Our GDPR Compliance Commitment
February 2025
The General Data Protection Regulation (GDPR) is a landmark privacy law that applies to all organizations handling the personal data of European Union (EU) individuals. It strengthens and unifies data protection laws across EU member states and grants EU citizens and residents specific rights over, and control of, their data globally through its extra-territorial effect.
Everflow commits to upholding the data privacy requirements of the GDPR and will support our customers with their compliance needs with respect to the GDPR and other data privacy legislation.
In support of this commitment, we have implemented processes and controls that strengthen our data protection technologies, enable data subjects to exercise their rights, and provide transparency into the data elements we collect and their retention periods. Additionally, we have implemented a structured compliance program that aligns with GDPR requirements through the following:
- Developed a plan to address product areas and processes affected by GDPR
- Published a Data Processing Addendum
- Revised our Privacy Policy and Service Terms
- Present website users with a cookie tracking notice
- Delete customer data upon request by data controllers
- Allow account-level opt-in for obfuscation of personal data elements
- Replace the last octet with "xxx" in reports for all EU user IP addresses
- Blanket device IDs upon request
- Signed up with an Alternative Dispute Resolution (ADR) provider
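The last-octet masking listed above is a common IP anonymization control. The following is an added example of how such a control can be applied to report rows; it is not Everflow's code. It assumes that EU status is determined by a lookup function (modelled here with a constructed list of documentation prefixes rather than a real geolocation database), and it extends the page's IPv4 rule to IPv6 by keeping only the /64 prefix, which is an assumption beyond what the page states.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed for this example: address ranges treated as "EU" so the
# sample runs offline. A real deployment would consult a geolocation source.
EU_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_eu_address(ip_text: str) -> bool:
    """Return True if the address falls in one of the (constructed) EU ranges.
    Raises ValueError for input that is not a valid IP address."""
    addr = ipaddress.ip_address(ip_text.strip())
    return any(addr in net for net in EU_NETWORKS)


def mask_ip(ip_text: str) -> str:
    """Replace the last octet of an IPv4 address with "xxx".

    For IPv6 (an assumption beyond the page's rule), keep the /64 network
    prefix and replace the 64-bit interface identifier with "xxxx" groups.
    Raises ValueError for input that is not a valid IP address.
    """
    addr = ipaddress.ip_address(ip_text.strip())
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(octets[:3] + ["xxx"])
    # IPv6: normalise to the /64 network and emit the expanded first four groups.
    net = ipaddress.ip_network(f"{addr}/64", strict=False)
    prefix = net.network_address.exploded.split(":")[:4]
    return ":".join(prefix + ["xxxx"] * 4)


def anonymize_rows(rows: List[Dict[str, str]],
                   is_eu: Callable[[str], bool] = is_eu_address) -> List[Dict[str, str]]:
    """Return a copy of the report rows with EU IP addresses masked.

    Non-EU addresses are left as-is. Values that do not parse as an IP are
    replaced with "invalid" so that unparseable raw input is never emitted
    into a report by mistake (fail closed).
    """
    out = []
    for row in rows:
        row = dict(row)
        ip = row.get("ip")
        if ip is not None:
            try:
                if is_eu(ip):
                    row["ip"] = mask_ip(ip)
            except ValueError:
                row["ip"] = "invalid"
        out.append(row)
    return out


# Constructed sample report rows using documentation/example address ranges.
SAMPLE_ROWS = [
    {"click_id": "c1", "ip": "203.0.113.57"},                  # EU (per table)
    {"click_id": "c2", "ip": "198.51.100.9"},                  # non-EU
    {"click_id": "c3", "ip": "2001:db8:85a3::8a2e:370:7334"},  # EU IPv6
    {"click_id": "c4", "ip": "not-an-ip"},                     # bad input
]

if __name__ == "__main__":
    for row in anonymize_rows(SAMPLE_ROWS):
        print(row)
```

The masking is applied at report-generation time, so the decision of which rows to mask depends entirely on the EU lookup; a practitioner reviewing such a control would want to confirm that the lookup is authoritative and that masking happens before the data reaches any downstream export.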
Further, as data privacy legislation evolves within the EU and other national jurisdictions, Everflow will assess and implement changes necessary to support our customers.
For current and future customers of Everflow, we ask that you do the following:
- Ensure your Terms of Service or Privacy Policy clearly state how you are collecting and using personally identifiable information (PII).
- Provide a means by which your users can notify you of Data Subject Requests (DSRs).
- Review the terms of Everflow’s DPA. Our DPA is included as part of our Terms of Service. If you require an executed DPA, please reach out to your account executive for our Enterprise service tier.
To further inform customers and individuals about the GDPR and similar forms of data privacy legislation, we have compiled a list of frequently asked questions:
What is PII and how does the GDPR protect it?
The GDPR defines PII in Article 4 as the following:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR, in most business use cases, requires organizations processing PII to adhere to modern secure data handling practices and provide individuals with access, rectification, and deletion capabilities. More plainly put, it gives the individual direct control over their PII. Businesses that must process PII are now required to follow these protection criteria, and when they do not, could suffer financial penalties. In addition, many other national jurisdictions now have data privacy laws similar to the GDPR with enforceable penalties for non-compliance.
We are not based in the EU. Are we still required to comply with the GDPR?
The GDPR leverages extra-territorial effect through its contractual data protection requirements. Most national jurisdictions enforce contract law, and if you do business with an EU entity, or target and/or process data on EU individuals, then you likely will be required to adhere to the provisions in the GDPR. You should consult your legal advisor for further specifics.
Some of our campaigns collect data from non-customers. Do we still need to comply?
Yes, while the GDPR does have provisions for exceptions, in general, ad campaigns are a form of mass collection for business purposes and are not exempt.
I believe Everflow has my data and I’d like for you to delete it.
As a processor, we are required to follow the instructions directed by the controller with respect to your data. You should reach out to the organization you entered into an agreement with as we are contractually obligated to decline these requests.
However, we recognize that there may be extenuating circumstances within certain legal jurisdictions where we must process or forward your request. For those cases, please reach out to privacy@everflow.io.