The General Data Protection Regulation (GDPR) framework sets guidelines for the collection and processing of personal data of individuals who live in the European Union (EU). This regulation aims to give users complete control over their data.

MoEngage complies with the guidelines mentioned under GDPR and has built industry-standard APIs and SDKs which enable you to easily respond to the requests raised by individual users.

This article details the rights users have under GDPR and recommendations on how to comply with each of these rights while using MoEngage.

Right To Erasure

What is it?

The "Right to Erasure" allows data subjects to delete all information that you have about them from your servers and the servers of your data processors like MoEngage.

How to implement it?

To comply with this right, we have hosted an API that will remove all the personal data associated with specific users who have requested to be erased from MoEngage.

For information on using this API, please refer to our implementation docs here.

The API accepts one of the following parameters as input:

- ID (required for logged-in users)
- Email
- Mobile Number
- GAID (required for anonymous users)
- IDFA (required for anonymous users)

Removing a user’s personal data will erase personal data from MoEngage. To maintain the integrity of campaign and application usage analytics, anonymous aggregated data will not be modified when an end user is removed (for example, MoEngage will not decrement an app’s MAU numbers or Campaign Stats when an end user is deleted.) However, this data will not be connected in any way to the profile of the forgotten end user, ensuring that this anonymized and aggregated data cannot be tied back to any individual user.

Once the API request is made to remove personal data for specific users, it will take up to 7 days for completing this request. It may, however, take 60 days to remove this data from all our logs and backups. We need to maintain the data for 60 days to justify our processing of erasure requests of personal data related to every user.

You can refer to this article for more details on the GDPR erase API.

Right to Access

What is it?

The data subject under GDPR has the right to Confirmation that their data is being processed; Access to their data; and Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see GDPR Article 15).

How to implement it?

To export a user's data from MoEngage, we allow you to navigate to our dashboard and download the data of users as required.

Follow the steps mentioned in this document to know more about downloading data from MoEngage.

Right to Rectification

What is it?

Data subjects, under GDPR, are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible.

How to implement it?

MoEngage customers can update the user data of specific users in MoEngage by using one of our data import APIs. These are by default enabled for all clients and can be used whenever an end-user requests for their information to be updated. For information on MoEngage Data Import API and how to update user data in MoEngage, please refer to the docs here.

Right to Data Portability

What is it?

The right to data portability allows individuals to obtain and reuse their personal data across different services.

How to implement it?

Similar to Right to Access, MoEngage customers can easily download data of specific users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard. For more information on this, you can refer to our help article

Right to Restriction of Processing

What is it?

Data Subjects have the right to ‘block’ or suppress the processing of specific subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future.

How to implement it?

To comply with the data tracking opt-out requests of users under the "Right To Restriction of Processing" of GDPR, our latest SDKs are now shipped with the methods to opt-out of data tracking.

For information on leveraging the capabilities of our new SDKs to restrict data processing, please have a look at the below implementation docs:

- ANDROID

- iOS

- Web

Once the data processing is stopped from the SDK, the SDK will not track any events except the ones which can be tracked anonymously like 

• Push (Notification Received Android, Notification Clicked Android, Notification Swiped Android)
• iOS Push (Notification Sent iOS, Notification Clicked iOS)
• web Push (Notification Received web, Notification Clicked web)
• InApp (InApp Shown Android, InApp Clicked Android, InApp Closed Android, App Rated)
• InApp (InApp Shown iOS, InApp Clicked iOS, InApp Closed iOS, App Rated)
• Anonymous Lifecycle Events (MOE_APP_EXIT, TOKEN_EVENT, App/Site Opened, Viewed Web Page)
• Stats Events (NOTIFICATION_OFFLINE_MOE,DT_CAMPAIGN_SCHEDULED, EVENT_ACTION_COPY_COUPON_CODE)

Please note the below points when implementing the data tracking opt-out methods of our SDK- 

- Opting out of data tracking does not ensure the erasure of data. To restrict the processing of data and also erase it completely, please make the erase API request separately.

- Opting out of data tracking does not ensure that push notifications will not be sent. In order to suppress push notifications on devices/users, please refer to the Opt-out of push notifications section below.

Right to Object

What is it?

Data Subjects have the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data.

How to implement it?

If one of your users invokes their right to object to the processing of personal data, you need to restrict the processing of their personal data by following the steps mentioned under the "Right to Restriction of Processing" section of this article.

You would also need to erase the personal data of this user by following the steps mentioned under the "Right to Erasure" section of this article.

Right to be Informed

What is it?

Data Subjects have the right to be informed about what you do with their personal data.

How to implement it?

When a user is signing up to use your app/website and before you actually capture their personal data, it is your responsibility to tell them how you are going to use their personal information. You need to ask your users before sending them marketing communication like push notifications, emails, SMS, etc., and also call out how you plan to use their personal data if for something else.

MoEngage uses the personal data of your data subjects responsibly and removes it when no longer necessary. You can refer to our privacy policy to know more about how we process the data of your end users.

Opt out of campaign messages

Under GDPR, you are required to take consent from your users before sending them Push notifications, SMS, or any other message. In case you want to restrict messages for a few users or devices automatically, we recommend the below options:

Using Preference Management

You can take the push permission from every user and set it as a user attribute. Once this is done, you can exclude the users who have opted out of push notifications from campaign segmentation. Please refer to this doc on Preference Management to use this.

Using SDK Methods for blocking push notifications and in-apps

The MoEngage SDKs allow you to restrict push notifications and in-app messaging on specific devices. In case, a user while signing up on your app does not provide consent for sending push notifications and/or in-app messages, you can restrict these from the SDK directly. Please refer to the below SDK documentation for more information on opting out of push notifications and in-app/on-site messaging.

Note:  Opting out of push notifications and in-app messaging is not supported anymore from Android sdk version 12 and iOS sdk version 8

Android:

• Opt-out of Push Notifications
• Opt-out of In-App Messaging

iOS:

• Opt-out of Push Notifications
• Opt-out of In-App Messaging

Web:

• Opt-out of Push Notifications: By default, web push notifications need an explicit opt-in from users. To disable push notifications for specific browsers, you can leverage the existing browser functionality to disable notifications.
• Opt-out of On-site Messaging

Privacy by design

Opt-out of advertising identifiers:

As a part of privacy by design, our SDKs allow you to opt-out of the advertising identifiers if and when required.

Refer to our SDK documentation for more information on this. Android | iOS

Archival policies

To protect the privacy of your users, we only save the data of your users until it is absolutely essential. To comply with this, we have certain archival policies in place that allow us to automatically delete data that is no longer necessary. 

To know more about our archival policies, refer to this article.

In addition to this, if there are any other queries about GDPR compliance, you can always reach out to your MoEngage Customer Success Manager or write to us at support@moengage.com