VOCO & GDPR
DISCLAIMER: The information below is not meant to serve as legal advice.
What is the GDPR?
The EU General Data Protection Regulation (“GDPR”) is a new data protection and privacy law that takes effect on May 25, 2018.
It replaces the existing Data Protection Directive 95/46/EC in order to harmonize data privacy laws across Europe as a single set of rules that govern the processing and monitoring of EU data. See the actual regulation here: https://gdpr-info.eu/.
What is the connection between the business and VOCO?
With Voco, you need to send data about your customers to your server and to ours.
As such, Voco is considered a ‘Data Processor’, and you are the ‘Data Controller’.
As a Data Controller, you’ll need to inform your customers about the 3rd party integration and to honor their requests about data you have processed or stored about them (whether in the Voco server or not).
Voco helps with this by providing tools that make it easy for you to change, delete and view the data in your Voco account at your customer’s request.
As Voco is a Data Processor, you might need to obtain consent from your customers for how you plan to use Voco to process their data. Some examples are: sending a survey and collecting the survey & share results. If you need to do so, we suggest you be as clear as possible about how you use Voco and why your end users might want to grant you consent to send their data to Voco.
With Voco, you can collect data via survey replies, share information, pages or widgets that you can use as part of your referral program.
Data collected on these pages, where the experience is fully controlled by VOCO, will be GDPR compliant.
However, we are not able to confirm that data collected and processed outside of our platform or on pages within the platform that have been edited or changed by you are GDPR compliant.
In these cases, we recommend that you seek help from your legal counsel to ensure you understand what it takes to become fully GDPR compliant.
How is Voco preparing for the GDPR?
Here are the main things that we are doing to meet GDPR obligations:
- Improving our internal processes and documentation to ensure that we meet GDPR standards.
- Having all employees sign an NDA.
- Assessing our data flows and reviewing any third-party Data Processors that personal data is pushed to, to ensure their compliance.
- Reviewing Voco to add features that help you to easily comply with the GDPR.
- Updating our privacy policies and terms & conditions to ensure that they are compliant with the GDPR.
- We’ve appointed a Data Protection Officer to oversee data management and privacy. Get in touch by emailing firstname.lastname@example.org.
Features we’ve built to help you to comply with the GDPR
Here are the features that enable you to fulfil the rights of data subjects in your role as a Data Controller:
- Influencers have access to their own settings page where they can delete their account.
- Unsubscribe: Advocates have the “Right to object”: Each SMS/web notification/email that is sent to the customer about the survey and the referral program has a built-in mechanism that allows them to opt out or not even participate.
- You are able to unsubscribe influencers from the Voco dashboard as well if they request you to do so.
- Exporting customer data (“Right to data portability”): You can download a full list of your Influencers through the ‘Export to CSV’ feature. If you’d like more information about a specific influencer, please email us at email@example.com with the name and email address of the influencer.
- Delete influencer (“Right to be forgotten”, “Right to the restriction of processing”, “Right to object”): From the Voco dashboard, you are able to, at the click of a button, remove a customer and their data from the Voco systems.
Is it okay if customers share a survey or trivia item after a purchase even if they didn’t opt-in to it?
Yes, sending a referral email to customers if they didn’t specifically opt-in to it is allowed as long as certain conditions are fulfilled during the collection of their information and in the messages sent to them.
The customer’s information was collected in the context of a sale of product or service.
The customer needed to have been given the opportunity, free of charge, to object to marketing at the point of collection (e.g. when the purchase was made), in a clear manner, separate from any other information.
Each message sent to the customer for direct marketing should provide the opportunity to object too.
Voco automatically includes marketing consent information in the surveys that are generated by Voco.
Data Retention & Restoration of Deleted Data
We retain data associated with your user account, including personal information and survey & share data, for as long as you have a Voco account and for such longer periods as may be required by applicable law. For example, we’re required to retain limited billing data for 10 years for audit purposes even after an account is deleted.
If you have a paid plan which later downgrades to a non-paid plan, your data will be retained unless you delete your account entirely. There may also be restrictions on what data you can see in your account unless you upgrade back to a paid plan.
The following sections detail who can delete data, how long it’s retained, and whether it can be restored.
Survey data deleted from within the account
You can delete surveys and survey & share data from within your account at any time. Survey data you delete from your account isn’t accessible, but it’s not permanently deleted right away. We retain your data for a limited time so you can restore it if it was deleted accidentally.
Since we permanently purge deleted data, we can’t guarantee that we’ll be able to restore it. The more recently the data has been deleted, the more likely we’ll be able to restore it. Once deleted from your account, data is permanently purged from our system within 90 days.
