GDPR and Data Privacy

Whiplash preparations for the General Data Protection Regulation (GDPR)
Whiplash is a strong advocate for privacy and transparency in data collection. We believe that the set of regulations that make up GDPR will benefit consumers. In the GDPR framework, Whiplash is a data "processor", and the store operators that make up our client base are data "controllers".

GDPR provides a set of rights to consumers ("data subjects") who are citizens of the European Union. Those rights are:

Lawful Basis of Processing
You need to have a legal reason to collect someone's data. The consumer data Whiplash receives from store owners (primarily, but not limited to, name, address, telephone, and email) pertains directly to performing the activities described in our contracts with store owners. The legal basis of processing this data is "Contract".

Whiplash will not use, share, or otherwise distribute the data it receives from store owners except when it is explicitly necessary to satisfy the terms of the contract.

For our clients themselves, Whiplash collects information needed to bill for services and perform other tasks necessary to satisfy the contract. Again, the legal basis of collecting and processing this data is "Contract". Whiplash will not share, use, or otherwise distribute the data it receives from our clients, except when it is explicitly necessary to satisfy the terms of the contract.

Withdrawal of consent
Consumers need to be able to see what they've given consent for, and to opt out just as easily as they opt in. This falls onto the shoulders of our clients.

For Whiplash, our clients can already see the data we have collected for them. Because the data we collect from our clients is necessary to fulfill our obligations under the contract, access cannot be revoked without closing the account.

Consumers need to be given notice that you're using cookies to track them, and they need to provide consent.

Prior to May 25, 2018, Whiplash will update our public website to satisfy this requirement.

Consumers have the right to request that you delete the personal data you have about them. This includes permanent removal from your database, email tracking history, call records, form submissions, and more. The right to deletion depends on the context of the request, and allows for up to 30 days to respond to the request. The request may be rejected if there is a lawful basis for doing so.

When our store owners are presented with a deletion request, they will need to relay that request to Whiplash to delete the consumer's data that may be stored at Whiplash. Prior to May 25th, 2018, Whiplash will release a set of tools to support these deletion requests.

  1. v1 API Orders#anonymize. This endpoint will replace all name, email, and phone fields with an anonymized token to detach the order's history from the consumer.
  2. v2 API Orders#anonymize.
  3. In the dashboard, any order over 30 days old will have an Anonymize option.
  4. In the dashboard's Bulk Update feature, an Anonymize option will be available to detach multiple orders from consumers at once.

3rd Parties
To satisfy the terms of our contracts, Whiplash may share the data it has received with 3rd parties, such as:
Upon receipt of a deletion request, Whiplash will relay the request to all 3rd parties Whiplash has shared your data with.  

Access / Portability
Consumers have the right to access the personal data you have saved about them. Existing features in Whiplash, such as Search and Export, are already GDPR compliant, and will continue to operate as they do today.

Consumers can request to have their data modified if it's inaccurate or incomplete. This is possible today using existing tools.

Last updated Jan 6th, 2020