Over the past year, VWO has been preparing to meet the requirements of the GDPR, the new data protection law that came into force on May 25, 2018. GDPR specifically affects European and non-European online businesses that store and use website visitor and apps data in the European Economic Area (EEA).
If you are a VWO user in the EEA or are otherwise subject to the GDPR, please review the following information to understand how VWO tracks and handles user personal data and information.
Session Recording Settings
VWO has introduced different setting configurations to make sure that personal data of your website visitors are anonymized when capturing Session Recordings data. VWO servers do not store personal information of any user and all data passing through our servers is encrypted or hidden to ensure visitor privacy.
As an account administrator, you can review and update your data recording preferences. To learn more about setting recording preferences, click here.
|Key Presses||All key presses are anonymized by default.|
|Hide the Entire Body||You can anonymize the entire HTML body of your website during a recording. Note that only text can be anonymized, but not images.|
|Anonymize/Whitelist by Using the CSS Selector Path||
You can anonymize or whitelist an input/non-input field by using the selector path of the element in VWO. To learn how to find the selector path, click here.
For example, if you want to anonymize a field containing user information in your Order page, you can blacklist the field to hide the data in the recordings.
|DOM mutation and HTML data||All DOM mutation and HTML data tracked during session recordings is encrypted and then sent to VWO servers.|
|Add the nls_protected class to anonymize/whitelist elements||To anonymize or whitelist an element, add the nls_protected class to the element.|
|3 consecutive digits||Always anonymized by default, unless the data is whitelisted.|
|Password fields||Always anonymized, even if data is whitelisted.|
Custom dimensions are used to collect user data, preferences, and personal information. If you are using Custom Dimensions to manage visitor data, it is recommended that you review the updates in our VWO settings to make sure your data is safe and protected. In cases where user information is unavoidable, we recommend that you use salt with minimum hashing requirement of SHA256, with a minimum of 8 characters. To learn more about using Custom Dimensions, click here.
By default, VWO filters all incoming data for any custom dimensions for personal user information such as email addresses and credit card numbers. To override the default settings, you can define regex rules and then add to the specific filter in VWO custom dimensions.
|Flushing data||You can delete all data collected for any custom dimension.|
VWO introduces Privacy Center to help you review or modify user information collected from your website visitors. For example, you can select what location information you want to track like countries, regions, or cities. To learn more about privacy settings, click here.
|IP Address||By default, VWO replaces the last octet of IP Address with 0 (zero) before saving location information. You can customize the setting to choose if you want more numbers to be anonymized for IP addresses. You can even disable tracking any IP address information at all.|
|Location||For location data, VWO tracks the Country, Region & City information of your website visitors. You can change the preference to collect only country or region information. You can even disable storing location information.|
|Detecting personal information in Query Parameters||By default, VWO filters any personal or sensitive information in query parameters and anonymizes them. You can customize the filter conditions for query parameters,|
|Adhere to Visitor’s Do Not Track Settings||All website visitors allow users an option to disable websites and mobile applications from tracking their visits. To honor the visitor preferences, VWO provides an option to Adhere to Do Not Track Settings of the visitor.|
As a VWO administrator, you can seek user consent before your website visitors participate in the On-page Surveys. The consent message is displayed along with a welcome message and links to our Privacy and Security Policies. To learn more about VWO on-page surveys, click here.
Handling Data Subject Rights
VWO is fully committed to upholding the data privacy, security, and rights of both our customers and their users. As a GDPR compliant organization, customer trust and data privacy remain our key focus area. For more understanding, please refer to our Privacy, Security, and Opt-out policies.
|Right to consent||
Adhere to Do Not track Settings
VWO provides an option to account administrators to honor the user’s browser DNT settings. To learn more about Privacy settings, click here.
|Right to access data||
Providing data to a data subject
|Right to erasure||
Deleting Data of a Data Subject
As VWO account admin, you can delete the website and mobile app data for specific data subjects using their UUID.
Please note that removing a specific UUID data record is not possible for some campaigns like AB test or personalization. To completely remove UUID data from a test, you must flush the entire test data and start it again. To learn more about managing UUID data access, click here.