Privacy and Data Protection

As a service provider and data processor, Lytics assists its customers in enhancing security and meeting privacy and data protection obligations, including the European Union’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act of 2018 (CCPA).

Listed below are the compliance-enabling functionalities Lytics provides. As used below, personal information (PI) has the same meaning in the CCPA and also is meant to include “personal data” as defined in the GDPR. Please consult with your company’s legal counsel or privacy professional as to what privacy and data protection requirements your company is required to comply with in this regard.

Lytics recognizes that its customers are the data controllers of the PI which Lytics processes on their behalf. Each Lytics customer maintains control over which PI sources and destinations to use with Lytics as well as the types and content of PI shared between its sources and destinations. Lytics does not sell PI or supplement its customers’ respective PI with third-party data, except via customer-directed integrations.

Restrict access to personal information by role.

• Role Based Access Controls (RBAC): Account Admins can easily add and remove account users. Lytics has various, defined user roles with respective permissions. Learn more about managing account users.

• Single Sign On (SSO): Add SSO to your user login process to enhance security.

• Multi-factor authentication (MFA): Add MFA to your user login process to enhance security.

• Restrict access to PI: You can indicate any user fields that contain PI via the private fields account setting. These fields will be hidden to anyone who does not have Admin, Data Manager, or User Search roles. You should verify with Lytics Support that the field hiding in the segment scan is also enabled for your account to ensure these fields are also hidden there.

Map personal information processed by Lytics, including sources and destinations.

• Audit your data schema: Use the Schema Audit feature to see what user fields are being populated, the data contained, the source(s), and if that data is being used in audience definitions.

• Determine third-party data sources: You can see the third-party data sources from which you are sending data to Lytics using the Lytics UI by navigating to Data > Data Streams. The "default" stream, unless otherwise configured, will contain your web data. Using the drop down menu at the top right, you will see your other integrations in the list of stream names. Each stream page will show you the last time Lytics received data.

• Determine third-party data destinations: You can view the history of activity for a data destination by using the Lytics UI by navigating to Data > Integrations. Click on the tile for the integration in question. If you're already running the integration you will automatically be taken to the overview page that shows a list of running imports and exports as well as the history of events for those works.

Manage user consent and preference data.

Lytics customers are responsible for obtaining consent for the collection and transfer of PI to Lytics for processing. You can use the Lytics JavaScript Tag to collect PI about customers' online behavior. One consent mechanism is to implement a custom tag and trigger in your Google Tag Manager account and assign that trigger to the Lytics JS tag. See how to manage consent with Google Tag Manager.

For sites not using Google Tag Manager, customer consent on the web can be managed in a few different ways. Consent triggers can be listened for by adding a snippet of custom JavaScript to your site. Another alternative is to use a cookie-consent solution of which there are many. Github has documented a free solution including demos. The Lytics JS Tag can be configured to consume triggers from any of these solutions to manage consent for your customers.

• Recording Proof of Consent: Schema fields may be established for the purpose of storing customer consents.

• Privacy Policy Notice: When you use a Lytics modal to collect user information, you should include a link to your organization’s privacy policy regarding treatment of the PI collected. A link can be added to any modal created using the Experience Editor.

• Age Gating: If you have collected accurate age data, you can build audiences that target or exclude certain ages.

Respond to data subject (consumer) requests in compliance with a variety of regional and state privacy and data protection requirements.

• Personal Data Access: Using the Find a user feature, enter the identifying details provided by the consumer to locate their profile. The profile "created" date refers to the earliest date Lytics collected any data on this user.

• Personal Data Correction: If user profile data requires correction, you need to send the corrected data to Lytics, which will be remapped to correct the resulting user profile information.

• Determining Categories of Personal Data Collected: You can use the Lytics UI to obtain information about the categories and specific pieces of PI collected on a consumer in the past 12 months. Again using the Find a user feature, you can view the fields of populated data and determine the appropriate consumer PI categories to disclose to a requesting data subject/consumer.

• Personal Data Portability: We support the export of profile information via the Lytics UI or APIs. An individual’s profile data from Lytics will be downloaded as a JavaScript Object Notation (JSON) file. JSON is a common, machine-readable file format.

• Personal Data Deactivation/Suppression: You can establish audiences to enforce consumer suppression and “do not market” choices and prioritize those choices when establishing marketing journeys for your consumers. These audiences can be exported from Lytics to your downstream tools or "data destinations".

• Personal Data Deletion: We provide a Delete User option in the Lytics UI. Our API may also be used for this purpose. This will send a deletion request to the Lytics platform, which will process the request for the customer identifier provided.

An independent auditor has examined Lytics platform controls and confirmed they are in accordance with the Service Organization Controls (SOC) 2 Type II Trust Services Principles for Security, Availability, and Confidentiality. You can find out more about our SOC 2 Type II examination in this blog post.

Lytics will continue to engage independent auditors to conduct SOC 2 Type II audits on a regular basis and make our audit report available to our customers as well as prospects under an NDA. In addition, we retain independent security firms to conduct regular penetration tests and vulnerability scans on our systems and code respectively. Google, our underlying cloud services provider, also submits to regular, multiple independent audits, including SOC 2 Type II audits.

• Lytics Data Protection Safeguards: Lytics and its data hosting partner, Google, have implemented numerous safeguards to protect the PI which Lytics processes on behalf of its customers. These safeguards are audited by external auditors on an annual basis. For more information regarding these safeguards, please ask your Lytics account manager.

• Transfers of Personal Data from EU: Lytics participates in the EU-US and Swiss-US Privacy Shield Frameworks regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. We have certified with the U.S. Department of Commerce that we adhere to the Privacy Shield Principles. If your organization requires Lytics to enter into the EU Standard Contractual Clauses regarding the transfer of data from the EU to the U.S., please let your account manager know.