Privacy Policy - Clarification of CRM data exchange related to in-store transactions

Last update : July 19, 2022

Preamble

This document informs you of the manner in which the company E Retail Development – SAS RCS de Lyon n°751 652 934 – 6 Cours André Philip – 69100 Villeurbanne (acting under the trade name Smart Traffik) processes, in its capacity as joint controller with its Brand customers, your personal data collected via a sharing of personal data by the Brand customer and relating to your checkout in shop, carried out on the basis of its retained lawfulness; the purpose of such processing, the responsibilities of the parties involved and how you can, if you wish, object to it.

What data is collected by Smart Traffik through this sharing?

The Brand customer may, as part of Smart Traffik’s oKube service (see below “Purpose of processing”), share with Smart Traffik the data below:

Data relating to a customer’s in-store transaction (no information on the product or product category purchased is transmitted):

Amount of the transaction
Timing of the transaction
Location (Transaction shop)

Personal data linked to the person who carried out the transaction, which are known to the customer via his loyalty programme (these are data from customer relationship management programmes, known as “CRM“). This data is transmitted to Smart Traffik in an encrypted way only, i.e. the original data is transformed by the application of a technology allowing the transformation of an initial data into a string of random characters, without the possibility of returning to the original data without knowing the data in clear. The data that undergoes a transformation can be, depending on the data transmitted by the person to the Sign customer (the encrypted email address being in most cases the minimum data communicated) :

First name
Name
Email
Telephone number(s)
Postcode

Purpose of the processing

The purpose of this processing is to lawfully collect data used for Smart Traffik’s Omnichannel Audience Platform (oKube) processing (learn more about Okube processing) and thus shares the same purpose, which is to allow Smart Traffik’s Retail customers to:

Measuring the impact of online marketing levers on the performance of the brand/brand online and in-store;
Optimise marketing investment management through multi-touch attribution (i.e. understanding the contribution of different marketing efforts to omnichannel performance)
Visualise data on the basis of intelligible and accessible business indicators according to several levels of information;

Smart Traffik relies on the correlation of pseudonymised or anonymised data from online interactions (which may take place on different browsers and devices) and in-store interactions of end customers with its Retailer client, as well as data from Smart Traffik’s partners; all of which allows for the matching of data and/or (depending on the source of the data) the constitution of an omnichannel identifier (also known as an “omnichannel graph”) allowing for measurement.

It is therefore a question of producing global aggregated statistics, revealing no information relating to an individual, for the sole purpose of measuring performance. These statistics are made available within a dashboard for Smart Traffik’s Brand clients, in order to help them better manage their marketing investments. Under no circumstances is this data communicated to third parties or used for advertising targeting purposes.

Data controllers

Smart Traffik is co-responsible for the processing of this exchange of CRM data and OKube with its customers. Thus, each of the co-controllers at the source of the collection of the processed data undertakes to inform the customer of the processing and to offer them the means of exercising their rights, in particular concerning the right of information, access and opposition (see below). In the case of this exchange of data, the customer Ensign provides via its privacy policies and via its conditions of use of its loyalty programme the information relating to this processing and the ways of opposing the said processing, in particular by referring to Smart Traffik and this page.

Legal basis chosen

Smart Traffik attaches particular importance to the protection of personal data, and in view of its purpose of measuring performance, collects little personal data. Encrypted CRM data is collected lawfully from the Signs of which you are a customer, generally collected by the Sign customer on the basis of your consent, or in some cases of the Sign customer’s legitimate interest, while preserving and guaranteeing the rights and freedoms of individuals, in particular the privacy of personal data.

Recipients of the data collected

E RETAIL DEVELOPMENT, a simplified joint stock company, whose registered office is located at 6 cours André Philip, 69100 Villeurbanne and registered under the number 751 652 934 RCS Lyon (“Smart Traffik”), is the recipient of this data.

Note that Smart Traffik’s retail customers have access to a dashboard presenting the aggregated statistical measures but cannot in any case have access to the data shared and transformed by Smart Traffik once transmitted, in order to avoid overlaps between encrypted data that will have been subject to statistical processing and unencrypted data without the authorisation of the persons concerned.

Certain partners and advertising companies (more information) may also have access to Smart Traffik data, strictly for the purpose of using this data to meet Smart Traffik’s performance measurement objectives, and without retaining this data following the necessary reconciliation operation. It should be noted that in the case of Facebook, this is the Facebook Ireland entity, which has subscribed to the Standard Contractual Clause (https://www.facebook.com/help/566994660333381) validated by the European Commission, and related to the protection of data that would be transferred to its parent company, outside the European Economic Area.

