Ptengine GDPR Compliance

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 27 April 2016 and becomes enforceable from 25 May 2018. What’s important is that GDPR applies to your business as long as you provide services to EU citizens, even if you don’t run the business inside EU territory. Ptengine is committed to being fully compliant with GDPR when it’s enforced.

As the Ptengine product team, we are very proud to serve global customers and deeply appreciate our customers’ trust in us. We’ve always treated privacy, data security and integrity as our top priority, and we consider GDPR a great opportunity to thoroughly review our services and processes and make further improvements as necessary. This article explains how Ptengine internally collects, stores and shares data, as well as the specific actions we take to become fully compliant with GDPR. It also covers the actions our customers need to take to become GDPR compliant with regard to using Ptengine for web analytics.

How does Ptengine collect, store, and share data?

By embedding Ptengine’s data collection JavaScript code on their websites, our customers send their website visitors’ activities to our backend servers. Our JavaScript code uses a first-party cookie to store a unique identifier that tells us whether a visitor is new or returning. The identifier is generated randomly and doesn’t carry any personal information. When a visitor browses our customer’s website, activity data is sent to our servers, including:

  • Browser information
  • Operating system information
  • Mobile device information (not including the device’s unique ID)
  • IP address (see notes in the next section on changes related to this)
  • Pages accessed
  • Time of visit
  • Referring site
  • ID of web page element clicked by mouse
  • Mouse scroll position
  • Duration of stay on pages

The purpose of the data collection is to analyze trends based on groups of visitors, not to identify any individual visitor. Our collection code never collects information on web pages that can potentially contain personally identifiable information.

Our backend servers store this data and later use it to render the charts, tables, and maps that visualize the data for our customers inside the Ptengine product. Our datastore is carefully secured and never exposed directly to the internet. Data from different customers are strictly isolated.

Ptengine never shares data with individuals and companies other than the specific customer on whose website Ptengine collected the visitor information.

What actions are we taking to be GDPR compliant?

While reviewing GDPR requirements we’ve identified areas we should improve. Here is a list of major actions we took (some are still ongoing):

  • Thoroughly review our internal data flow and data storage, and maintain up-to-date documentation.
  • Update our Terms of Service and Privacy Policy to make them more concise and easier to understand.
  • Implement IP address anonymization. Full IP addresses will no longer be stored after May 25, 2018.
  • Fully delete account information and collected website visitor data upon account deletion.
  • Implement retention control for service log files and database backups.

What do our customers need to do?

If your website serves EU citizens, you’re likely already preparing for GDPR compliance. Since Ptengine does not collect personally identifiable information, it doesn’t add additional liability to your compliance work. However, we still recommend that you update your Terms of Service and Privacy Policy to indicate that you use Ptengine for analyzing website usage, and refer to Ptengine’s Terms of Service and Privacy Policy.

If you have any questions, please don’t hesitate to contact us at support@ptmind.com.