commented on in the community flow. |
Activity logs | Activities generated by publications on email systems and on social media are collected: number of opens, clicks, likes, comments, reshares. The text of comments is not collected (only the number of comments). This data is anonymous for all social media except Facebook and email. IP address and ‘user-agent’ (browser characteristics) are collected in the Popsell database and used by an anti-fraud monitoring algorithm. The IP address is always hashed. |
Score, badges | The activity of the ambassadors is compiled in a gamification program, which generates the following data : |
Contact data
This table lists all the data that can be collected into the ambassadors’ contacts database.
Each field is optional; at least one field must be filled.
Data | Comments |
Ambassador | Reference to the unique ambassador who owns this contact. If the same contact has been entered by more than one ambassador, the data is stored twice. |
First name | |
Last name | |
Email address | Hashed data is kept when contact is deleted |
Email status | Status received from previous emails : This status is displayed to the ambassador in the CRM, but the ambassador cannot send emails to a contact with a blocked status. Only a soft bounce can be released manually by the ambassador in the CRM. |
Facebook ID | Hashed data is kept when contact is deleted |
Twitter ID | Hashed data is kept when contact is deleted |
Instagram ID | Hashed data is kept when contact is deleted |
Public photo | Link to the public photo URL on social media (no image is stored in the Popsell database) |
Customer ID | Customer reference in the Brand database |
Ambassador opt-in | Whether the contact has accepted to be contacted by the ambassador. Values : |
Date ambassador opt-in | Date of the last opt-in or opt-out status. |
Brand opt-in | Whether the contact has accepted to let his personal data be stored by the Brand and has accepted to receive emails from the Brand. Values : |
Date brand opt-in | Date of the last opt-in or opt-out status. |
Partners opt-in | Whether the contact has accepted to let his personal data be transferred to Brand partners. This information is a Boolean. If set to true, this opt-in has been obtained through Popsell. |
Date partners opt-in | Date of the last opt-in or opt-out status for Brand partners. |
Contact type | Hostess, Customer, Prospect : only used in direct selling scenarios |
Comments | Text area that can be filled by the ambassador |
Address | Address, city, postal code and country. Data is erased except postal code and city when contact is deleted |
Mobile phone | |
Home phone | |
Tags | Tags (keywords) can be created by an ambassador and manually assigned to his contacts. |
Interactions history | List of publications sent by email to this contact. List of publications where an engagement has been made on a social media (like, comment). The text of the comment is not recorded. |
Sales history | Online orders or store purchases made following an ambassador’s publication. Date and amount of order : List of products purchased : |
Change history | Created by (manually, from a social media, etc.), modified by, date the record was created or modified. |
Contacts black list
This table contains some extra information about contact consents:
· Global opt-out: if a contact has decided not to receive any publications from any ambassador, this information is stored in this table (email address is hashed). This makes it possible to block future ambassadors who would import the same contact again after he opted out.
· Email callbacks: if a definitive error (spam, hard bounce, block) has been returned by the messaging platform, this information is stored to ensure that any future communication is blocked (email address is hashed).
AMBASSADORS DATA COLLECTION MECHANISMS
Introduction
Ambassadors’ data can be collected through 3 different mechanisms:
Signup form: data is manually entered by the Ambassador. His email address is verified (email sent with a link to confirm the registration).
Facebook Login
Single Sign On (SSO): see details below
In all cases, Terms and Conditions must be accepted to enable account creation.
Single Sign On
The SSO mechanism allows the Popsell Platform to rely on the credentials a user already has on a Brand platform (e-commerce platform, Extranet …) for authentication.
SSO enables:
· Account provisioning (ambassador data is collected and saved in the Popsell database on first connection),
· Automatic login (without having to re-enter credentials)
· Data update (data updated on the Brand database are synchronized to the Popsell database)
· Account deletion (if an account has been deleted on the Brand database, the account and his personal data will also be deleted in the Popsell database).
Please refer to the Popsell SSO Guide for further details.
Registration white List
The Popsell platform enables a Brand to control who is authorized to sign up as an Ambassador:
· List of email addresses authorized (data hashed in the database)
· List of customer ID authorized
· SSO process can be set in an exclusive mode (which means that SSO is the only possible way to sign up) thus ensuring that only members of the Brand database can sign up.
CONTACTS DATA COLLECTION MECHANISMS
Introduction
Ambassadors’ contacts data can be collected through several mechanisms. Contacts are saved in the Popsell database and ambassadors can see their own contacts in the CRM page. Brand administrators can only see the contacts with a Brand opt-in in the Popsell Manager; contacts without a Brand opt-in are hidden.
1| Manually entered in the CRM
Data is manually entered by an ambassador in a CRM form.
At that time, if the contact has a valid email address, the ambassador is invited to send an invitation email. The ambassador must send an invitation email within a 30 day period or the contact will be deleted from the database (data is deleted).
For specific Direct Selling scenarios, it will be possible to manually enter an opt-in, if the consent has been obtained via an external process. (Not available at the moment in current version of the Popsell platform).
2| Manually imported from a private contact list
Data can be imported from public email messaging systems:
· Gmail
· Outlook (formerly Hotmail)
Data can also be imported from an external source, by copying/pasting a list of email addresses.
These contacts are marked as new, and the ambassador is invited to send an invitation email. The ambassador must send invitation emails within a 30 day period or the contacts will be deleted from the database (data is not hashed, contacts are indeed deleted).
3| Automatically imported from an external Brand database
A data synchronization process can be setup with the Brand, in order to import and regularly update contacts data, from a database owned by the Brand.
When the contacts are synchronized, an opt-in status is sent.
In the Popsell database, this opt-in status is assigned to both the ambassador opt-in and the brand opt-in. If no opt-in is imported from the Brand database, then the Ambassador opt-in is set to “New” and the Brand opt-in status is set to 'storage only' in the Popsell database.
This feature is only available for direct selling scenarios (Ambassadors are sales representatives of the Brand) or for employees (professionals employed by the Brand or sub-contractors).
4| Imported from Social networks
As of August 1st, 2018, this paragraph only applies to Twitter – no longer available with Facebook.
Ambassadors can post their publications to their social networks.
When a contact interacts with the publication, his data is automatically imported into the Popsell Database. Only the alias or ID and image are collected. No name or email address or other private data are available.
Popsell is allowed to import this data for the following reasons:
· The contact has accepted the terms and conditions of the social media.
· A Popsell application has been granted read rights by the social media, following a validation process, to ensure that the data usage is compliant with the social media policies.
· The ambassador has granted this Popsell Application to access his personal data.
These contacts have not opted-in and can only be contacted by the ambassador through the social media platform. The opt-in value is set to “social media only”.
For some social media, having the Contact ID enables Popsell to display on the CRM page the public profile image and a link to the public profile.
5| Created from an ambassador’s blog
Two different features can be activated on the ambassador’s blog, enabling a visitor to contact the ambassador:
Subscription button: enables a visitor to opt-in and leave his contact details (first name, last name, email address)
Message button: enables a visitor to send a message to the ambassador, opt-in, and leave his contact details.
Up to three opt-in checkboxes can be displayed (depending on the parameters setup for the brand):
Ambassador opt-in
Brand opt-in
Brand partners opt-in
If the ‘ambassador opt-in’ is not checked, a warning message is displayed, as the ambassador will not be authorized to contact the visitor.
If the ‘Brand opt-in’ or ‘Brand partners opt-in’ is checked, then the data becomes available to Brand Administrators in the Popsell Manager.
A confirmation email is sent to the email address entered, in order to verify that it is a valid address and that it was entered by its owner. As long as the contact has not confirmed his email address, the contact is considered as opted-out, and is not displayed to the Brand nor to the ambassador.
6| Created from a blog: internal form
A specific form can be setup in order to collect specific data on behalf of the Brand.
The mechanism is similar to case 5, except that if the Brand opt-in has not been checked, the status is set to 'storage only' for the Brand.
7| Created after an e-commerce order (without message popin)
When a new contact places an order on the Brand web site (after having seen an ambassador’s publication), his contact details can be exported to the Popsell database through a web service.
Depending on how the web service is called (each Brand can implement it specifically), the following data may be exported:
First name and last name
Email address
Order amount and product details
Brand opt-in
All the data is stored in the Popsell database, and the following values are set for opt-ins:
If Brand opt-in parameter value is True, then
o Ambassador opt-in is set to “optin from order”
o Brand opt-in is set to “optin from brand database”
If Brand opt-in parameter is False, or if Brand opt-in parameter is not set:
o Both Ambassador and Brand opt-ins are set to “Storage only”
8| Created after an e-commerce order + message popin
Similar to case 7, except that a popin is displayed to enable the contact to leave a message to the ambassador.
This popin also allows the contact to enter his name and email, if this information is not exported by the brand.
This popin also enables to ask for an ambassador opt-in.
If Brand opt-in is not set or set to “false”, the opt-in checkbox is displayed, and the result is stored in the Popsell database: order opt-in (if checked) or storage only (if not checked).
If Brand opt-in is set to “true”, opt-in checkbox is not displayed because ambassador opt-in is assumed (same as case 7).
9| Created after a store purchase
In some cases, store purchases can be tracked. They can only be tracked if the contact generates a voucher and presents it to the store assistant during checkout. To be able to generate the voucher, the contact must already be in the Ambassador’s database (with opt-in), otherwise a popin is displayed to get an opt-in, similar to case 5.
10| Created from an external form
An ambassador can lead users to a specific form in an external website, e.g. subscription to a newsletter, subscription to a loyalty program, participation in a game (e.g. powered by Adictiz) …
Data collected depends on the implementation of the specific form.
All the data is stored in the Popsell database (storage allowed), and the following values are set for opt-ins:
Ambassador opt-in is set to New (unless ambassador opt-in asked for in the form)
Brand opt-in is set to ‘storage only’ (unless brand opt-in asked for in the form)
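The opt-in assignment rules of cases 3, 5, 6, 7, 8 and 10 above, written out as one decision module. This is an added example, not Popsell's code: the labels “opt-in” and “opted-out” are assumed names for an explicit consent and a declined or unconfirmed one (the other values appear in the text), and the value assigned to an unchecked Brand box on a case 5 blog form is an assumption, since the guide only says such contacts are not shown to the Brand.

```python
from dataclasses import dataclass
from typing import Optional

# Opt-in labels used in the guide. OPTIN and OPTED_OUT are assumed labels (see lead-in).
NEW = "New"
OPTIN = "opt-in"
OPTED_OUT = "opted-out"
STORAGE_ONLY = "storage only"
OPTIN_FROM_ORDER = "optin from order"
OPTIN_FROM_BRAND_DB = "optin from brand database"

@dataclass(frozen=True)
class Optins:
    ambassador: str
    brand: str

def from_brand_sync(imported_status: Optional[str]) -> Optins:
    """Case 3: the status sent with a synchronised contact applies to both opt-ins;
    when none is sent, the ambassador opt-in is New and the Brand opt-in storage only."""
    if imported_status is None:
        return Optins(NEW, STORAGE_ONLY)
    return Optins(imported_status, imported_status)

def from_blog_form(ambassador_checked: bool, brand_checked: bool,
                   email_confirmed: bool, internal_form: bool = False) -> Optins:
    """Cases 5 and 6: checkboxes on the ambassador's blog (partners opt-in left out).
    Until the confirmation email is answered the contact is treated as opted-out and
    hidden from both the Brand and the ambassador. On the internal form (case 6) an
    unchecked Brand box still yields 'storage only' for the Brand."""
    if not email_confirmed:
        return Optins(OPTED_OUT, OPTED_OUT)
    ambassador = OPTIN if ambassador_checked else OPTED_OUT  # unchecked: cannot be contacted
    if brand_checked:
        brand = OPTIN
    else:
        brand = STORAGE_ONLY if internal_form else OPTED_OUT  # case 5 value is assumed
    return Optins(ambassador, brand)

def from_order(brand_optin: Optional[bool], popin_shown: bool = False,
               ambassador_checked: bool = False) -> Optins:
    """Cases 7 and 8: the Brand's web service passes a Brand opt-in parameter that may
    be True, False or absent (None)."""
    if brand_optin is True:
        # Ambassador opt-in is assumed; no checkbox is shown even when the popin is used.
        return Optins(OPTIN_FROM_ORDER, OPTIN_FROM_BRAND_DB)
    if popin_shown and ambassador_checked:
        # Case 8 with the parameter False/absent: the popin asked for the ambassador opt-in only.
        return Optins(OPTIN_FROM_ORDER, STORAGE_ONLY)
    return Optins(STORAGE_ONLY, STORAGE_ONLY)

def from_external_form(ambassador_asked: bool, brand_asked: bool) -> Optins:
    """Case 10: storage is allowed; values stay New / storage only unless the form asked."""
    return Optins(OPTIN if ambassador_asked else NEW, OPTIN if brand_asked else STORAGE_ONLY)

def visible_to_brand(o: Optins) -> bool:
    """Brand administrators only see contacts carrying a Brand opt-in (section introduction)."""
    return o.brand in (OPTIN, OPTIN_FROM_BRAND_DB)

def ambassador_may_email(o: Optins) -> bool:
    """An ambassador can only email a contact who opted in to the ambassador;
    New, storage only, opted-out and 'social media only' contacts are blocked."""
    return o.ambassador in (OPTIN, OPTIN_FROM_ORDER)
```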
AMBASSADORS DATA DELETION PROCESS
Deleted vs Hashed
Ambassadors and Contacts data are not always completely removed from the database. Instead, some data is hashed, which means that it is replaced by the output of a one-way hash function from which the original value cannot be recovered.
Popsell uses a sha-256 algorithm to hash the data (except passwords which are BCrypt hashed).
Data is hashed instead of being removed from the database:
to enable statistics,
to keep opt-out information usable (for example, if a contact opted out, we must prevent another ambassador from re-entering the same information. This remains possible by comparing hashed data).
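The hashing rule just described, together with the ‘Contacts black list’ table from the data section, as an added example that is not Popsell's code: a deleted contact keeps only the fields the contact table says survive, and a re-import of the same address is refused by comparing digests. Field names and the sample contact are constructed for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

def hash_identifier(value: str) -> str:
    """SHA-256 hex digest of a normalised identifier (email address, social media ID).
    Normalising first means the same address typed with different case or spacing
    yields the same digest, which is what the opt-out comparison relies on. Note that
    a deterministic digest is pseudonymous rather than fully anonymous: anyone who
    holds the address can recompute it, which is exactly the property used here."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

# Per the contact data table: identifiers survive deletion only as hashes, the
# address survives only as city and postal code, everything else is dropped.
HASHED_ON_DELETE = ("email", "facebook_id", "twitter_id", "instagram_id")
KEPT_ON_DELETE = ("ambassador", "city", "postal_code")

def delete_contact(record: Dict[str, object]) -> Dict[str, object]:
    """Return the pseudonymised row that replaces a deleted contact."""
    out = {k: record[k] for k in KEPT_ON_DELETE if record.get(k)}
    for k in HASHED_ON_DELETE:
        if record.get(k):
            out[k + "_hash"] = hash_identifier(str(record[k]))
    out["deleted"] = True
    return out

class ContactBlacklist:
    """'Contacts black list' table: global opt-outs and definitive email callbacks,
    keyed by the hashed email address so the clear address is never stored."""
    def __init__(self) -> None:
        self._reasons: Dict[str, str] = {}

    def add(self, email: str, reason: str) -> None:
        # reason is one of: "global opt-out", "spam", "hard bounce", "block"
        self._reasons[hash_identifier(email)] = reason

    def reason(self, email: str) -> Optional[str]:
        return self._reasons.get(hash_identifier(email))

def import_contact(record: Dict[str, object], blacklist: ContactBlacklist) -> Tuple[bool, str]:
    """Gate a manual entry or import: a blacklisted address is refused before anything
    is stored, so an ambassador cannot re-enter a contact who opted out."""
    email = record.get("email")
    if email:
        why = blacklist.reason(str(email))
        if why:
            return False, "refused: " + why
    return True, "accepted: status new, blocked until an invitation is sent"

def reimport_after_opt_out() -> Tuple[bool, str]:
    """Constructed scenario: a contact opts out globally, is deleted (hashed), and a
    second ambassador later tries to import the same address with different casing."""
    blacklist = ContactBlacklist()
    contact = {"ambassador": 1, "first_name": "Alice", "email": "Alice@Example.com",
               "city": "Lyon", "postal_code": "69001"}
    blacklist.add(str(contact["email"]), "global opt-out")
    delete_contact(contact)
    return import_contact({"ambassador": 2, "email": " alice@example.com "}, blacklist)
```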
Ambassador unsubscription
An ambassador can unsubscribe from the Popsell platform. Access is immediately blocked, and his personal data is deleted (hashed) within 7 days (to enable a rollback in case of mishandling). All his contacts are also deleted, except those having an opt-in for the brand.
The duration is set to 7 days by default, but can be changed in the platform configuration for the Brand.
End of contract of an employee or a sales representative
If a Brand employee or a sales representative terminates his contract with the Brand, the Brand must delete the account manually in the Popsell Back Office, or give the information to Popsell to enable the deletion of his personal data.
This operation can be done automatically if an SSO process has been setup with Popsell.
Account access is immediately blocked, but data is deleted within a delay of 7 days, to enable a rollback in case of mishandling.
The duration is set to 7 days by default, but can be changed in the platform configuration for the Brand.
End of contract between Popsell and the Brand
Should the contract between Popsell and the Brand terminate, all personal data (Ambassadors and Contacts) will be deleted (hashed) within a delay of 7 days, to enable a rollback in case of mishandling.
Program suspended
If the program is suspended for any reason, and planned to be relaunched soon, data can be kept in the database, for a maximum of 6 months.
Ambassadors will be warned of the program suspension by a newsletter and can opt-out.
Ambassadors without activity
Ambassadors with no activity for a period of 3 years are automatically deleted from the database (their data is hashed with a sha-256 algorithm). No activity means that they have not logged into the platform for a period of 3 years.
Two emails are sent prior to account deletion, every 15 days, to let the ambassador reactivate his account.
The duration is set to 3 years by default, but can be changed in the platform configuration for the Brand.
ACTIVITY DATA DELETION PROCESS
Activity data and UGCs
All personal data generated by an ambassador on the Popsell platform are deleted or hashed at the same time as his account is deleted.
There is an exception if the content (personal photos) have been collected through a specific contest or challenge. In that case, this content will be deleted according to specific usage and duration specified within the contest.
CONTACTS DATA BLOCK/DELETION PROCESS
Contacts without activity
Contacts (with optin or storage allowed) with no activity for a period of 3 years are automatically deleted (hashed) from the database.
An activity means they intentionally interacted with the publication (click, like, etc.). Opening an email is not considered as an activity.
The duration is set to 3 years by default but can be changed in the platform configuration for the Brand.
New contacts in the database
New contacts who have just been imported or manually entered in the database are blocked by default: nothing can be sent to these contacts except an invitation email.
If no invitation email is sent to these contacts within a 30 days period, contacts are deleted (hashed).
The duration is set to 30 days by default, but can be changed in the platform configuration for the Brand.
Contacts in the database prior to GDPR application
If these contacts have an activity history (e.g. engagement on a social media, email clicked …), an opt-in is assigned by default, assuming that they have not opted-out, and that their activity proves an interest in the ambassador’s publications.
If these contacts have no activity, they are marked as “new” and will follow the same process as new contacts. Ambassadors will be warned of that process on May 25th, 2018.
Contacts with an invitation pending
An invitation email has been sent to the contacts, but they did not respond (no click on ‘decline’ or ‘accept’ buttons, no bounce or spam received for the messaging system).
These contacts remain blocked by default for a period of 15 days.
A new invitation will automatically be sent after this 15 days period.
If still no response is received after another 15 days, then the account is marked as opted-out.
The duration is set to 15 days by default, but can be changed in the platform configuration for the Brand.
Contacts pending email confirmation
Contacts who received an email to confirm their email address are stored in the database, but not visible to ambassadors.
If they never confirm their address, then data is deleted within 15 days.
Same parameter is used as in previous case for no response received.
Contacts opted-out
Contacts who have opted-out for a publication or contacts who have declined an invitation:
They are immediately blocked
Data is kept in the database for a 1 year period, to ensure that the ambassador knows about his opt-out, and does not try to recreate and resend an invitation.
Email address is hidden to the ambassador
The duration is set to 1 year by default, but can be changed in the platform configuration for the Brand.
Contacts imported from an external system
Contacts are deleted when the delete information is sent by the Brand via the synchronization process (data hashed): data privacy rules from the Brand apply.
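The contact block/deletion rules of this section (new contacts, pending invitations, pending confirmation, opt-outs and inactivity) combined into one retention job, as an added example that is not Popsell's code. The status names, the `Contact` fields and the sample contacts are constructed; the durations are the defaults stated above and are exposed as a configuration object because each Brand can change them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional

@dataclass
class RetentionConfig:
    """Default durations stated in the guide; each Brand can change them."""
    new_contact_days: int = 30       # no invitation sent in time -> deleted (hashed)
    invitation_days: int = 15        # no answer -> one automatic re-invitation, then opted-out
    confirmation_days: int = 15      # confirmation email never answered -> deleted
    opted_out_days: int = 365        # opt-out kept (blocked) so the ambassador cannot re-invite
    inactivity_days: int = 3 * 365   # no intentional interaction -> deleted (hashed)

@dataclass
class Contact:
    status: str                      # new | invited | pending_confirmation | opted_out | active
    created: date
    status_since: date               # for "invited": date of the last invitation sent
    invitations_sent: int = 0
    last_activity: Optional[date] = None

def record_activity(c: Contact, kind: str, when: date) -> Optional[date]:
    """Only intentional interactions count as activity; opening an email does not."""
    if kind in ("click", "like", "comment", "reshare"):
        c.last_activity = when
    return c.last_activity

def allowed_messages(c: Contact) -> FrozenSet[str]:
    """New contacts may only receive an invitation; blocked contacts receive nothing."""
    if c.status == "new":
        return frozenset({"invitation"})
    if c.status in ("invited", "pending_confirmation", "opted_out"):
        return frozenset()
    return frozenset({"invitation", "publication"})

def retention_action(c: Contact, today: date, cfg: RetentionConfig = RetentionConfig()) -> str:
    """What the periodic job does with one contact: keep, resend_invitation,
    mark_opted_out or delete_hashed (deletion keeps only hashed identifiers)."""
    def days_since(d: date) -> int:
        return (today - d).days
    if c.status == "new":
        return "delete_hashed" if days_since(c.created) > cfg.new_contact_days else "keep"
    if c.status == "invited":
        if days_since(c.status_since) <= cfg.invitation_days:
            return "keep"
        # one automatic re-invitation after 15 days; still no answer 15 days later -> opted-out
        return "resend_invitation" if c.invitations_sent < 2 else "mark_opted_out"
    if c.status == "pending_confirmation":
        return "delete_hashed" if days_since(c.status_since) > cfg.confirmation_days else "keep"
    if c.status == "opted_out":
        return "delete_hashed" if days_since(c.status_since) > cfg.opted_out_days else "keep"
    if c.status == "active":
        last = c.last_activity or c.status_since
        return "delete_hashed" if days_since(last) > cfg.inactivity_days else "keep"
    raise ValueError("unknown status: " + c.status)

TODAY = date(2018, 12, 3)  # constructed reference date for the sample below

def sample_run(today: date = TODAY) -> Dict[str, str]:
    """Constructed contacts covering each state; returns the action decided for each."""
    contacts = {
        "new_fresh": Contact("new", date(2018, 11, 20), date(2018, 11, 20)),
        "new_stale": Contact("new", date(2018, 10, 1), date(2018, 10, 1)),
        "invited_once": Contact("invited", date(2018, 10, 1), date(2018, 11, 10), invitations_sent=1),
        "invited_twice": Contact("invited", date(2018, 10, 1), date(2018, 11, 10), invitations_sent=2),
        "unconfirmed": Contact("pending_confirmation", date(2018, 11, 1), date(2018, 11, 1)),
        "opted_out_old": Contact("opted_out", date(2017, 1, 1), date(2017, 11, 1)),
        "active_opens_only": Contact("active", date(2015, 6, 1), date(2015, 6, 1)),
    }
    # An email open on a dormant contact must not count as activity.
    record_activity(contacts["active_opens_only"], "open", today)
    return {name: retention_action(c, today) for name, c in contacts.items()}
```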
COOKIES
All cookies set by Popsell are technical cookies.
Cookies created by Popsell on the Brand web site
These cookies are created on the brand website, by the Popsell JavaScript tags implemented:
Popsell_session_add: created when an ambassador wants to pick products on the Brand website to import them to the Popsell platform. Contains an ambassador ID and his alias.
Popsell_session_shop: created when a contact has been redirected to the Brand website after a click on an ambassador’s publication. Contains the publication ID.
Popsell_data: can be generated if Popsell needs to pass specific data to the Brand. As of today, this cookie has only been used for Customer IDs or product codes to be added as gifts in the shopping basket.
Cookie life time = 4320 hours by default (180 days). Each Brand can change this lifetime in the Brand configuration.
Cookies created on the Popsell platform
These cookies are created while using the Popsell platform:
Popsell_registered: to remember if the user has already signup, in order to redirect to the login page
Popsell_remember_me: used for autologin of the ambassadors
Popsell_data_dashboard: used to cache dashboard metrics data for performance purposes
Google analytics cookies (_ga, _utm…)
Popsell cookies have a lifetime of 1 year.
DATA PROTECTION
Roles and access to personal data
Popsell account team (community managers and support agents): they are granted access to all data of the Brands they manage, through the Popsell Management platform. These people are referenced in the “users” interface and must log in with their assigned account.
Popsell technical team (developers and system administrators): they can access all data through the Popsell Management platform or through technical database administration tools.
Brand users (administrators, support agents and Community Managers): they have limited access to ambassadors’ data, through the Popsell Management Platform. Ambassadors’ contact data is not available unless a contact has given consent (Brand opt-in). These people are referenced in the “users” interface and must log in with their assigned account. The Brand is responsible for granting and revoking access for its employees.
Ambassadors: on the Popsell platform, they can access their own contacts’ data only. They can see other Ambassadors of the Brand community. The Ambassador information displayed depends on the Brand configuration, and on whether ambassadors have opted out of displaying their personal information to other Ambassadors:
Name of ambassadors: First name and Last name, or only First name + family initial, or only Initials.
Postal code
Profile photo
Gamification metrics: score and badges
Data Access right
Popsell employees and sub-contractors who are part of the account team and the technical team are educated and aware of Data Protection and GDPR rules.
Data can only be accessed or updated on behalf of an Ambassador or a Contact, for support purposes only.
Real data must not be used in testing environments. Members of the development team must use test data only.
Data remains on the Popsell servers and must never be copied and stored on client computers, even by the technical team.
Popsell employees and sub-contractors are not allowed to copy, export or transfer personal data outside of Popsell databases for any reason.
Data transfer
Through the Popsell Manager platform, Brand users can access Ambassadors and Contacts personal data, but only if a consent has been collected.
Contacts data without Brand opt-in is never displayed to Brand users, thus cannot be read, copied or exported.
Contents generated by the Ambassadors (comments posted and personal photos) are displayed in the Popsell Manager platform but cannot be exported or reused by the Brand without the Ambassadors consent.
Data operational security
Popsell is committed through its processes to ensure a secure platform:
All Popsell developers are educated to write secure code and ensure that the platform cannot be hacked using injections and other techniques.
Popsell is performing regular external audits on its platforms to ensure identity, design and operational security.
Identity and access management best practices are implemented. Passwords are never stored in clear text: they are hashed with BCrypt, as described above.
Access logs are recorded to monitor any intrusion or data theft attempt.
Logs are kept for 1 year.
Logs are anonymous and do not record personal data.
Popsell is fully operated on Microsoft Azure Services:
All services and data are hosted in Europe (Primary servers in Netherlands, backup servers in Ireland)
Physical and network protection is ensured by Microsoft services.
Microsoft Azure best practices and guidance are implemented.
Database backup is performed every hour using Microsoft Azure Backup Services
Hourly backups are kept for 40 days.
Monthly backups are kept for 1 year.
All information on security and GDPR compliance of Azure services are available on: https://www.microsoft.com/en-us/trustcenter
Popsell relies on Mailjet services for emailing:
Mailjet is fully GDPR compliant and certified: https://www.mailjet.com/gdpr/mailjet-gdpr-compliance
Data Privacy Policy
Ambassadors are warned of the data privacy policy when they sign-up to the Popsell program and accept the Terms and Conditions.
This policy is always accessible to Ambassadors and their Contacts from any page of the Popsell Platform, and from the footer of emails:
https://www.popsell.com/docs/legal_en_EN.html
Contacts
For any question about data privacy please contact: privacy@popsell.com