In light of General Data Protection Regulation (GDPR) obligations, Chartbeat wants our customers and users to know that we are committed to ensuring compliance and superior data protection.
We have always held strict guidelines around consumer data privacy and data security. Since 2017, we have undergone an extensive data protection audit, appointed a data protection officer, and self-certified under the EU-US Privacy Shield, and we have been working to review and augment our data practices. Even though we have already achieved high levels of data security and protection, we continue to work diligently to enhance and improve our data privacy practices, and we want you to know that we won’t just stop on May 25 when the GDPR goes into effect.
Important: We wanted to provide this readiness summary as a plain English explanation of the GDPR and our compliance efforts. This is not a legal document, nor is it meant to provide all legal terms related to our provision of the services to you. For legal terms, please see the relevant agreement between you and Chartbeat.
The FAQ below addresses how Chartbeat is approaching GDPR, how our product works with regard to personal data, and what resources customers can access with respect to GDPR.
The General Data Protection Regulation (GDPR) is a European regulation adopted by the European Commission on data protection and privacy for the benefit of individuals located in the European Union. In short, it provides comprehensive data privacy protection for the personal data of EU individuals, focusing on transparency, accountability and the rights of data subjects.
One of the earliest decisions Chartbeat made as a business, and one which we've stuck to steadfastly over the years, is to build our products with user privacy as a top priority.
In light of GDPR, we have been diligently re-evaluating all of our data security, privacy, storage and data handling procedures, and working to improve and strengthen those (already strong) practices.
Beyond our product, Chartbeat is also evaluating our data privacy and security practices around standard business operations (such as marketing, finance and sales) to ensure that we are GDPR compliant now and in the future.
We will continue to enrich our data protection measures and communicate about them here on this site, and directly with our customers.
In terms of the data we collect on behalf of our customers, Chartbeat’s service is what GDPR refers to as a “Data Processor.” In acting as such, Chartbeat obtains user internet protocol (IP) addresses and certain other online identifiers which constitute “Personal Data” under the GDPR’s broad definition.
Chartbeat’s products are designed to provide full functionality to our customers without needing any identifying information about our customers’ website visitors, such as name, email address or any similar information. We do not collect or store such information. Further, as a matter of data security and privacy, we also do not collect or store any sensitive or special categories of Personal Data.
Every computer and device connected to the Internet is assigned an Internet Protocol (“IP”) address. IP addresses, which need to be used by websites for the Internet to function, enable information to pass between computers and servers, while also giving website owners a sense of the location their visitors are coming from. This helps companies provide services, protect data and abide by regulations.
Chartbeat uses IP addresses in order to provide our service. When visitors browse on websites using Chartbeat, Chartbeat code transmits information about what was read to our servers. This communication between browser and server necessarily involves IP addresses, as all Internet communication does. We use IP addresses to handle that data transmission. After receipt of this data, we strip identifying information from the IP addresses by masking the last octet, and use this masked IP address to identify the city and country in which a visitor is based. We then delete masked IP addresses from our systems within two hours of receipt. We do not use IP addresses in any other part of our system.
In technical terms, this means that each IP’s final octet is converted to 000 before being processed by Chartbeat's systems and is never written to disk. Conversion to 000 prevents the address from being traced back to an individual host.
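The last-octet masking described above can be sketched as follows. This is an added example, not Chartbeat's code: the function names, the handling of IPv4-mapped IPv6 addresses and the /48 prefix for IPv6 are assumptions (the page only describes IPv4), and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

V4_PREFIX = 24  # keep the first three octets, zero the last (as the page describes)
V6_PREFIX = 48  # assumption: the page does not say how IPv6 is treated


def mask_ip(raw):
    """Return the masked address as a string, or None if raw is not an IP."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # never pass an unparsed client string downstream
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them
    # so they are masked as IPv4 instead of keeping all four octets.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def masked_counts(raw_ips):
    """Count hits per masked address; only masked values are ever stored."""
    counts = {}
    for raw in raw_ips:
        key = mask_ip(raw)
        if key is None:
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample input (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE = [
    "203.0.113.7",
    "203.0.113.250",
    "::ffff:203.0.113.99",
    "198.51.100.14",
    "2001:db8:12:3456::1",
    "not-an-ip",
]

if __name__ == "__main__":
    for masked, hits in masked_counts(SAMPLE).items():
        print(masked, hits)
```

Three distinct hosts in the sample collapse to the single key `203.0.113.0`, which is the effect the masking relies on: up to 256 addresses in the same /24 become indistinguishable while city and country lookup still works on the remaining prefix.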
Chartbeat does not set third-party cookies. We also do not take any steps to identify specific visitors (for example, we do not do browser fingerprinting or collect device IDs).
There are two types of cookies: first-party cookies and third-party cookies. First-party cookies are controlled by website owners, and they are specific to that particular website. Third-party cookies, by contrast, are set by third parties and may be used to track visitors between domains.
Chartbeat was designed with privacy in mind, and is a first-party analytics platform. This means that publishers who use our service can set first-party cookies on their sites using Chartbeat code, or they can run in cookieless mode. However, Chartbeat does not, under any circumstances, set third-party cookies on our publishers’ sites.
Yes. Chartbeat’s standard Terms of Service have been amended consistent with GDPR requirements and are located here. Customers governed by our standard Terms of Service will be automatically served by our Data Processing Addendum ("DPA") after May 25.
Yes, we would be happy to enter into a DPA with you if you provide service to individuals in the EU. You can download the DPA here. Please note that if you are on standard Terms of Service with us, you will be covered under the Terms of Service automatically. If you are not on standard Terms of Service, or if you are unsure, you will need a DPA with Chartbeat. Please provide a signed copy by May 25 to your Customer Success Manager or email it to us at firstname.lastname@example.org.
Chartbeat customers have the ability to manage and adjust controls over data they share with Chartbeat. Additionally, publishers can modify Chartbeat data settings, including running Chartbeat in cookieless mode.
Please note that the only way to enter cookieless mode is for a developer to change the way that Chartbeat's code is implemented across the entire domain.
For more information on our data security practices, you can access our data security policy here.