Theme Demo. GDPR Processing Addendum
The Theme Demo chatbot takes the security of its users’ data seriously, adhering to the General Data Protection Regulation (GDPR) standards. Theme Demo’s user data is GDPR-compliant and is stored in London, UK. Theme Demo is committed to ensuring that its users’ data is kept secure and safe. All information is kept confidential and is never shared with third parties without explicit user permission, and users can delete their data at any time, in line with GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation. The EU enforced a new law to protect end users’ data. This law covers several aspects of data security. Here we want to give a guideline on how we protect your data, what our responsibility is, and what our commitment is.
We strongly suggest you read all our documentation or another article about GDPR and decide whether you want to use our application. We are not responsible for any negligence or fault in data protection on your side or any third-party site. Take your time to read the documentation and act wisely; stay safe.
Definition of Personal Data:
Any data owned by an individual is their data. It could be someone’s name, image, email address, physical address, social media post, location, computer IP address, etc. The ownership of the user’s data is absolute. That means wherever and however the data is saved, it belongs to the user solely. The data collector or user (Facebook, YouTube) cannot show, save, share or perform any other activity with the user’s data without explicit or implicit permission.
If a user permits their data to be used for a specific type of action (data storing, data viewing, etc.), then the application’s admin may use it for that purpose. To visualize this, consider a hypothetical situation. You post a status on social media. Here you have given implicit permission to show the post to your public or private contacts. The application admin is not responsible for any abusive comment made on your post by your contacts.
This means that if you made your data public, then it is your responsibility. But the application admin is responsible for any data sharing with a third party. If any data is shared, it must be stated explicitly in advance. So we see how data uploading and showing depends on both the app admin and the user. You will find further details in the complete documentation.
Responsibility of Developer:
The developer is responsible for safeguarding personal user data on the application’s back end. The developer is responsible for storing the user data (name, telephone number, email, etc.) and other info (like logs of user interaction with the application) on the database and server. We will describe in detail how the data you submit directly (name, email, etc.) and indirectly (browser name, computer IP, etc.) are saved on the database and server.
Once any data is uploaded to the server, the security of the data depends on the server’s safety and sometimes on the application’s admin. The user will be notified about all temporary (cookie and session) and permanent (data saved to the database) data saving. Users will have the option to erase all of their data permanently upon account deletion or service cancellation. We assure you that we do not keep logs of user activity or any other backdoor to extract user data. Sometimes the developer needs cPanel access and other app admin credentials for a short time to support and maintain the application before it goes fully online.
We strongly recommend that the app admin change these credentials after the job is done. The developer cannot be held responsible for any credential leak on this ground. Developers also cannot be held accountable for any unintended security glitch in the application. After all, data shared online always carries the risk of being leaked. So we strongly suggest not sharing any data that could compromise you or any other individual.
Responsibility of Application Admin:
The application admin has unrestricted access to the user’s data. The admin can access the database, server logs, and any other info within the admin’s reach. The application admin can see and copy the data saved on the database and server. The app admin can share users’ data with third parties.
How the user’s data is used must be announced by the app admin explicitly before user registration. The admin should not allow anyone to extract data openly or under the guise of a survey, a form, or any other means. The app admin enjoys the most privileges on the application. So the admin has the highest responsibility for the safekeeping of users’ data.
It all depends on the user. If users do not submit data, there will be no data breach. But this is not an option. The topmost priority of the user is to read all the documentation from the app developer and app admin and then submit the data. Safekeeping of the user’s credentials is the sole responsibility of the user.
Password and username may be encrypted on the database. Still, a dictionary word or an overly predictable password for a specific user can give a hacker easy access to the user’s account. Change your credentials after any suspicious activity by an unauthorized person, or if you have had to share your credentials with others for some unavoidable reason. Always think before submitting.
Our Action on GDPR:
Collect as little data as possible. Tell the user why specific data needs to be collected.
Destroy all sessions and cookies after logout.
Do not track user activity for commercial purposes.
Tell users of any logs that save computer IP and location.
Transparent terms and conditions.
Inform users about any data sharing with third parties.
Create clear policies about data breaches.
Delete data on canceling subscription or account deletion.
Patch web vulnerabilities.
Supported GDPR Features:
Adios, Application: Once you cancel your subscription or delete your account, we give you the option to delete all data existing on or related to your account. Note that this action is irreversible. When you say yes to deleting, all your data will be erased from the database and server forever. You can back up your data before deleting it in case you re-subscribe or re-register later.
Secrecy is my right: We encrypt most of your data on the database. If anything bad occurs (a data breach), the hacker will get the encrypted hash, not your personal data in plain text. So your secrecy will be intact even in case of a data breach. Note that some data cannot be encrypted because we need to show it upon login to the account (like the username). We will hide as much of your data as possible.
No cookie and session saving: We give you the option to save or not save cookies and sessions. Even if you keep cookies and sessions, they will be destroyed after logout. We strongly suggest you not keep your credentials in the browser. Please memorize your credentials or use a tool like Bitwarden to manage them.
Destroy footprints: We do not save or track any of your activities for commercial purposes. We may store your login time or IP for security purposes only. Every piece of your data will be deleted from the server when you delete your account.
Social engineering is bad: We do not record any of your activity on the application. Recording a user’s activity, analyzing it, trying to sell a product, or steering the user toward a specific thought based on the interpreted data is malpractice. We do not do such things.
Notify me: Get notified by email about all activity relating to your account (account creation, password change). We suggest you change your credentials if anything unusual occurs.
Connect without worry: We enforce HTTPS everywhere. Data sniffing is not possible in this case. Even if it were possible, the sniffer would only get an encrypted hash. So feel safe using our application.
No data collecting: We do not collect any data on users. There is no backdoor and no hidden option to collect data. Once the application is uploaded to the server, we cannot enter the application without the app admin password. So do not worry about any hidden data leaks.
Data breach policy: We implement all the safeguards needed to store your data carefully on the database (data encryption, MySQLi, SQL injection prevention, input checking, etc.). But we do not take any responsibility for data breaches originating from the server, because securing your data against a breach there is the total responsibility of the app admin and server admin.
Any weak or predictable password of the app admin or server admin could compromise the database. Any inherent fault in the database configuration can give away the database (MySQL security fault). Any security flaw on the server can lead to data leaking. Don’t hesitate to contact your app admin in this regard.
Is sending bulk messages to Facebook leads using our system GDPR compliant?
Yes, sending bulk messages using our system is GDPR compliant, because people opt in to our Facebook page by starting Messenger conversations, and we can prove it. They become our leads in a legitimate way. All the messages we send must have unsubscribe links (we already have this feature) or another way for people to unsubscribe at any time.
If you have any additional questions or concerns, please let us know at [email protected] Demo.com.