This page is designed to share with you some information regarding the steps WebApps, LLC d/b/a Hitpath is taking to prepare for the General Data Protection Regulation (or GDPR) that is set to take effect on May 25, 2018. The GDPR is a new and sweeping set of privacy regulations adopted by the European Union that will apply to many businesses based in the United States, including WebApps.
This page will provide you with a brief explanation as to what WebApps is doing to protect your data and to ensure that we comply with the new high standard set by the GDPR.
WebApps is also updating its Document Retention Policy, which governs how long WebApps will retain documents, both during the life of your License Agreement and generally throughout the business. These changes will also go into effect on May 24, 2018. We strongly encourage you to review this document carefully as it contains significant changes in policy regarding how long certain information will be available to you regarding your account. The updated Document Retention and Destruction Policy is available via this link.
WebApps has also adopted a General Data Protection Regulation Policy. This policy explains the many additional steps WebApps has taken to comply with GDPR and to protect your data. The General Data Protection Regulation Policy is available for your review via this link.
We will continue to update these Policies from time to time. These policies will be posted on our website as updated and available for your review at any time.
While many of the requirements of GDPR are brand new, WebApps has always been and will continue to be committed to protecting your data. The changes that we are making are designed not only to comply with the new legislative requirements but also to provide you with the highest levels of service and privacy possible.
We want to bring one significant change to the Acceptable Use Policy to your attention. In an effort to minimize the security risk inherent in data collection, WebApps is taking steps to reduce the sheer volume of data that it retains. Under the current License Agreement, as subject to the current Acceptable Use Policy, WebApps maintains all of your user data for as long as your License Agreement remains in effect.
We are modifying that system slightly. Under the new Acceptable Use Policy, WebApps will only retain your data for one year while your License Agreement is in effect. This means that after data has been sitting in your database for a year, that data will be automatically purged. You have the option to opt out of this system, as explained in the updated Acceptable Use Policy. If you want us to hold your data for longer during your License Agreement, all you have to do is request that we do so and we will be happy to oblige.
Please reach out to us via our website or your customer service representative if you have any questions regarding these policy changes.
General Data Protection Regulation Policy
Effective May 24, 2018
WebApps, LLC (“the Company”), is a Louisiana limited liability company. The Company provides a multichannel tracking platform which allows companies, advertisers, advertising agencies, and publisher networks to monitor the activity generated by their respective online marketing activities (“the Services”).
The Company receives personal data in various forms and from various sources in connection with the Services. Customers provide personal data regarding themselves to the Company so that the Company can provide them with the Services. Customers also provide the Company with personal data of other companies and natural persons that is generated by that end user through his online activities and then flows through the Customer to the Company for processing. Under both of these scenarios, the Company at times receives personal data pertaining to natural persons located in the European Union (EU) and the European Economic Area (EEA). As a result of its control and/or processing of this personal data, the Company falls within the scope of the General Data Protection Regulation (“GDPR”).
The purpose of this Policy is to detail the Company’s efforts to comply with the requirements of the GDPR and to ensure the protection and confidentiality of personal data.
The Company has enacted a variety of policies to ensure that it is complying with the requirements of GDPR. Some of these policies have been in place for some time and have been updated whereas other policies have been enacted for the first time in order to comply with GDPR.
These policies are all available for review at your request.
These policies include the following:
- Document Retention Policy
- Acceptable Use Policy
- Information Security Policy
Additionally, the Company has amended its contractual relationships to ensure that personal data is appropriately protected. This includes User License Agreements and Data Processing Agreement Addendums. Examples of these documents are also available upon request.
GDPR Compliance
The Company has not elected to appoint a Data Protection Officer at this time. The Company’s core activities do not consist of processing operations which require regular and systematic monitoring of data subjects in the EU and/or EEA on a large scale. The Company does not process sensitive data relating to criminal convictions and offenses. The CEO of the Company, Samuel S. Prokop, is responsible for ensuring that the Company acts in compliance with the requirements of GDPR and any inquiries on this subject shall be directed to him.
The company will also undergo semi-annual Data Protection Impact Assessments. The purpose of these assessments shall be to not only assess the risks facing the company, but also to ensure that the policies that it has implemented to minimize these risks are functional and effective. The Chief Technical Officer shall be responsible for completing the semi-annual DPIA.
In addition to the semi-annual DPIA, the Company shall undergo a semi-annual GDPR internal audit. The Company understands that GDPR is a new law and as such will likely evolve and change over time. Similarly, new threats and processes will arise which the Company must take into account over time. To that end, the Company will perform a semi-annual GDPR internal audit relying on the GDPR questionnaire published for that purpose by BayLDA. The results of those audits will be retained for no less than three (3) years.
