Customer Notice on EU GDPR and CCPA Support

SiteSpect Customer Notice On The European Union Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA)

This notice applies to the following corporate entities (“Companies”).  It is relevant to Customers using SiteSpect software (“System”) who (a) conduct business with End Users that are citizens of the European Union (“EU”), and are thereby governed by the EU GDPR in effect as of May 25, 2018, and (b) conduct business with End Users that are citizens of the state of California, US, and are thereby governed by the CCPA in effect as of January 1, 2020.

  • SiteSpect, Inc., located in Auburndale, Massachusetts, United States
  • SiteSpect Limited, located in Derby, Derbyshire, United Kingdom
  • STSP Europe BV (d/b/a SiteSpect Europe), located in Utrecht, The Netherlands

The Companies are committed to meeting all EU GDPR and CCPA requirements.

Security

The Companies have a comprehensive and mature Information Security program and are committed to the privacy and security of their Customers’ data.  Any information processed through the System is securely handled, solely accessed by authorized personnel, and treated as confidential. The Companies implement and maintain appropriate technical, security, and organizational controls to protect all personal data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure.

End User Ability to Opt-Out or Withdraw Consent

It is each Customer's obligation to obtain End User consents. The Companies do not operate the web site or digital property that their Customers’ End Users interact with, and therefore do not display any consent notices. SiteSpect provides an endpoint (/__ssobj/opt-out) that will automatically remove any SiteSpect cookies for that user. Customers may choose to use this functionality within their consent framework.

See Cookie Consent for more information about configuration options.

End User Ability to Request Data Deletion

End Users have the right to request that you delete any historical data you have stored about them. To delete End User data, please submit a request to helpdesk@sitespect.com with a list of End User identifiers (SiteSpect ID cookie values) and/or End User IP addresses. Your request will be processed within fifteen (15) calendar days and you will receive a confirmation response when it’s complete.

Data Collection

In its default configuration, the System is configured to prevent the capture of any personally identifiable information.  However, to perform its intended function, the System has the capability to read specific End User information. Due to the sensitivity of some of the information processed by the System, the Companies maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS), which requires preservation of audit logs for at least one year.

The Companies will not retain data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations.

What is Collected

The System has the capability to report aggregated data, which is subject to strict access controls and encrypted when processed and transmitted.

While providing services to our Customers, the Companies collect the following End User data, which is stored in audit logs and available in reports:

  • The End User’s browser agent-string (also known as the User Agent)
  • The End User’s Ancillary Cookie Value (if configured by the Customer and consented to by the End User on the Customer’s website)
  • The End User’s OmniChannel Cookie Value (if configured by the Customer and consented to by the End User on the Customer’s website)
  • The End User’s IP address
  • The End User’s SiteSpect ID, an anonymous, randomized identifier stored as a cookie (typically “SSID”)

The Court of Justice of the European Union ruled, under Case 582/14, Patrick Breyer v Germany, that IP addresses are "personal data" in certain circumstances and stated IP addresses would only qualify as personal data if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) in the course of using the website.  The System does not store such additional user details.

Definitions of the above terms

End User’s browser agent-string:  is supplied by the End User’s browser and provides the Customer’s website with information about the browser and operating system.

Ancillary Cookie Value:  is set to "-" by default, which reveals nothing about the identity of the End User. The Customer website can set these values after it has obtained an End User’s consent to use cookies.

OmniChannel Cookie Value:  is set to "-" by default, which reveals nothing about the identity of the End User.  The Customer website can set these values after it has obtained an End User’s consent to use cookies.

SiteSpect ID:  is an anonymous, randomized identifier that is generated for each user device and stored as a cookie.

GDPR Feature in SiteSpect Configuration

SiteSpect has implemented an optional feature within the SiteSpect service that prevents the collection of full End User IP addresses, which under certain circumstances may be considered personal information (PII) under the GDPR. This feature is OPT-IN and not enabled by default.

Please note that enabling this feature will (1) prevent IP-based segmentation in SiteSpect's reporting feature, and (2) delete the left-most two IP address numerical values (e.g. x.x.0.0) that are shown within exported campaign data or downloaded web traffic log files.

SiteSpect customers wishing to enable this feature, or having any questions about our support for GDPR compliance, should contact the SiteSpect Help Desk at helpdesk@sitespect.com.

End Users Contacting SiteSpect for Privacy Inquiries or Dispute Resolution

Under GDPR, End Users have the right to contact the Companies directly.  Contact information and instructions can be found on our website at Business Services Privacy Policy.

In compliance with the EU-US Data Privacy Framework program’s Principles, the Companies commit to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union individuals with DPF inquiries or complaints should first contact dpo@sitespect.com.

The Companies have further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2