Privacy Policy FAQ
Respecting the privacy and security of our customers' data are absolutely vital topics at WonderPush. Our particularly draconian policy of collection, anonymization and retention of data is the cornerstone of our DNA but also of our position in the face of multiple possible risks.
WonderPush anonymizes your users' data (random id, no ip, no precise geoloc, no idfa, no phone number...), encrypts them at rest, does not accumulate them over time and does not shares them with any third-party system. The data is stored exclusively in the EU and the possible unwanted extraction by a third party (due for example to an application of the Cloud Act), does not allow any possible re-identification, nor use. This unique policy on the market of push providers and marketing automation more broadly, makes WonderPush de facto the safest solution.
Data collected
Is personal data processing carried out within the framework of the implementation of the project?
By default, and only from the time chosen by the publisher, WonderPush does not collect any personnal or sensitive data, nor persistent identifiers such as device id, idfa, etc., nor geographical coordinates, nor IP address. The publisher is then the sole master of the information it retrieves and stores on behalf of its end users, via the tools made available to it such as tags, custom properties and events.
What are personal data processing purposes?
The data collected by default by wonderpush, once the user has granted permission to push notifications, are: a random installation identifier representing the user's device, a push token allowing to send him notifications and properties related to the device, such as the system used, the system language, the time zone...
The installation identifier is random and does not depend on the IP address, or the user agent of the user's terminal, or IDFA type identifier. The same user on the same terminal who would delete his browsing data and then subscribe again to pushes, would be allocated a new installation identifier and a new push token. The push token can be revoked at any time by the end user, from his terminal, by unsubscribing to push notifications. Furthermore, the deletion of browsing data by the user causes the deletion of the installation identifier.
What are the categories of personal data processed in the framework of the project?
Here is the list: https://docs.wonderpush.com/docs/collected-data
Is it treating a large amount of data?
It depends on what the publisher chooses to collect. The publisher is the sole master of his tagging plan.
Sensitive personal data be processed in the framework of the project (eg. Health data, trade union membership, etc.)?
WonderPush does not collect any sensitive data. The unique process consists of:
-extracting from WonderPush database, at the initiative of the publisher when he triggers a push, data attached to randomly generated installation IDs and their associated push tokens, revocable at any time by the end user, plus the tagging data decided by the publisher.
Data storage medium
What is the data storage medium (it can be hardware, software, paper documents or computer for example)?
Data is encrypted in transit via HTTPS supporting TLS 1.3 and at rest on secure Google Cloud servers in Brussels using AES256.
An interconnection with other tools / software is it planned?
No interconnection is made with any other tool / software unless requested by the customer.
Data lifecycle
How long to retain data necessary to achieve the objectives?
90 days by default for user events. Inactive installations which are older than 90 days are automatically deleted.
From experience, we find that a user who has not reopened the application for 90 days, i.e. inactive for 3 months, is no longer able to be re-engaged via the push channel. In addition, we believe that data older than 90 days is no longer useful for the use of pushes. Nevertheless, a publisher who does not share our vision has the possibility of recovering all the data in real time on its own servers, of applying its own data retention policy on its servers and of using, on their base, the APIs of WonderPush to trigger its pushes.
Is it possible to set retention periods in the tool?
Yes, but not beyond 6 months. We recommend using our apis or our webhooks to retrieve your data as you go. In addition to security and privacy reasons, WonderPush does not accumulate raw data because the accumulation is not useful in the context of pushes.
Is it possible to identify inactive data?
You can identify inactive installations for a given period. WonderPush also detects phantom devices that are devices which somehow no longer receive your notifications without having ever unsubscribed. They include lost, sold, broken, forgotten or factory reset devices, uninstalled apps, etc.
WonderPush uses a sophisticated algorithm based, among other things, on the repeated lack of acknowledgment to identify them.
Is it possible to easily remove the data?
Only the publisher's staff authorized according to their rights, with and admin role minimum, can remove data and after activating a 2 Factors Authentication. WonderPush does not touch, modify or delete any of your data, apart from the automatic deletion of old data as explained
Is there an archive system, encryption or anonymization of data?
Back-ups are incremental and made on a daily basis. They are kept during 90 days and fully destroyed after.
Anonymization is by design since WonderPush does not collect any stable identification data by default (IP, User Agent, IDFA, precise geography...). In fact, the data collected does not in any way allow the "re-identification" of users. If the publisher wishes to consolidate the data thus collected with those collected via another source (for example, CRM), then he must himself define a user identifier transmitted to WonderPush at the time of initialization of the SDK. From then on, he will be able to reconcile his data on his own servers.
