The General Data Protection Regulation (GDPR) framework sets guidelines for the collection and processing of personal data of individuals who live in the European Union (EU). This regulation aims to provide users complete control over their data.
MoEngage complies with the guidelines mentioned in the GDPR and has built industry-standard APIs and SDKs, which enable you to easily respond to the requests raised by individual users.
This article details the rights users have under the GDPR and recommendations on how to comply with each of these rights while using MoEngage.
Right To Erasure
What Is It?
The "Right to Erasure" allows data subjects to delete all information that you have about them from your servers and the servers of your data processors such as MoEngage.
How to Implement It?
To comply with this right, we have hosted the GDPR/CCPA API that removes all personal data associated with specific users who have requested their data to be erased from MoEngage. For more information, refer to GDPR/CCPA API.
The API accepts one of the following parameters as input:
- ID (required for logged-in users)
- Mobile Number
- GAID (required for anonymous users)
- IDFA (required for anonymous users)
Removing a user’s personal data erases their personal data from MoEngage. To maintain the integrity of campaign and application usage analytics, anonymous aggregated data is not modified when an end user is removed (for example, MoEngage does not decrement an app’s MAU numbers or Campaign Stats when an end user is deleted). However, this data is not connected in any way to the profile of the forgotten end user, ensuring that this anonymized and aggregated data cannot be tied back to any individual user.
After the API request is made to remove personal data for specific users, it takes a maximum of 7 days for completing this request. It may, however, take 60 days to remove this data from all our logs and backups. We need to maintain the data for 60 days to justify our processing of erasure requests of personal data related to every user.
For more information on the GDPR erase API, refer to GDPR/CCPA API.
Right to Access
What Is It?
The data subject under the GDPR has the right to Confirmation that the users' data being processed, access to their data, and other supplementary information largely correspond to the information that must be provided in a privacy notice (see GDPR Article 15).
How to Implement It?
You can export user data from MoEngage. Navigate to the Segmentation module on the MoEngage dashboard and download the data as required. For more information, refer to User Data Exports.
MoEngage also hosts an API that returns all the personal data associated with specific users (who have requested data access from MoEngage). For more information, refer to Get User API.
Right to Rectification
What Is It?
Data subjects, under GDPR, are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible.
How to Implement It?
MoEngage customers can update the data of specific users in MoEngage by using one of our Data Import APIs. These are enabled for all clients by default and can be used whenever an end-user requests for their information to be updated. For information on MoEngage Data Import API and how to update user data in MoEngage, refer here.
Right to Data Portability
What Is It?
The right to data portability allows individuals to obtain and reuse their personal data across different services.
How to Implement It?
Similar to Right to Access, MoEngage customers can easily download data of specific users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard. For more information, refer to User Data Exports.
You can also use the Get User API of MoEngage to request data about specific users. For more information, refer to Get User API.
Right to Restriction of Processing
What Is It?
Data subjects have the right to block or suppress the processing of specific subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future.
How to Implement It?
To comply with the data tracking opt-out requests of users under the "Right To Restriction of Processing" of GDPR, our SDKs have the methods to opt-out of data tracking.
For information on leveraging the capabilities of our SDKs to restrict data processing, refer to:
After the data processing is stopped from the SDK, it does not track any events except the ones which can be tracked anonymously such as:
- Push (Notification Received Android, Notification Clicked Android, Notification Swiped Android)
- iOS Push (Notification Sent iOS, Notification Clicked iOS)
- Web Push (Notification Received Web, Notification Clicked Web)
- In-App (InApp Shown Android, InApp Clicked Android, InApp Closed Android, App Rated)
- In-App (InApp Shown iOS, InApp Clicked iOS, InApp Closed iOS, App Rated)
- Anonymous lifecycle events (MOE_APP_EXIT, TOKEN_EVENT, App/Site Opened, Viewed Web Page)
- Stats events (NOTIFICATION_OFFLINE_MOE,DT_CAMPAIGN_SCHEDULED, EVENT_ACTION_COPY_COUPON_CODE)
Remember the following points when implementing the data tracking opt-out methods of our SDK:
- Opting out of data tracking does not ensure the erasure of data. To restrict the processing of data and also erase it completely, make the erase API request separately.
- Opting out of data tracking does not ensure that push notifications are not sent. To suppress push notifications on devices/users, refer to Opt Out of Campaign Messages.
Right to Object
What Is It?
Data Subjects have the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data.
How to Implement It?
If one of your users invokes their right to object to the processing of personal data, you must restrict the processing of their personal data by following the steps mentioned under the "Right to Restriction of Processing" section of this article.
You must erase the personal data of this user by following the steps mentioned under the "Right to Erasure" section of this article.
Right to Be Informed
What Is It?
Data subjects have the right to be informed about what you do with their personal data.
How to Implement It?
When a user is signing up to use your app or website and before you actually capture their personal data, you must inform them how you are going to use their personal information. You must ask your users before sending them marketing communication such as push notifications, emails, SMS and also inform how you plan to use their personal data if for something else.
MoEngage uses the personal data of your data subjects responsibly and removes it when no longer necessary. You can refer to our privacy policy to know more about how we process the data of your end users.
Opt Out of Campaign Messages
Under the GDPR, you must take consent from your users before sending them Push notifications, SMS, or any other message. If you want to restrict messages for a few users or devices automatically, we recommend the following options:
Using Preference Management
You can take the push permission from every user and set it as a user attribute. After this is done, you can exclude the users who have opted out of push notifications from campaign segmentation. For more information, refer to Preference Management.
Using SDK Methods for Blocking Push Notifications and In-Apps
The MoEngage SDKs allow you to restrict push notifications and In-App messaging on specific devices. If a user, while signing up on your app does not provide consent for sending push notifications and/or In-App messages, you can restrict these from the SDK directly. Refer to the following SDK documentation for more information on opting out of Push notifications and in-app or On-site messaging.
info |
Information Opting out of Push notifications and In-App messaging is not supported anymore from Android SDK version 12 and iOS SDK version 8. |
Android:
iOS:
Web:
- Opt-out of Push Notifications: By default, Web Push notifications need an explicit opt-in from users. To disable Push notifications for specific browsers, you can leverage the existing browser functionality.
- Opt-out of On-site Messaging
Privacy by Design
Opt Out of Advertising Identifiers
As a part of privacy by design, our SDKs allow you to opt-out of the advertising identifiers if and when required.
For more information on this, refer to our SDK documentation
Archival Policies
To protect the privacy of your users, we only save the data of your users until it is absolutely essential. To comply with this, we have certain archival policies in place that allow us to automatically delete data that is no longer necessary.
To know more about our archival policies, refer to Data Archival Policies .
In addition to this, if there are any other queries about GDPR compliance, you can reach out to your MoEngage Customer Success Manager or raise a support ticket. For more information, refer to Raise a Support Ticket Through MoEngage Dashboard.