The Company operates as a Controller and as a Processor depending on the service provided and the source of the personal data. Customers provide personal data directly to the Company when they sign up for the Services. This data includes information such as Company name, individual name, address, phone number, etc. The Company is the controller of that data as it controls the means by which it is collected, why it is collected, and how it is used.
The Company operates as a processor when Customers provide the Company with information for it to process on their behalf. The Company is in the business of tracking and monitoring behavior relating to certain online marketing and advertising efforts of its Customers. Customers collect data directly from end users and then relay that information through to the Company. The Company then processes that information so it has value and use to the Customer. The Company is only a processor in this scenario as it does not control the means of collection of the data, why it is collected, or how it is used.
Lawful Basis for Processing
The basis for the Company’s processing of information depends on the source of the data and the data subject. When a Customer contracts with the Company for the Services, the Customer is asked to provide certain pieces of personal data to the Company. This information is necessary to establish the Customer’s instance of the Hitpath Software, the Company’s primary product. The Customer consents to the Company’s processing of its personal data at that time.
The Company also processes personal data on the basis of a contract. The Company enters into a License Agreement with each of its customers. In order to fulfill its contractual obligations under the License Agreement, the Company must process some of the Customer’s personal data. This processing is necessary to the operation of the Services offered by the Company and the software will not function correctly without this personal data.
The Company also processes Customer personal data on the basis of the legitimate interest of fraud prevention. Specifically, the Company has instituted certain security measures to prevent unauthorized access to Customer accounts. The Company processes the personal data provided by the Customer to ensure that the Customer and only the Customer can access its account. This security-related processing is necessary to protect the Customer and other data subjects and the individual’s interests do not override this legitimate interest in fraud prevention.
The Company also processes data of other data subjects, including end users, that is provided to it by Customers. The basis for that processing is the legitimate business of the operation of the Company and the provision of the Services to the Customers as well as part of its direct marketing practices. The Company is in the business of taking data that is provided to it by its Customers, the controllers of that data, and processing it in a way that allows the Customer to understand the value of the Customer’s online advertising and marketing strategies. The Company has an interest in operating its business and in providing an efficient and valuable service to its Customers. The Company does not control the means of collection of the data and relies on its Customers, the controllers, to properly notify any end user that it is collecting data at the time of collection. The processing of the personal data of data subjects is necessary for the Company to provide the Services to its Customers and to carry out its business. Further, end users have an expectation that their online activities, particularly their interaction with online advertisements, are being monitored and generating data that is used by advertisers, publishers, and agencies. The interests and fundamental rights of the data subject do not override the legitimate interests of the Company as described herein.
Data Processing Agreements
The Company relies on a number of vendors. It does so both in its capacity as a controller and in its capacity as a processor. The Company relies on vendors to provide a number of services including hosting, servers, geo location, customer intelligence, among others. In order for these vendors to carry out these tasks, the Company must transfer data to them. This data may include personal data of both customers and other data subjects including end users.
In order to ensure that these third party vendors properly protect all data that the Company provides to them, the Company requires these vendors to provide certain assurances regarding their compliance with GDPR. Additionally, the Company requires that each vendor execute a Data Processing Agreement or adopt terms covered by such a document into existing user agreements.
Data Subject Rights
The Company takes responsibility for complying with the GDPR at the highest management level and throughout the organization. The Company records the steps that it takes to comply with GDPR including implementing a system for regular risk assessments, audits, and the processing of personal data. In addition to implementing certain policies to protect the data it controls and processes, the Company has adopted both privacy by design and privacy by default approaches to ensure that appropriate data protection measures are in place throughout the entire lifecycle of the Company’s processing activities. The Company has increased its security measures to protect this data and has instituted policies to heighten security awareness for its employees. The Company has also instituted policies to ensure that data breaches are quickly recognized and appropriately addressed both with the individuals involved and with the appropriate supervisory authorities.
Document Retention and Destruction Policy
The purpose of this Policy is to ensure that necessary records and documents of WebApps, LLC (“WebApps” or “the Company”) are adequately protected and maintained and to ensure that records that are no longer needed by the Company or are of no value are discarded at the proper time. This Policy is also for the purpose of aiding employees of the Company in understanding their obligations in retaining electronic documents – including e-mail, Web files, text files, sound and movie files, PDF documents, and all Microsoft Office or other formatted files.
This Policy represents the Company’s policy regarding the retention and disposal of records and the retention and disposal of electronic documents.
