In light of General Data Protection Regulation (GDPR) obligations and the California Consumer Privacy Act (CCPA), Chartbeat wants our customers and users to know that we are committed to ensuring compliance and superior data protection.
We have always held strict guidelines around consumer data privacy and data security. Since 2017, we have undergone an extensive data protection audit, appointed a data protection officer, and have been working to review and augment all of our data practices. Even though we have already achieved high levels of data security and protections, we continue to diligently work to enhance and improve our data privacy practices.
Important: We wanted to provide this readiness summary as a plain English explanation of GDPR and the CCPA and our compliance efforts. This is not a legal document, nor is it meant to provide all legal terms related to our provision of the services to you. For legal terms, please see the relevant agreement between you and Chartbeat.
The FAQ below addresses how Chartbeat is approaching GDPR and the CCPA, how our product works with regard to personal data, and what resources customers can access with respect to each.
The General Data Protection Regulation (GDPR) is a European regulation adopted by the European Commission on data protection and privacy for the benefit of individuals located in the European Union. In short, it provides comprehensive data privacy protection for the personal data of EU individuals, focusing on transparency, accountability and the rights of data subjects.
The California Consumer Privacy Act (CCPA) is a California law on data protection and privacy for the benefit of California consumers.
One of the earliest decisions Chartbeat made as a business — and one which we've stuck to steadfastly over the years — is to build our products with user privacy as a top priority.
In light of GDPR and CCPA, we continue to evaluate and improve all of our data security, privacy, storage and data handling procedures and practices. Chartbeat does not sell any personal information.
Beyond our product, Chartbeat continuously evaluates our data privacy and security practices around standard business operations (such as marketing, finance and sales) to ensure that we are GDPR- and CCPA-compliant now and in the future.
We will continue to enrich our data protection measures and communicate about them here on this site, and directly with our customers.
In terms of the data we collect on behalf of our customers, Chartbeat obtains but does not store user internet protocol (IP) addresses and certain other online identifiers which constitute “Personal Data” and personal information under GDPR and CCPA’s broad definitions, respectively.
Chartbeat’s products are designed to provide full functionality to our customers without needing any identifying information about our customers’ website visitors or consumers, such as name, email address or any similar information. We do not collect or store such information. Further, as a matter of data security and privacy, we also do not collect or store any sensitive or special categories of Personal Data or personal information.
Every computer and device connected to the Internet is assigned an Internet Protocol (“IP”) address. IP addresses, which need to be used by websites for the Internet to function, enable information to pass between computers and servers.
Chartbeat uses IP addresses in order to provide our service. When visitors browse on websites using Chartbeat, Chartbeat code transmits information about what was read to our servers. This communication between browser and server necessarily involves IP addresses, as all Internet communication does. We use IP addresses to handle that data transmission. After receipt of this data, we strip identifying information from the IP addresses by masking the last octet, and use this masked IP address to identify the city and country in which a visitor is based. We then delete masked IP addresses from our systems within two hours of receipt. We do not use IP addresses in any other part of our system.
In technical terms, this means that each IP’s final octet is converted to 000 before being processed by Chartbeat's systems and is never written to disk. Conversion to 000 prevents the address from being used to track back to an individual host.
Chartbeat does not set third-party cookies. We also do not take any steps to identify specific visitors (for example, we do not do browser fingerprinting or collect device IDs).
There are two types of cookies: first-party cookies and third-party cookies. First-party cookies are controlled by website owners, and they are specific to that particular website. Third-party cookies, by contrast, are set by third parties and may be used to track visitors between domains.
Chartbeat was designed with privacy in mind, and is a first-party analytics platform. This means that publishers who use our service can set first-party cookies on their sites using Chartbeat code, or they can run in cookieless mode. However, Chartbeat does not, under any circumstances, set third-party cookies on our publishers’ sites.
Yes. Chartbeat’s standard Terms of Service have been amended consistent with GDPR requirements and are located here. Customers governed by our standard Terms of Service will be automatically served by our Data Processing Addendum ("DPA") after May 25, 2018.
Chartbeat customers have the ability to manage and adjust controls over data they share with Chartbeat. Additionally, publishers can modify Chartbeat data settings, including running Chartbeat in cookieless mode. Please note that the only way to enter cookieless mode is for a developer to change the way that Chartbeat's code is implemented across the entire domain.
For more information on our data security practices, you can access our data security policy here.