Personal Data

This is for:

Developer

What is personal data?

Personally Identifiable Information (PII) is a commonly used term in the United States to refer to data that could be used to distinguish or trace an individual'`s identity.

In approaching this subject, Qubit adheres to the broader definition of personal data outlined in the European Union data protection directive, 95/46/EC, which has a broader definition of what is considered to be that part of a customer’s data that could be used to distinguish or trace an individual'`s identity, and includes social media posts, photographs, lifestyle preferences, and transaction histories:

Article 2a: ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity

This article will help our customers understand:

  • How they can maintain complete control over the geographic locations where their data is stored and accessed, and other relevant compliance considerations

  • The respective roles that they and Qubit play in managing and securing data collected, processed, and stored in Qubit’s systems and how customers can comply with EU law, address their security needs, and encrypt, and otherwise protect their content

  • How Qubit’s products use customer data

  • How Qubit responds to requests for data access (Data Subject Access Request)

How is customer data treated?

Qubit only accesses customer data to provide the selected Qubit products and professional services. Qubit does not access customer data for any other purpose.

Qubit does not know what data customers choose to collect and store and cannot distinguish between personal data and non-personal data. Qubit therefore treats all customer data in the same way, applying the same robust security measures to all data, irrespective of whether it is personal data or not.

Where is customer data stored?

All customer data collected by Qubit is stored on remote server sites owned and operated by Amazon Web Services (AWS), located in Dublin and Google Cloud Platform (GCP), located in Belgium. For EU-based customers, all customer data is stored within the European Economic Area (EEA).

Both AWS and GCP provide a wide range of information regarding their IT control environment through white papers, reports, certifications, accreditations, and other third-party attestations.

See http://aws.amazon.com/security and https://cloud.google.com/security/compliance for more information.

How does Qubit apply the European Union’s directive on data protection?

Within the European Union, data protection is legislated for in the Directive 95/46/EC. This directive sets out a number of data protection requirements, which apply when personal data is being processed.

In short, the Directive requires data processing carried out on behalf of a customer to be covered by a contract or legally binding act that ensures any processing is only carried out on instruction from the customer and in compliance with any national law designed to protect personal data. Protection covers accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, and all other unlawful forms of processing.

Qubit understands processing to include all collection, transfer, storage, and querying of data.

Qubit is a provider of technology and infrastructure that is completely under each customer’s control, including how and whether the data is processed. Qubit does not have any control over what data customers are collecting, storing, or uploading and, importantly, whether or not that content includes any personal data.

In each case, it is the customer that determines what data is collected or uploaded and sent through to our systems for storage.

Qubit therefore considers itself to be a Data Processor within the meaning of the Directive, and each customer a Data Controller. This distinction is recorded in each customer contract, which incorporates Qubit’s standard terms and conditions for the supply of its technology, as well as a Statement of Work where professional services are to be delivered.

Under the Directive, the Data Controller is responsible for implementing appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.

Where processing is carried out by a data processor on the data controller’s behalf, the data controller is also responsible for choosing a processor that provides sufficient technical and organizational measures governing the processing to be carried out.

What are the fundamental data protection principles?

We summarize in the table below some of the key data protection principles that customers generally consider in this context. We also discuss aspects of the Qubit services relevant to these principles.

Fairness

Summary of Data Protection Obligation Considerations

Data subjects should be given accurate and full information about the identity of the controller, the purposes of the processing, and any other information necessary to guarantee fair processing

Customer It is the customer that decides what data it collects and for what purpose it is used. In most cases, the data subject will be an end-user of the customer’s website or mobile application and there will therefore be a direct relationship between them. In particular, the customer is responsible for giving fair notice to the data subjects, and in obtaining any consent necessary to collect and process any personal data through Qubit’s systems

Qubit Qubit has no control over what types of data the customer chooses to collect and store, and for what purpose. Qubit has no direct relationship with data subjects, and is therefore not able to provide any information to them.

Lawful basis

Summary of Data Protection Obligation Considerations

The controller must have a lawful basis for data processing, which satisfies at least one of the criteria set out in the Directive

Customer When deciding whether and for what purpose it will process personal data, the customer will need to consider whether it satisfies one of the criteria in the Directive. These include, for example, that the data subject has given his consent, or that the processing is necessary for the performance of a contract to which the data subject is a party

Qubit As stated above, Qubit has no control over what types of data the customer chooses to collect and store, including whether or not it includes personal data. Qubit plays no role in the decision making process that determines whether and for what purpose this data will be processed. Accordingly, Qubit is not able to ascertain whether there may be a lawful basis for the processing

Purpose limitation

Summary of Data Protection Obligation Considerations

Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes

Customer It is the customer that decides the purpose for collecting and storing personal data. When making this decision, the customer must ensure that it has a specified, explicit, and legitimate purpose. It is the customer that decides whether the data will be subsequently processed for any other purpose, and whether this is compatible with the initial purpose