Data minimization
Is an access management policy implemented?
WonderPush lets you build a team of collaborators and give each of them an appropriate level of access to your project. Here is the list of possible roles: https://docs.wonderpush.com/docs/dashboard-staff
The processed personal data be relevant and limited to what is necessary for the purposes for which they are processed?
By default, and only from the time chosen by the publisher, WonderPush does not collect any sensitive data, nor persistent identifiers such as device id, idfa, etc., nor geographical coordinates, nor IP address. The publisher is then the sole master of the information it retrieves and stores on behalf of its end users, via the tools made available to it such as tags, custom properties and events.
Does WonderPush anonymize or pseudonymize data?
By default, data relating to a device is linked to an installation id. This installation id is random and never the same.
Is it possible to link the "installation id" with an identifying data?
The only way to do this is for the publisher to define a user ID that will be provided to the SDK at initialization time. This user ID will allow the publisher, and him exclusively, to reconcile the data collected via WonderPush with those he has via the publisher's other systems.
The installationId is a hash calculated from the user ID provided by the publisher but also from a random number that changes with each reinstallation or deletion of data. It is in fact impossible to trace the user identifier provided by the publisher from the installationId.
User information and consent
Are the users informed of the processing is done of their data?
WonderPush provides, among other things, tools to allow users to download all data stored on WonderPush concerning their terminal as well as to delete them on their own.
The display of adapted messages must be carried out by the publisher.
Does the processing require obtaining the consent of the users (opt-in)?
The operation is different depending on whether you are on an android device or an iOS device.
On Android, by default the end user is automatically subscribed to push notifications and can unsubscribe at any time by accessing the settings at the top right of a notification.
On iOS, by default, the end user is not subscribed to push notifications. iOS requires you to prompt the end user to opt in.
Is there a consent management process?
Yes. WonderPush provides the publisher with a tool to activate WonderPush on the sole condition that the end user has given their consent.
Process to ensure respect for user rights
Can the users access on request to their data?
End users do not need to request access to their data to you. WonderPush directly allows them to:
- download all the data stored on the server side concerning his device
- immediately delete all the data stored on the server side concerning his device.
WonderPush recommends exposing within the application, in its settings and in a "personal data and privacy" section, a switch "Disable push notifications", as well as two links "Download my notification data", and " Delete my notification data". These functionalities are directly offered by the WonderPush SDKs and aim to give the user control over the management of his personal data.
If a user has in the meantime deleted their application and therefore cannot access these personal data management features, then their data will follow the general life cycle within WonderPush, namely, 90-day deletion.
If the publisher wants to delete all the data of a user to whom the publisher would have associated a user id, then the publisher can either find within the dashboard the installations corresponding to the user id and delete them, or delete them directly via a call to API from the publisher servers.
Can the users request correction of their data (right of rectification)?
The users can only download or delete their data. The possibility of downloading / deleting personal data by the user himself seems to us to be a fundamental right and WonderPush strongly advocates allowing it. Free to the publisher not to expose this functionality.
Can users object to processing or request its limitation?
The users can unsubscribe from push at any time and de facto block any further processing.
Data recipients
Is a sub-processor involved in the processing of personal data?
WonderPush uses a unique subcontractor as servers and data hosting provider. This is Google Cloud Computing, based in Brussels (Belgium).
The data is stored on WonderPush servers within Google Cloud Platform Brussels. The data is stored and processed exclusively within this area. The data is anonymized and temporarily stored for the exclusive use of allowing the publisher to send push notifications to the subscribed users it has targeted.
Are the data transferred / sold / leased / transferred to third parties?
No, in no case. The publisher is the sole owner of the data (with its users) and only he decides on their use.
Transfer outside the European Union
Is a transfer of data (hosting or access) outside the European Union operational or planned?
No. The data is hosted on dedicated servers rented by WonderPush from Google Cloud Computing in Brussels (Belgium). WonderPush has no other subcontractors.
Google Cloud Platform's parent company is located in the United States. Don't you think it is necessary to regulate potential data transfers outside the EU (in application of the Cloud act).
WonderPush has chosen to deploy its service within the infrastructure of Google Cloud France, Europe Region (specifically in Belgium), for its location in the EU, scalability, resilience and the very high level of security offered by GCP. GCP contractually guarantees that the absence of external transfer of data stored within the region chosen by the publisher.
In addition, the storage policy (anonymization, encryption, no IP or IDFA, no retention of data beyond 90 days, etc.) deployed by WonderPush, renders unusable by design, data that would eventually be transferred to under the application of the Cloud Act.
Updated about 1 year ago