This document is a work in progress: last updated 18th April 2018
How we collect and store your data
In order to be fully transparent, we outline the processes used to collect data via our website(s) and how we manage and use that data.
Website Enquiry Forms
We operate standard enquiry forms on our website which collects user data. This is stored in MySQL database on our dedicated servers which are run exclusively by WEBS Ltd.
General enquiries (website audits, standard contact forms, quick enquiry forms) are stored in our website database and backup system. This data is NOT used for entry within mailing lists or CRM.
Customer Management Portal
Only those enquiries which convert to active customers are added to additional data processors such as our website portal, account system, CRM and contacts database.
We store data on our dedicated servers and we hold encrypted backups for 7 days on R1Soft Enterprise Servers. In addition, we hold encrypted data on Amazon S3 servers which automatically expunge after 3 months.
Identifying Personal Data
We collect customer data as follows
- Website Orders
- General Enquiry Forms (Enquiries)
- Website Service Requests (Orders)
- Website Analysis Requests (Audits)
- Direct Email (G-Suite)
We store customer data as follows
- MySQL Database (un-encrypted with MD5 pa)
- R1 Soft Enterprise (encrypted)
- Amazon S3 Servers (encrypted)
- WHMCS Management Portal (secured)
- XERO Accounting System (cloud-based)
- G-Suite (Previously Google Apps) Email
- G-Suite Contacts Database
Our archival and expunge practices are as follows
- 7 Day Archive on R1
- 3 Month Archive on Amazon S3
- Email (no expunge/archive process in place or planned)
- 18 Month – Inactive Client Data Removal
- On-Demand Customer Account Deletion and Purge
In regard to the e-mail, we store all correspondence for active customers in a designated folder, maintained via filters in the G-Suite system. This data is used for purely for our own internal purposes to revert back to past communications in order to better serve our customers.
Access to Data
We would, if required by law (under the GDPR) regulations, be able to supply data or delete data, relating to a past customer with whom we have no further dealings with.
As of April 18th, 2018, we have implemented a new system which provides us with full control over the deletion of data. If we are ever asked to comply with a data removal request, we can perform a one-click deletion of all client data which is purged from our core system and backup system. Using this feature removes all data relating to a given customer including, but not limited to, personal information in the user’s profile, service and invoice history, activity log entries, support ticket and email history.
We do not send marketing e-mails out to prospect customers at all. Customers who visit www.webs4seo.co.uk and/or www.webs.limited can safely submit enquiries without fear of their data being added to mailing lists or shared with 3rd parties. We ONLY communicate with prospect customers via e-mail or telephone for the sole purpose of answering the enquiry. Previous to May 2018, we would have kept this data in our website database (and backup system) and only converted it to active customer state, if the enquiry converted into a paying customer. Under GDPR rules, we will now expunge prospect enquiries which do not become an active customer, once 6 months have passed, or we are requested to remove it, whichever comes sooner.
Contacting Active Customers
Due to the type of service we offer, communication with an active customer is essential. We use a telephone, e-mail and cloud-based tools (Project Management systems) to collaborate. We ONLY store names, addresses, phone numbers and financial information relating to our services, on our systems. The only promotional email we use for active customers is as follows
- Service renewal reminders
- Service expiry notices
- Payment received notifications
- Introduction email for new customers
- Drip System for new customers at 30 days, 60 days, 90 days, 120 days and 360 days (informative and promotional type email)
- Technical News (segmented into sectors e.g social, SEO, hosting, development, industry)
Customer Opt-Out Rights
As our emails are not marketing based, we do not need or seek consent when a prospective client becomes an active one. Our ONLY communication is related to the service we provide and any promotional content, informs an active customer, which additional services may be of interest to them. If a customer wishes to be excluded from our ‘drip email’ which offers related services on the schedule above, they can remove themselves from their account area.
Past Customer Archival Automated Systems
As of April 18th, 2018, we have implemented an archival flush system which expunges obsolete data from our core systems and backup servers in line with our data retention policy. Customers who have been inactive for 18 months or more will be flushed under the new system rules, in addition to any customers who have manually requested account termination.
Client Data Reporting
As of April 18th, 2018, we now have tools in place to generate a customizable export of data for any customer. We can export in JSON format containing the data entity types chosen from a list of over 12 options.
- Completed audit and conducted a gap assessment
- Created internal roadmap to make sure we are compliant by 25 May 2018
- We’ve started to review our key third party vendor arrangements and make sure we have the appropriate contractual protections in place to satisfy GDPR
- We’re working on updating our internal policies and procedures for GDPR compliance
- We’re working on updating our external facing policies to be GDPR compliant and will be publishing those updated policies prior to the GDPR effective date
- Providing visibility and transparency
We are compiling a list of suppliers and software applications which act as ‘data processors’. We are acting as ‘data processors’ in respect of how we collect and manage user data for the purpose of running our own business. Our objective is to provide our customers with the access to effectively manage and protect their user data. W.E.B.S Ltd is exploring ways to make optimal product enhancements without compromising on performance so that we can provide better transparency to our customers.
- Enhancing data integrity and security
We already provide additional security for logging into our website portal via SSL and 2-Step authentication and we are taking every step possible to protect our data in live states and backups. We are ensuring all remote devices connected to our network or cloud-based facilities can be remote wiped if lost.
- Portability and transferability of data
GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. As we only hold basic data, we will be able to respond to requests to delete data and/or provide tools to do so from our client portal.