BeamPulse and the GDPR

Version of May 25, 2018.

From May 25, 2018, the General Data Protection Regulation (GDPR) is effective. The GDPR enables citizens of the European Union to exercise a better control over their personal data, and will ensure enhanced data security across Europe.

BeamPulse will comply with the GDPR as of May 25, 2018.

Due to its activities, as defined by the GDPR, BeamPulse is both Data Controller and Data Processor. This present document is composed of two parts, which correspond respectively to these two roles.

In the following :

BeamPulse means BeamPulse SAS

Client means the customer of the BeamPulse company (the controller in the GDPR sense).

User means a person to whom the Client has given access to his BeamPulse account.

Visitor means a user who visits one of the Client’s websites.

 

BeamPulse as Data Controller

 

BeamPulse collects the following information :

Clients of BeamPulse:

  • Name
  • First Name
  • Professional email
  • Professional phone number

Prospects of BeamPulse:

  • Name
  • First Name
  • Professional email
  • Professional phone number

 Furthermore, BeamPulse collects personal information about its partners and employees, in compliance with the recommendations of the CNIL and the GDPR. These data is under the control of BeamPulse DPO.

 

Users of the BeamPulse platform (employees of Clients having access to the BeamPulse platform and Clients benefiting from a free trial) :

  • Name
  • First Name
  • Professional email
  • Professional phone number
  • Roles and rights of the user :

Owner: Sites, User, and Account Management

Admin: Sites and User Management

Project: Configuration and usage of Sites

User: Simple user access to sites

 

Restriction: can only see the heatmaps features

Restriction: cannot launch a campaign

·      User access IP address

Note: The connexion IP address of BeamPulse Users allows BeamPulse’s Clients to ensure that only employees designated by them will be able to connect from a set of Client-authorized IP addresses. BeamPulse logs the IP addresses of the Clients employees (the Users accounts that Client create for their employees) for security reasons :

1) the Client can track all actions performed by its users (from a given IP address)

2) the Client can “authorize” only specific IP adresses to connect to BeamPulse (for instance only IP addresses within your premises)

 

Right to be forgotten

Clients may destroy the accounts of their Users at any time.

Prospects may request changes to their information, their preferences for receiving information from BeamPulse, and their removal from mailing lists.

BeamPulse as Data Processor

 

BeamPulse is an online behavioral marketing solution, in SaaS mode, that offers the following services :

  • segmentation of website visitors in real time,
  • analysis of the behavior of Internet users,
  • triggering actions in real time.

 

1) All BeamPulse services are under the full control of the BeamPulse Client.

2) Generally speaking, BeamPulse does not perform any collection nor treatment that does not result from an explicit instruction given by the Client (or one of the Client-designated Users) through its administration interface (accessible online).

3) In its initial configuration, the BeamPulse platform does not collect and process any personal data according to the GDPR. The data collected are all anonymous navigation data that do not identify the Visitor.

 

Use of cookies

BeamPulse uses only 1 cookie. This cookie contains a random value, between 0 and 999. The lifetime of this cookie is less than 13 months as recommended by the CNIL. This cookie is set in the Visitor’s browser.

 

IP address of Visitors collected and anonymized by BeamPulse

At the explicit request of the Client, and only in this case, BeamPulse can collect the IP address of the Visitors, and instantly process this address to deduce the geolocation (at the scale of the city) and the weather (at the scale of the city) during real-time segmentation processing. The IP address of the Visitor is never stored, and its processing is limited to the deletion of the last byte to make it anonymous.

The information is minimized and is only used to provide geolocation and weather services.

In a nutshell, BeamPulse does not store IP addresses of the visitors of the Clients’ websites :

BeamPulse does the following :

  • The Client can ask if the Visitor’s IP starts with the first 3 bytes, and the condition will say « yes » or « no » (it will simply ignore the last byte if the Client supply one). Typically the Client could use this condition to exclude traffic coming from his own company.
  • The Client can geolocate the Visitor by using the 3 first bytes with the geolocation condition, but as BeamPulse removes the last byte, the Client can only geolocate at the city level (therefore it is impossible to trace down to a specific person).
  • The Client can get the local weather forecast from the Visitor’s IP address (at the city level) as BeamPulse removes the last byte.

 

  • Processing of personal data provided by the Client

Beyond the anonymous data collected by BeamPulse, the Customer has the ability to transfer Personal Data coming from his own information system (CRM, DMP, TMS …) to the BeamPulse solution, in particular to enrich the segmentation conditions.

In this case, the Client controls this information at all times and has full responsability to provide BeamPulse only Data authorized by the Visitors of the Client’s  Website. The role of BeamPulse is strictly limited to the processing specified by the Client in the description of the Processing. BeamPulse is not responsible for this data processing involving potentially personal data from the Client information system.

BeamPulse does not store any personal data that may be provided by the Client during the real-time segmentation process, and does not release them to third parties.

 Right to be forgotten

BeamPulse provides its Client with a URL to add to the terms of use of the Website.

This URL allows Website Visitors to request the deactivation of BeamPulse services on their browser.

 

Compliance with the DNT (Do not Track) Directive

By default, BeamPulse respects this directive, and disables its services if this directive is enabled in the Visitor’s browser.

Note: There is no consensus on the compliance with this directive, and the majority of online services do not comply with this directive. The Customer has the option of explicitly asking BeamPulse to ignore this directive.

 

Organizational and technical measures

 

  • The DPO (Data Protection Officer) of BeamPulse can be reached at dpo@beampulse.com
  • All BeamPulse technological developments are part of the “Privacy by design” logic: anonymization and minimization of data.
  • Notification in the event of an incident related to the Client’s Data: in the event of such incident the Client will be informed as soon as possible, in accordance with the GDPR.
  • Location of the servers: the servers used by BeamPulse are located in France.
  • Safety planning: BeamPulse implements safety measures that take into account the state of the art and GDPR obligations.
  • All statistical data – anonymous – are kept by default for 3 months in the BeamPulse platform.