Privacy Notice Relating to the European Union General Data Protection Regulation (GDPR)
For the purposes of this document, SiteSpect refers to three corporate entities:
- SiteSpect, Inc., located in Auburndale, Massachusetts, United States
- SiteSpect Limited, located in Derby, Derbyshire, United Kingdom
- STSP Europe BV (d/b/a SiteSpect Europe), located in Breukelen, The Netherlands
Some SiteSpect clients are located in the European Union (EU) or other regions, and/or do business with clients within the EU or elsewhere. In these cases, the company with which SiteSpect is contracted is required to comply with all GDPR obligations.
SiteSpect is committed to meeting all of the EU GDPR requirements.
SiteSpect complies with the GDPR regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland transferred to the United States. SiteSpect has certified that it adheres to the GDPR policies with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the GDPR policies, the GDPR policies shall govern.
The Federal Trade Commission has jurisdiction over SiteSpect’s compliance with the GDPR policies and SiteSpect is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
SiteSpect, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SiteSpect has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. SiteSpect, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
As part of the GDPR obligations, companies are required to advise you of their policy in a clear and transparent manner, and to provide this information free of charge. Listed below are some of these requirements (the list is not exhaustive):
- Who is responsible to control your personal data (if any), and their contact information
- The purpose of its collection
- Specifically, what is collected
- If it is shared with any third parties, and why
- Details of transfers to third countries and how it is protected during this transfer
- Your ability to “Opt Out” or withdraw consent at any time
- Your ability to access your personal data
- If the collection is part of a statutory or contractual obligation
- The existence of any automated decision making or profiling
- The source, if data is collected by a third party
Responsibility to Control Your Personal Data
SiteSpect has designated its Data Privacy Officer to oversee the control of personal data and coordinate SiteSpect’s compliance with the GDPR obligations. The contact information for the Data Privacy Officer appears near the end of this document.
Purpose of Collection
As noted in our general Privacy Policy, SiteSpect contracts with a variety of companies to provide a service that tests variations in the digital customer experience on its clients’ websites. Users of those websites are unlikely to be able to detect that SiteSpect is involved during the browsing experience.
In order to fulfill SiteSpect’s contractual obligation to its clients, it must collect some specific information. In addition, SiteSpect is contractually obligated to maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS) which requires preservation of audit logs for at least one year.
SiteSpect will not retain data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations.
What is Collected
While SiteSpect believes that aggregated data it collects does not constitute personally identifiable information (PII) as defined by the GDPR, it secures this data as if the data is PII. The data is subject to strict access controls and when processed and transmitted by SiteSpect, the data is encrypted.
While providing services to our clients, SiteSpect collects the following data, which is stored in audit logs and made available in reports accessible to SiteSpect clients, and which could potentially raise privacy issues under the GDPR:
- The user’s browser agent-string (also known as the User Agent)
- The user’s Ancillary Cookie Value (if configured by the client and consented to by the user on the client’s website)
- The user’s OmniChannel Cookie Value (if configured by the client and consented to by the user on the client’s website)
- The user’s IP address
- The user's SiteSpect ID, an anonymous, randomized identifier stored as a cookie
Definitions of the above terms
The user’s browser agent-string is supplied by the user’s browser and tells the website about the browser and operating system in use. This allows the website to customize content for the capabilities of a particular device. On average, only one person in about 1,500 will have the same agent-string as you. On its own, that isn’t enough to reveal a person’s identity, but in combination with other details, such as geolocation to a particular ZIP code, the agent-string might be used to identify an individual. Here is an example of an agent-string sent by a user of the Firefox browser: “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0”.
The Ancillary Cookie Value and OmniChannel Cookie Value are simply "-" by default, which reveals nothing about the identity of the user. However, the website of the SiteSpect client can set these values, once it has obtained a user’s consent to use cookies.
An IP address is a numerical label used to identify one or more devices on the Internet. While SiteSpect stores the entire IP address in its audit logs, only the first two octets of the IP address are displayed when it is reported to SiteSpect clients. By providing only a portion of the IP address to clients, the clients’ ability to relate the IP address to a specific individual is limited, and location data is limited to the state- or possibly county-level of detail. According to an EU court decision, an IP address is only personal information when it is accompanied by other data that, when used together, could reveal an individual’s identity.
The SiteSpect ID is an anonymous, randomized identifier that is generated for each user device and stored as a cookie. Commonly the cookie is named "SSID" and set to persist within the user's browser. This is used to associate multiple visits to a website by the same user, to ensure consistency of the user experience. By setting this cookie value to "0" (numeric zero), an end user effectively opts-out of any further data collection by the SiteSpect business service.
Disclosure of Personal Data
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your Personal Information to any regulatory or law enforcement agency if we believe that such action is necessary to protect the rights, property, or personal safety of SiteSpect, Inc., its customers, or any third party. In all other cases, SiteSpect, Inc. does not share Personal Information with third parties. If that changes in the future, SiteSpect, Inc. shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
SiteSpect, Inc. complies with the GDPR policies for all onward transfers of personal data from the EU, UK, and Switzerland to the United States, including the onward transfer liability provisions. In cases of onward transfer pursuant to the GDPR policies, SiteSpect, Inc. is potentially liable.
A subset of the data collected may be shared with SiteSpect, Inc.’s customers in order to provide its service of testing variations in the digital customer experience on its clients’ websites.
Data Transfers Between Countries
All data transmitted by SiteSpect from the EU to the US and vice versa is encrypted using TLS.
Your Ability to "Opt Out" or Withdraw Consent
Since SiteSpect does not control the user interface of the webpages that its clients' users are interacting with, it does not display any consent notices. Instead, it is the client’s websites that have the obligation to obtain user consents.
Contacting SiteSpect for Privacy Inquiries or Dispute Resolution
Since SiteSpect is a service provider, it does not control or collect the personal data that you may have shared with our client. Furthermore, if you ask one of our clients to provide you with a copy of all the personal information they have about you, the client is obligated to also pass that request on to SiteSpect. Therefore, SiteSpect recommends that if you wish to inquire about what data SiteSpect has about you, the initial inquiry should be submitted to the point of contact published in the website operator's privacy policy.
You still retain the right to contact SiteSpect directly. To request a copy of the data that we have about you or to confirm that SiteSpect systems are clear of any PII about you, please include the IP address used, since SiteSpect does not store your name or other identifying information. Evidence that you are in possession or control of the device that uses the IP address should be included in the inquiry.
In compliance with the GDPR policies, SiteSpect commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to GDPR policies. European Union, UK, and Swiss individuals with GDPR inquiries or complaints should first contact SiteSpect at dpo@sitespect.com or through the postal address listed below.
SiteSpect has further committed to refer unresolved privacy complaints to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your GDPR complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.
The same points of contact may be used to make any inquiries about SiteSpect’s compliance with the EU GDPR or to initiate any privacy complaints.
Please contact us by email at dpo@sitespect.com or in writing at:
SiteSpect, Inc.
Attn: Data Privacy Officer
275 Grove St, Suite 3-400
Auburndale, MA 02466
USA