Attached as Appendix A is a Record Retention Schedule that is approved as the initial maintenance, retention and disposal schedule for physical records of the Company and the retention and disposal schedule of electronic documents. The Data Protection Officer (the “Administrator”) is the officer in charge of the administration of this Policy and the implementation of processes and procedures to ensure that the Record Retention Schedule is followed. The Administrator is also authorized to: make modifications to the Record Retention Schedule from time to time to ensure that it is in compliance with local, state and federal laws and includes the appropriate document and record categories for the Company; monitor local, state and federal laws affecting record retention; annually review the record retention and disposal program; consult with outside counsel, and monitor compliance with this Policy.
Suspension of Record Disposal In Event of Litigation or Claims
In the event the Company is served with any subpoena or request for documents or any employee becomes aware of a governmental investigation or audit concerning the Company or the commencement of any litigation against or concerning the Company, such employee shall inform the Administrator and any further disposal of documents shall be suspended until such time as the Administrator, with the advice of counsel, determines otherwise. The Administrator shall take such steps as are necessary to promptly inform all staff of any suspension in the further disposal of documents.
This Policy applies to all physical records generated in the course of the Company’s operation, including both original documents and reproductions. It does not apply to independent contractor records as we rely upon the governing boards of third party vendors to set appropriate retention policies for their members. It also applies to the electronic documents described above.
This Policy was approved by the Members of the Company.
APPENDIX A RECORD RETENTION SCHEDULE
The Record Retention Schedule is organized as follows:
- Accounting and Finance
- Contracts and Memorandums of Understanding
- Corporate Records
- Correspondence and Internal Memoranda
- Electronic Documents
- Legal Files and Papers
- Customer Data
- Data Subject Data
- Personnel Records
- Property Records
- Tax Records
- Contribution Records
4. CORRESPONDENCE AND INTERNAL MEMORANDA
General Principle: Most correspondence and internal memoranda should be retained for the same period as the document they pertain to or support. For instance, a letter pertaining to a particular contract would be retained as long as the contract (7 years after expiration). It is recommended that records that support a particular project be kept with the project and take on the retention time of that particular project file.
Correspondence or memoranda that do not pertain to documents having a prescribed retention period should generally be discarded sooner. These may be divided into two general categories:
Those pertaining to routine matters and having no significant, lasting consequences should be discarded within two years. Some examples include:
- Routine letters and notes that require no acknowledgment or followup, such as notes of appreciation, congratulations, letters of transmittal, and plans for meetings.
- Form letters that require no followup.
- Letters of general inquiry and replies that complete a cycle of correspondence.
- Letters or complaints requesting specific action that have no further value after changes are made or action taken (such as name or address change).
- Other letters of inconsequential subject matter or that definitely close correspondence to which no further reference will be necessary.
- Chronological correspondence files.
Please note that copies of interoffice correspondence and documents where a copy will be in the originating department file should be read and destroyed, unless that information provides reference to or direction to other documents and must be kept for project traceability.
Those pertaining to nonroutine matters or having significant lasting consequences should generally be retained permanently.
5. ELECTRONIC DOCUMENTS
Electronic Mail: Not all email needs to be retained, depending on the subject matter.
Staff will strive to keep all but an insignificant minority of their e-mail related to business issues.
Staff will not store or transfer Company related e-mail on non-work-related computers except as necessary or appropriate for Foundation purposes.
Staff will take care not to send confidential/proprietary Company information to outside sources.
Electronic Documents: including Microsoft Office Suite and PDF files. Retention also depends on the subject matter.
- PDF documents – The length of time that a PDF file should be retained should be based upon the content of the file and the category under the various sections of this policy. The maximum period that a PDF file should be retained is 6 years. PDF files the employee deems vital to the performance of his or her job should be printed and stored in the employee’s workspace.
- Text/formatted files – Staff will conduct annual reviews of all text/formatted files (e.g., Microsoft Word documents) and will delete all those they consider unnecessary or outdated. After five years, all text files will be deleted from the network and the staff’s desktop/laptop. Text/formatted files the staff deems vital to the performance of their job should be printed and stored in the staff’s workspace.
Web Page Files: Internet Cookies
All workstations: All web browsers should be scheduled to delete Internet cookies once per month.
Skype, G-Chat, Slack, and other Messaging documents
All documents produced or stored as part of any messaging service used by any employee for Company purposes, including internal and external communications, shall be scheduled to be deleted automatically six (6) months after the date the communication took place and/or the document was generated. If the employee/user is unable to alter the document retention schedule of the particular chat service used, the document retention policy of that service shall control the handling of those documents.
Employees may from time to time utilize their mobile devices, including their personal cell phones, to exchange work-related text messages. All employees shall adjust their mobile device text settings to automatically delete text messages after thirty (30) days. The Company does not automatically delete electronic files beyond the dates specified in this Policy. It is the responsibility of all staff to adhere to the guidelines specified in this Policy.