Ptengine GDPR Compliance

Ptengine GDPR Compliance

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 27 April 2016 and becomes enforceable from 25 May 2018. What’s important is that GDPR applies to your business as long as you provide services to EU citizens, even if you don’t run the business inside of EU territory. Ptengine is committed to be fully compliant with GDPR when it’s enforced.

As the Ptengine product team we are very proud to serve global customers and deeply appreciate our customers’ trust in us. We’ve always treated privacy, data security and integrity as our top priority and consider GDPR as a great opportunity to have a thorough review to our services and processes, and make further improvements as necessary. This article is for explaining how Ptengine internally collects, stores and shares data, as well as the specific actions we take to get fully compliant with GDPR. It also covers the actions needed for our customers to become GDPR compliant, with regard to using Pteingine for web analytics.

How does Ptengine collect, store and share data?

By embedding Ptengine’s data collection Javascript code on their websites, our customers send their website’s visitors’ activities to our backend servers. Our Javascript code uses a first party cookie to store a unique identifier for getting to know if a visitor is new or a returning one. The identifier is generated randomly and doesn’t carry any personal information. When a visitor browses our customer’s website, activity data is sent to our servers, including:
- Browser information
- Operating system information
- Mobile device information (not including device’s unique ID)
- IP address (see notes in the next section on changes related to this)
- Pages accessed
- Time of visit
- Referring site
- ID of web page element clicked by mouse
- Mouse scroll position
- Duration of stay on pages

The purpose of the data collection is for analyzing trends based on groups of visitors but not for identifying any individual visitor. Our collection code never collects information on web pages which can potentially contain personal identifiable information.

Our backend servers store such data and later use it for rendering charts, tables and maps for visualizing the data to our customers, inside of Ptengine product. Our data store is carefully secured and never exposed directly to the internet. Data from different customers are strictly isolated.

Ptengine never shares data with individuals and companies other than the specific customer on whose website Ptengine collected the visitor information.

What actions are we taking to be GDPR compliant?

While reviewing GDPR requirements we’ve identified areas we should improve. Here is a list of major actions we took (some are still ongoing):
- Thoroughly review our internal data flow and data storage, and maintain an up-to-date documentation.
- Update our Terms of Service and Privacy Policy to make them more concise and easier to understand.
- Implement IP address anonymization. Full IP address won’t be stored anymore after May 25, 2018.
- Fully delete account information and collected website visitor data upon account deletion.
- Implement retention control for service log files and database backups.

What do our customers need to do?

If your website serves EU citizens you’re likely already preparing for GDPR compliance. Since Ptengine does not collect personal identifiable information, it doesn’t add additional liability to your compliance work. However we still recommend that you update your Terms of Service and Privacy Policy to indicate that you use Ptengine for analyzing website usage, and reference back to Ptengine’s Terms of Service and Privacy Policy.

If you have any question, please don’t hesitate to contact us at support@ptmind.com.