Account deleted from within the account
You can request to delete your account and survey and share data associated with it at any time. After you initiate the deletion of your account, it’s disabled immediately, but the account and share and survey data will be held in our database for 90 days, at which point it will be permanently deleted. You can contact us within that time frame to request that we restore the account. After the account is permanently deleted, we won’t be able to restore it or the survey data it contained.
User account in a team deleted by an admin
The Primary Admin or Admin of a team can delete a user account from their team at any time. This disables the user account immediately, but its survey data will be held in our database for 90 days before being deleted. The Primary Admin can contact us within this 90-day time frame to request that we restore the account.
Some residual copies of deleted data may remain on backup media up to 90 days after the deletion has occurred, at which point it will be overwritten.
We generally do not use deleted survey data for any purpose other than to give you the opportunity to restore it. In limited circumstances, we may retain deleted data for the following legitimate reasons:
- To comply with our legal obligations
- To enforce our agreements
- To resolve disputes
In these cases, we ensure that access to the data is blocked except for the purposes for which we have been required to retain the information and the data is deleted as soon as that purpose no longer exists.
Voco is the owner of the tools used to build surveys, share and analyze data. Who we regard as the owner of your account and the data in it depends on your plan type listed in the Account Details section of the My Account page. Choose the applicable section below:
This makes it easier for organizations to ensure they retain ownership and control of all surveys and survey and share data contained in the user accounts that belong to the team (including all Admin accounts). Voco does not claim ownership of the survey questions your organization creates or responses it collects through its user accounts.
The organization, or an authorized representative of it, is responsible for payment obligations and has the ability to manage all the team’s accounts—even if that representative is not an account holder.
Data Privacy, Security & Confidentiality
We understand that survey responses and share information can capture a wide range of information, some of which may be highly sensitive, confidential, or proprietary—both to your organization as the survey creator, and to the individuals who may be providing you with their personal information.
Voco values the trust that our customers, whether they be individuals or large organizations, place in us by letting us be the custodians of their survey data.
We’ll make every effort to ensure that whatever information you provide is maintained in a secure environment.
Our Security Statement describes the security measures we use to keep your data secure. Your data can only be handled appropriately if it’s also handled and stored securely.
Voco compliance with the US consumer protection act, spam act
About: Voco is an AI bot that turns customers into brand ambassadors using the following method:
1) If a person has not opted out, then Voco sends an SMS post-purchase asking the customer “A” to rate the product he just received.
2) The SMS has a per person, unique code. If “A” clicks, i.e. agrees to rate, then he is directed to a web based survey.
3) If “A” answers the survey positively, then Voco asks “A” if he is willing to discuss & recommend the product to his friends and family.
4) If “A” clicks, e.g. agrees to share, then he receives the product’s marketing material to be forwarded to a friend (“B”).
5) If “B” purchases the product, then Voco rewards both “A” & “B”.
The vendor does not ask for permission to send the SMS requesting to proceed with the survey when clicked.
Flow diagram: http://bit.ly/2WxGzAz
- US: The Telephone Consumer Protection Act (“TCPA”)
- US: CAN-SPAM ACT
- Australia: Spam Act
- UK: Privacy and Electronic Communications Regulations
- EU: General Data Protection Regulation (GDPR)
Voco SPAM & GDPR Compliance
Voco actively seeks consent before: 1) Sending out a survey 2) Sending out promotional material regarding the recently purchased product.
The user is required to click on the consent question, before Voco proceeds to the next step. The question has a unique, trackable link.
Opt-out on Initial SMS
Customers can opt out from the initial invite to survey SMS.
Legitimate interest for sending the survey
Following the consent, Voco starts with a survey about the recent consumer activity, whether it’s purchase, delivery or other activity.
Results are stored online for future analysis and improvement.
Legitimate interest for requesting to share
As the vendor wishes to promote wider use of an already purchased product, he seeks the help of his customers in doing that.
Voco compliance with the US consumer protection act, spam act & GDPR
Voco keeps the individual’s right to their data
Voco has a process that enables individuals’ right to request access to personal data that was collected through online surveys and shares. Voco also deletes personal information upon request.
Storing personal data
Personal data that Voco collects is kept for a period of 3 years.
Remember to define and notify data subjects for how long you will retain personal information before you send out survey invitations.
Voco needs to send a message to achieve customer interest
Voco works post purchase, minutes or days after the user has left the vendor’s website.
Voco has balanced the act of sending the message against the individual’s interests, rights and freedoms
By letting users opt out, or mute notifications from a certain vendor
Voco actively contacts only active customers and about products they purchased
A prospect is never actively contacted without a full and written consent
Updated: May 12, 2019