Qubit Qubit has no control over the purpose for data collection and storage. To the extent that the customer data contains personal data, Qubit only processes that data to provide those products and/or services selected by each customer to that customer, except in limited cases, where required to comply with law or a valid and binding order. At the end of any customer relationship, Qubit will transfer the data back to the customer and/or permanently delete it from its systems

Rights of data subjects

Summary of Data Protection Obligation Considerations

Data subjects must be able to access their personal data, and obtain the rectification, deletion, or blocking of personal data which is processed otherwise than in accordance with the Directive

Customer The customer retains control of data stored on Qubit’s systems, and therefore can decide how data subjects may access their personal data included in that data. Similarly, it is the customer who is best placed to be able to respond to a request or complaint from a data subject regarding the lawfulness of the customer’s data processing activities

Qubit As explained above, Qubit has no control over what types of data a customer chooses to collect and store and for what purpose. Qubit is not the data controller of this data, and is therefore not able to provide any information to data subjects. Qubit has a limited ability to connect stored data to any particular person. That information is exclusively under each customer’s control

Accuracy

Summary of Data Protection Obligation Considerations

Data controllers must ensure that personal data is accurate and, where necessary, kept up to date

Customer The customer has control over the personal data that it chooses to collect and store. It’s therefore responsible for verifying and maintaining its accuracy

Qubit Qubit has no control over what types of data the customer chooses to collect or store. Qubit does not enter or modify any data on a customer’s behalf, other than batch uploads of customer data which is performed strictly according to a customer’s instructions. It’s therefore unable to verify data or update it

Data security

Summary of Data Protection Obligation Considerations

Data controllers must implement appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure, or access

Customer Only the customer is in a position to determine whether any particular security architecture it designs or implements is appropriate to any particular type of data including personal data

Qubit Qubit uses external auditors to verify the efficacy of its security measures, including the security of the physical data centers from where Qubit provides its services. Upon a customer’s written request and signature of an NDA, Qubit will provide customers with a summary of the auditors’ report so that customers can reasonably verify Qubit security measures. Qubit will also provide this summary to data protection authorities on request.

In addition, Qubit is ISO 27001 certified. This confirms Qubit’s commitment to certain information security principles and procedures

Data Retention

Summary of Data Protection Obligation Considerations

Personal data should not be kept in an identifiable form for longer than is necessary for the purpose for which it was collected or processed

Customer It is the customer that decides the purpose of personal data collection and storage in Qubit’s systems, what it will be used for, and accordingly, how long it is necessary to retain that data. The customer can delete or anonymize the personal data when it is no longer needed

Qubit As Qubit does not determine whether customer data includes personal data or the purpose for data processing, it cannot determine for how long it is necessary to retain the data in order to achieve that purpose.

On expiry or termination of the contract between Qubit and a customer, the data is rendered unreadable or disabled in accordance with Qubit’s standard policies and deletion timelines. Qubit procedures also include a secure decommissioning process conducted prior to the disposal of storage media used to provide Qubit’s technology and services

Transfer

Summary of Data Protection Obligation Considerations

Personal data should not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Customer The customer can choose to locate their content and servers either globally or exclusively in the EEA.

How is customer data is used in the Qubit platform?

Data collection

Qubit’s on-site JavaScript collects the contents of any QP events emitted on a page, as well as some metadata such as the page URL, session number, and IP address. We do not collect any other data unless explicitly requested. This data is transmitted, using the same protocol as the page, to Qubit’s servers. It is then processed and stored in our secure systems.

For customers that have not implemented QProtocol, the data layer can be built by reading values off the page, known as page scraping. We will only scrape pages to build up as close a data picture as that achieved with QProtocol.

Analytics

The Qubit Analytics pipeline can provide data at varying degrees of aggregations. At its highest level, reports can be built which contain just high level metrics of groups of users. When scoping out a report with your Qubit Strategist, you may have the option to pull through personal data into a dashboard for your use, as long as those fields have been populated into the QProtocol events on the page.

Targeting

Ingested data can be made available for targeting through our managed services offering. The data to be ingested must be provided to Qubit without personal data fields, and with an understanding that the dataset will be made available for lookup keyed off a common user identifier.

Basket abandonment

For our Abandonment recovery solution, the user’s email and basket contents must be collected and stored. This data is kept in our secure storage where it is encrypted before being saved to disk.

Offline import

Qubit’s Datasets allows you to import data from external datasets for use throughout the Qubit platform. The contents of the ingested file will be accessible openly over the web. You should bear this in mind before uploading any personal data, such as names, email addresses, or any similar personal data. See A focus on Lookup availability for more information.