Mavrck Data Privacy & Security: Frequently Asked Questions
Mavrck prioritizes consumer trust. We know that personal data is important to both our customers and the individuals which may work with our customers on influencer marketing campaigns. That is why we keep personal data private and safe.
Mavrck helps customers and individuals maintain control of their privacy and data security in a myriad of ways:
- Disclosure of Personal Data: Mavrck only discloses Personal Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Trust: Mavrck has developed security protections and control processes to help our customers and recipients ensure a secure environment for their information.
What is Personal Data?
Personal Data is any information, which is stored in or transmitted via the Mavrck services, by, or on behalf of, our customers or influencers. It typically will include an influencer’s name, gender, age, location, phone, and email, which are all necessary for Mavrck to deliver its influencer marketing services.
What is sort of data is processed by Mavrck?
The data and information collected and processed by Mavrck in the context of the provisioning of the Mavrck platform and services for our customers includes the following categories:
Customer Account Information
Personal data related to the customer’s employees using the Mavrck platform required for the usage of the platform.
Customer Campaign Data
- Customer data related to campaigns that are to be executed via the Mavrck platform, such as:
- Copy & creative describing the campaign.
- High level information about customer product’s
- Performance data associated with campaigns
- Information about incentives awarded to influencers
- Communications between the customer and influencers that they are collaborating with
The Mavrck platform processes data collected from influencers who login to the Mavrck platform as part of participation in a customer campaign.
- Contact information, such as email, mailing address, & phone numbers
- Demographic information, such as age & gender
- Social data, such as account names/handles and posts made by the influencer
- Campaign content, such as surveys, reviews, images, and blog posts.
Mavrck does not store, collect, or process any of the following:
- Social security numbers or any other form of government issued identification
- Medical information or records
- Credit card / payment data
- Non public information about an influencers followers / friends / etc.
Who owns and controls Personal Data?
From a privacy perspective, the Customer is the controller of Personal Data, and Mavrck is a processor. This means that throughout the time that a Customer subscribes to services with Mavrck, between Mavrck and the Customer the Customer retains ownership of and control over Personal Data in its account.
Who are Mavrck’s sub-processors?
Mavrck works with a number of third parties to provide hosting, analytics and other services that may use data to help Mavrck perform its contractual obligations to its Customers. Mavrck works with companies like: Amazon Web Services, Snowplow, SendGrid, ZenDesk, BazaarVoice, PowerReviews, ClickMeter, Tine, Oracle BlueKai, Adobe, Sentry.io, Loggly, TraceView, Netra and others. To the extent that data is shared with any of these entities or others like them it is done under contract with appropriate data protections and restrictions and the shared data is limited only to such data to allow the sub-processors to perform their services for Mavrck.
How does Mavrck use Personal Data?
We use Personal Data to help brands evaluate who they wish to work with for an influencer marketing campaign, the performance of the individual, to improve our services, and occasionally to fulfill incentives or rewards.
Where will Personal Data be stored?
Mavrck has data centers in the United States. Personal Data managed by Mavrck is only stored in the United States.
How does Mavrck Respond to Information Requests?
Mavrck recognizes that privacy and data security issues are top priorities for customers and influencers.
What is Mavrck’s process for data deletion requests?
Mavrck shall promptly notify our customer if we receive a request from an individual (GDPR Data Subject) to exercise their right to access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to processing, or right to not be subject to automated individual decision making. These requests are known as ‘DSR Requests’ by GDPR.
Mavrck will make reasonable efforts to respond to a DSR request, either from the Data Subject or from the customer, within 7 business days of the request.
Upon completion of the DSR request, Mavrck will notify the customer via email.
How does Mavrck respond to legal requests for Personal Data?
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe it to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.
What is Mavrck’s process for notification of data breaches?
Mavrck will notify our customers within 48 hours of becoming aware of a personal data breach. We will provide the customer with sufficient information to allow the customer to meet any obligations to notify authorities and/or data subjects of the breach.
The EU Data Protection Directive (also known as “Directive 95/46/EC“) addresses the processing of personal data and the free movement of such data. Broadly, this Directive sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.
Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.
Effectively this means that anyone using personal data needs to have a legal reason to use a subject’s data. That reason could be consent (they opted in) with notice (you told them what they were opting into), performance of a contract (e.g. they are your customer and you want to send them a bill), or what the GDPR calls “legitimate interest” (e.g. they are a customer, and you want to send them products related to what they currently have).
How does the EU Directive apply to Customers and Influencers?
Mavrck customers which collect and store personal data are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including Directive 95/46/EC and the GDPR as of May 25, 2018.
What are the “Model Clauses”?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”). If you believe that our customers are using or providing your data to us in error, and your are located in the EU, we encourage you to seek any remedies that may be available to you through the EEA.
Does Mavrck replicate the Personal Data it stores?
Mavrck periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files.
Since our inception, Mavrck’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To be compliant we have put in place systems and processes that will allow us to:
- Respond to requests from data subjects to correct, amend or delete personal data.
- Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
- Demonstrate compliance with the GDPR as pertaining to Mavrck’s Services.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
To whom does the GDPR apply?
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
What implications does GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
How has Mavrck been preparing for the GDPR?
Mavrck will be compliant with the GDPR when it becomes enforceable in May 2018. Our privacy team is reviewing Mavrck’s current product features and practices to ensure we are able to support our customers with their GDPR compliance requirements.
Does Mavrck currently provide any product specific features/functionality in its product to assist us with our GDPR compliance program?
- Mavrck customers can view all Personal Data collected by viewing their reports in their account. Mavrck customers can email Mavrck at [email protected] to request the removal of any personal information.
- Other individuals that may have provided Mavrck with personal information can email Mavrck at [email protected] to request details on their information or to request their information be removed.
What is the Privacy Shield?
The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law.
Is Mavrck certified under the Privacy Shield?
Mavrck has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.
This is great news for our customers, providing them with an even better data transfer mechanism than the former U.S.-EU and U.S.-Swiss Safe Harbor Frameworks. Mavrck moved quickly to adopt the Privacy Shield principles as part of our ongoing commitment to privacy and protecting our customers’ data.