At MoEngage we take data protection and privacy seriously. We firmly believe in respecting our customers and their respective users’ privacy rights.
The General Data Protection Regulation (GDPR) framework sets guidelines for the collection and processing of personal data of individuals who live in the European Union (EU). This regulation aims to give users complete control over their own data. With MoEngage, you can comply with GDPR and establish trust with your brand by informing users about the data collection scope and purpose.
In terms of data handling, MoEngage processes personal data on clients’ behalf, according to their instructions.
However, when it comes to personal data collected from clients’ employees who hold EU passports, and from EU citizens who visit our website, MoEngage collects and processes their data through marketing programs that adhere to GDPR guidance.
Security is embedded throughout our organization, from our products to the people. We have set up a ‘security by design’ team which consists of product managers, engineers, and compliance experts, who ensure we have the controls and processes in place to safeguard your data while making continuous improvements as a mandate.
At MoEngage, we go beyond data processing for our clients: we enhance their user experience by automating data collection requests, enabling user data export, and providing options for user data deletion on demand. All these measures make it easier for our clients to comply with GDPR for EU citizens.
What does this mean?
The GDPR informs the processing of user personal data by brands. It also calls for more transparency in terms of the scope, storage, and purpose of critical personal data collection that needs to be communicated to customers.
Our recommendations
Under GDPR, you need to inform your customers about the scope and purpose of their personal data collection. Many of our clients include information about data privacy on their websites and provide their users with easy access to relevant policies. While creating your Privacy Policy, make sure to disclose the information regarding your data sharing with third parties that might process users’ personal data on your behalf, and provide additional information.
What does this mean?
Under GDPR, the data subject has the right to confirmation that their data is being processed; access to their personal data; and other supplementary information, which largely corresponds to the information that should be provided in a privacy notice (see GDPR Article 15).
How is MoEngage compliant with this right?
MoEngage has established mechanisms that help customers, as data controllers, access specific information about data subjects. MoEngage customers can download data for particular users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard.
What does this mean?
Data subjects, under GDPR, are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data used by third parties, you must inform users of the rectification where possible.
How is MoEngage compliant with this right?
MoEngage clients can update their user data for specific users on MoEngage by using one of our data import APIs. These are enabled by default for all clients and can be used whenever an end-user requests that their information be updated. For information on MoEngage Data Import API and how to update user data in MoEngage, please refer to the docs here.
What does this mean?
How is MoEngage compliant with this right?
To help our clients delete the personal data of their users from our database, we recommend the following solutions:
1. An Erase API that erases the personal data of specific users entirely from our database. For more details on the delete API, you can refer to this article. Please note that deleting the data does not automatically stop processing additional data that you send to MoEngage for a given user.
2. Alternatively, you can ask your end-users to uninstall the app from all their devices. Deleting a user from the MoEngage platform will permanently remove the user profile for that particular user. This includes all personal data as mentioned under GDPR guidelines.
Analytics within MoEngage is tied to an anonymous MoEngage User ID. Once the user profile is deleted, the MoEngage User ID effectively becomes a wholly anonymized identifier, as we cannot tie it back to any personally identifiable information.
What does this mean?
Data Subjects have the right to ‘block’ or suppress processing of specific subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual user to ensure that the restriction is respected in the future.
How is MoEngage compliant with this right?
MoEngage SDKs are shipped with the functionality to suppress tracking of personal data for a particular user. As of now, we cannot suppress the tracking of specific categories of data, but we will stop tracking all the data entirely. For more information on disabling data tracking from the MoEngage SDK, you can refer to this implementation doc.
What does this mean?
The right to data portability allows individuals to obtain and reuse their personal data for their purposes across different services.
How is MoEngage compliant with this right?
Similar to the Right to Access, MoEngage customers can easily download the data of specific users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard. For more information on this, you can refer to our help article.