How long is this data kept?

Identification data (title, first name, last name, telephone numbers, postal code): 24 months from the last interaction between the user and the Enseigne customer. Note that this data is ingested encrypted, so it is not in clear text in the Smart Traffik database.
Transaction data: 24 months

How to exercise your rights

The following rights (in addition to your right to information, to which Smart Traffik responds on this page) apply:

Right to object: you may object to the sharing of your data with Smart Traffik via the tools set up by the Enseigne client (opt-out avoiding sending to Smart Traffik upstream) if applicable or directly via Smart-Traffik. You may object to the processing of your data by Smart Traffik in the context of this exchange, upon request to gdpr@smart-traffik.io. At the very least, you will be asked for an email address to check whether you have already been the subject of the said processing (by re-encrypting this data) and to tell you more about the encrypted data that could potentially be linked to it.

You can also, if you wish, object directly to this processing via Smart Traffik, by entering your email address below (used for your loyalty programs with the Brand(s)):

Right of access: Smart Traffik can provide you with a copy of your processed data, upon request to gdpr@smart-traffik.io (proof of identity will be requested). Please note, however, that as Smart Traffik only uses encrypted (pseudonymised) data, we will need to have an original piece of data to be able to tell you if we can find it (by re-encrypting it), such as an email address.
Right to portability: you have the right to request the recovery of your data or their transfer to another service provider under the right to portability, upon request to gdpr@smart-traffik.io (proof of identity will be requested). Please note, however, that as Smart Traffik only uses encrypted (pseudonymised) data, we will need to have original data to be able to tell you if we can find it (by re-encrypting it), such as an email address.
Right of rectification: you have the right to rectify, correct and update your data at any time, upon request to gdpr@smart-traffik.io (proof of identity will be requested).
Right of limitation: you can also ask us to limit the processing operations to the sole conservation of your data, under certain conditions, under the right to the limitation of processing, on request to gdpr@smart-traffik.io (proof of identity will be requested).
Right to erasure: you can ask us to erase your data, upon request to gdpr@smart-traffik.io (proof of identity will be requested).

Smart Traffik is a member of the IAB and, as such, adheres to the use of the Transparency and Consent Framework proposed by the association. The Transparency and Consent Framework (TCF) proposes common rules to be adopted when processing personal data or accessing and/or storing information on a user’s terminal, such as cookies, advertising identifiers, device identifiers and other tracking technologies.

Your data and transfers outside the EU/EEA

Smart Traffik does not at any time transfer data outside the EU/EEA area on its Smart-Traffik.io website or within the current oKube solution.

However, the service providers and any subcontractors we use may transfer data outside the EU/EEA. Where this is the case, we ensure that such transfers are made on the basis of appropriate safeguards to ensure the security of your data.

How do we ensure the security of your data?

In addition to the encryption measures described above, in order to ensure and guarantee the security of your data, we have put in place all the technical and organisational measures at our disposal to prevent your data from being unintentionally and accidentally lost, used, altered, or made available to the public without your authorisation. The data collected by Smart-Traffik is stored on servers that protect it by encryption.

Should an event of this nature occur, we have implemented measures to react promptly and to inform you and the CNIL when necessary.

Data ownership

The data collected and processed via our software solutions remain at all times the exclusive property of our customers as co-processors and of SMART TRAFFIK acting as co-processor of its customers and acting according to the contractual terms defined in the defined co-processing agreements.

With the consent of our customers, we reserve the right to publish aggregated data on all sites using SMART TRAFFIK solutions. These aggregated data are global statistics allowing us to promote our solutions but do not contain any personal data or commercial information.

Data of minors

We do not knowingly collect or request information from minors (date of birth or age of users is not collected. It is not possible to determine age). If we discover that we have collected personal data from a minor, we will delete it as soon as possible.

Contact us

If you have any questions or complaints about the protection of your personal data, you can contact us at the following address

Paris

41-43 rue Paul Bert – 92100 Boulogne-Billancourt

Tel : +33 (0)1 46 55 55 24

contact@smart-traffik.io

Lyon

6 cours André Philip – 69100 Villeurbanne

Tel : +33 (0)1 45 32 32 71

contact@smart-traffik.io

You can also contact Smart Traffik’s Data Protection Officer (DPO) at the following address

Smart Traffik

6  cours André Philip – 69100 Villeurbanne

Phone: +33 (0)1 45 32 32 71

gdpr@smart-traffik.io