In this article
An overview of Permutive's role in GDPR and user Privacy
- Q. What data does Permutive receive
- Q. What does Permutive do with collected data
- Q. Processor or Controller
- Q. Do Third Parties have access to the data we collect
- Q. How to Withdraw Consent
- Q. How can I submit a Subject Access
- Q. What we don't collect
Q. What data does Permutive receive?
Permutive collects user data on behalf of the publisher. As the data controller, the publisher configures Permutive to decide which data points they want to send to Permutive for processing. Standard events collected can be seen here.
Q. What does Permutive do with the data it collects?
As a user interacts with the site, a
permutive.track call is encountered and a user-event is recorded. This event is sent to the Permutive API for processing and storage, and internally, to the segmentation engine in the SDK for decisioning and actioning. At the Permutive API level, the event sent by the user is validated against the event schema setup by the publisher, and is rejected if it does not conform. The event is also enriched with geo information based on the IP address of the user. The Permutive API initiates a data flow that aims to store the event for posterity and analytics, and trigger any server side integration for SegmentEntry and SegmentExit events. At the segmentation engine in the SDK, the user-event causes an update to every segment. For every segment defined, when an event is fired, the user’s segment state is updated to either true or false, denoting the user having membership or not of the segment, respectively.
Q. Is Permutive a Processor or a Controller?
Permutive is a data processor. Permutive processes personal data on behalf of a controller and has been audited with a ‘Technical evaluation of data privacy for the product “Permutive, version 2.0”’ by ePrivacyseal, who have classified Permutive as a processor.
Q. Do any third parties have access to or use the data Permutive collects for each publisher?
No third parties have access to/use the data we process for our publishers unless they decide, as a controller, to enable this.
Q. How would our users withdraw consent from Permutive data collection?
This process is documented here.
Q. How can I submit a Subject Access Request for info or erasure?
Catalog your list of SAR users by the user ID in a list or spreadsheet and email it to firstname.lastname@example.org . We will action this within 20 days of receipt and confirm when the request is complete.
Q. What types of data does Permutive not collect?
A range of sensitive data points must not be collected by Permutive. These include:
- Credit card numbers
- Passport numbers
- Social security numbers
- Genetic data
- Physical health information and mental health data
- Sex life or sexual orientation data
- Religious or philosophical beliefs
- Political beliefs
- Trade union membership