What is captured
ReCheckit captures customer related information for the purpose of increasing conversion on its Clients’ websites.
ReCheckit captures information to feed its email-generator engine, in order to create and send customized e-mails and captures onsite related information to draw a customer’s attention to their ongoing purchase process.
The following data and personal data may be captured:
- Customer E-mail address
- Customer First name
- Basket / form contents
- Order number
- Technical information
- Browser agent details
- Product details
- Product page
- Product image
In addition to the above, ReCheckit can capture more customer related data, based on separate agreement with Clients, e.g.:
- Full name
- Telephone number
- Delivery information (physical address)
- IP address
ReCheckit follows the ‘need-to-know’ approach prompted by the EU GDPR principles of purpose limitation, data minimalization and storage limitation. Only the personal data relevant for the given Client and product/service is captured, stored and processed.
What is NOT captured
ReCheckit never stores
- Credit Card information
- Social Security Number
- Sensitive personal data
How data is captured
This code runs in the customer’s browser and sends relevant data via https:// protocol to ReCheckit servers.
- ReCheckit does not introduce new Cookie domains.
- ReCheckit may create cookies in the same cookie domain the Client already possesses.
- ReCheckit uses solely Session Cookies and these are removed by the browser at the end of the session.
As a technical measure, personal data is never stored in Cookies.
ReCheckit may use storage functionalities of the browser (Local Storage) for storing data related to a session, such as:
- Data cache – stored for the session lifetime (maximum 30 minutes)
- Product information – stored for the duration of the session, (maximum 30 minutes)
- Browser identifier – remains in Local Storage
- Timestamp of the last shown OnSite – remains in Local Storage
As a technical measure, personal data is never stored in Local Storage.
Clients can deactivate ReCheckit’s script from their websites at any time – even on an ad-hoc basis.
This allows our clients to block personal data capture at any time, including the following scenarios:
- Non-acceptance of personal data usage by their customers
- When the customer is properly identified (e.g. via a successful login) and has actively opted out of personal data usage.
Location, underlying services
ReCheckit uses Amazon Web Services (AWS) as its infrastructure for running its platform.
ReCheckit takes advantage of AWS technology to mitigate DDOS and other attacks. Client website scripts are hosted and delivered by relevant AWS services, such as AWS CloudFront for CDN.
AWS Regions are used to host data capture servers near the clients’ customer-base, and also to meet country legislations. ReCheckit uses AWS EU premises as a primary storage region. ReCheckit does not replicate live data outside of that region.
Database storage is multi-layered, each layer forms an additional security layer to protect malicious data access or modification. Databases are accessed solely within the same region, only allowing private IP addresses within the same subnetwork.
ReCheckit builds its platform on a highly available architecture with high focus on secure replication across different availability zones. ReCheckit does not provide online access to personal data stored in its systems as this would weaken our systems against malicious access attempts.
Non-personal data, such as statistics or insights on data traffic and certain KPIs are available online via our Dashboard, however these are aggregated data only – no personal data is available on the Dashboard server.
Access to AWS account and AWS infrastructure is highly restricted. Access to database servers, databases and backup storage is further restricted (limited to certain IT administrators, trained in IT Security).
Session-related data is stored in related databases which are backed up in encrypted format of RSA encryption using 2048-bit keys. The backups and their encryption are performed automatically with no manual intervention. The private key for accessing encrypted backups is separately encoded and available only for recovery situations.
ReCheckit never gives customer related data to 3rd parties or partners.
Data Controllers do not have a direct, online access to Personal Data stored in ReCheckit Platform. While they can review relevant and near-live statistical data via a Dashboard related to their sites, they don’t have access to individual Personal Data of their customers via the Dashboard.
Clients may have access to a limited number of e-mails generated for their Customers (e.g. Support cases), yet solely on individual basis – bulk download of e-mails is not supported.
Data processing is fully automatic, no manual/human intervention is needed to operate the services (e.g. sending out e-mails, claiming recovered sales, etc.)
ReCheckit is a Data Processor that does not collect personal data directly from Data Subjects. Obtaining consent from the Data Subjects (customers on Data Controllers’ websites) is the sole responsibility of the Data Controller
Clients may provide ReCheckit with an unsubscribes lists (e.g. based on Data Subjects’ complaint) which are then registered to ReCheckit platform to avoid any further e-mail sending.
Automatic Data Deletion
Automatic data deletion is built in ReCheckit Platform as ReCheckit platform supports auto-removal of personal data. Data deletion is performed automatically and is being actively monitored on an internal Operational Dashboard. Depending on the DPA signed between the Data Controller and ReCheckit, personal data will be automatically deleted from live dataset after 1, 7, 14 days, 1, 2, 3, 6 or 12 months of first capturing it.
Note, that this has an impact on supporting any queries regarding personal data. Once the data is removed, it is not possible to query it again in any way.