GDPR - ViewLift
  • 19 Jun 2023

ViewLift is committed to protecting the privacy of our users, and we take compliance with privacy regulations very seriously. We will continue to monitor our apps and make sure that they are always compliant with the latest privacy regulations. As the developer of your apps and websites, ViewLift ensures that the Tools platform and your site and apps are fully compliant with GDPR policies.

How ViewLift ensures your site and apps are GDPR compliant

ViewLift is proud to be fully GDPR compliant. Here are some of the ways we ensure GDPR compliance:

  • Consent Mechanisms: We seek user consent before collecting and processing any personal data. To this end, we have implemented consent checkboxes or opt-in options that display legal verbiage in the Subscription flow messaging. Tools admins can easily customize these messages to communicate clearly to your users about your GDPR compliance.
  • Data Collection and Usage: ViewLift only stores user data necessary for billing and account management. Access to the user management module is diligently tracked: Tools users are required to log a session every time they access a user record. We are PCI compliant: we save only payment authorization tokens, and everything else is maintained by the payment handlers.
  • Data Access Controls: ViewLift implements appropriate access controls to protect user data from unauthorized access, such as authentication and authorization mechanisms.
  • User Rights: ViewLift allows users to exercise their GDPR rights, such as the right to access, change, or delete their personal data stored in the ViewLift Portal.  We also destroy data associated with churned accounts, so our partners can be sure that their data is being handled responsibly. 
  • Third-Party Integrations: ViewLift ensures that its third-party integrations comply with GDPR requirements by reviewing the privacy policies and data handling practices of these third-party services.

You can include this statement in your privacy policy on your site and apps, or any other relevant documentation. It is important to communicate clearly to your users about your apps' GDPR compliance to build trust and confidence in your platform.

To include your GDPR status as a macro in URLs such as Ad Tag URLs or video stream URLs, activate the GDPR flag under the Compliance section in AppCMS. Once enabled, the boolean flag for your GDPR status can be applied to URLs as a macro. For example, the macro GDPR_CONSENT_STRING can be used to represent the GDPR consent status. When the URL is called, the macro is replaced with the corresponding value indicating the user's GDPR consent status. For example:

&gdpr=&gdprcs=[GDPRCS]&coppa=0


Information regarding GDPR is also documented in our privacy policy and ToS here:
ViewLift Privacy Policy
ViewLift TOS

Compliance with Developer Program Policies

Our mobile and TV apps comply with the Developer Program Policies of Google, Apple, Roku, Amazon, Samsung, and Vizio. These policies require app developers to provide information about how they collect, use, and share user data. We meet these requirements by submitting a Data Safety Form for each of our apps. This form discloses all data that is collected and passed off the device. A team of experts from each store reviews the form to ensure that our apps meet their company's privacy standards. Apps that do not comply with the Data Safety Form requirements can be removed from platforms.

FAQs - GDPR 

Q. What type of data is collected and how are we using the collected data?

ViewLift collects beacon events for users' watch history and player metrics, which are processed for analytics purposes. Cookies are used on our website to collect user behavior and device information. Additionally, we allow our clients to use user engagement tracking platforms that we have integrated with, as outlined in our ViewLift Privacy Policy. Our Terms of Service define the tools we provide to data subjects for determining how their personal data is being used. Users have the option to opt out of cookies and trackers.

Q. Is ViewLift providing any tools to data subjects so they can determine how their personal data is being used?
Defined in TOS but should also be defined in clients' TOS.

Q. What are the Technical and Organizational measures taken by you as Data Processors for the protection of personal data, of the data subjects?
Security at rest, IAM role management, monthly security audits, key rotations.

Q. Are we using privacy-enhancing technologies? If yes what are they?
Yes, we only capture the data we need and share as per PII only.

Q. Do you have any information security policy or equivalent?
Yes

Q. Do you have a backup process?
Yes

Q. Do you conduct regular testing and reviews of the protection measures you have in place to ensure they are effective? If yes how often?
Yes, monthly audits.

Q. What are the information security measures you implement? Do they guarantee confidentiality, integrity, availability, and resilience?
We delete/encrypt the personally identifiable information we have collected and stored upon your request to techsupport@viewlift.com.

Q. Is there any code of conduct and certificate mechanism in place so far to establish compliance with the security principles?
Yes

Q. Is there a Data Protection Officer (DPO) appointed? If Yes, is he well trained on how to monitor GDPR compliances and other data protection laws? What is the process in place in the event of any data breach?
We have appointed a Data Protection Officer who is trained in monitoring GDPR compliance and other data protection laws. In the event of a data breach, we inform the client and work together to notify end-users and correct any deficiencies, with periodic re-tests. 

Q. How is the data stored? Do you have a data retention policy? If yes what is it?  
We store data on our private cloud database and pass user data in hashed form to the engagement channels we support. 

Q. Do you conduct DPIA (Data Protection Impact Assessment) as a process to identify and minimize the Protection risks?
While we do not conduct DPIAs, we take proactive measures to identify and minimize protection risks to ensure the confidentiality, integrity, availability, and resilience of data.