GDPR compliance

Zubi stores, manages, manipulates and presents data. This means that Zubi has to adhere to data protection and privacy regulations. On this page we have gathered all information about the platforms data handling to help you make informed decisions about if and how you need to address data privacy and data protection concerns.


Disclaimer

We recommend actions to the best of our knowledge to help you stay in compliance with privacy regulations such as the GDPR. It is however important to note that we do not provide legal counsil and the recommendations should not be considered as such.

Data capture

Zubi captures data using javascript, APIs and third party platform plugins. This data is then further processed for use in data analytics, marketing, on site user experience improvements and third party applications. It should be noted that Zubi does not store any data in its platform, nor does it send any data to third party applications by default. The user has to enable data storage in Zubi in order for Zubi to start storing and processing data. Furthermore it is required by the user to activate third party platforms in order for Zubi to send any data outside of the platform.

This means that the user is in full control of when and if Zubi manage any data for the user. However, as soon as Zubi is installed on the users website it writes cookies to the end users client (browser).

Cookies

The following cookies are used by Zubi when consent is obtained (or if privacy mode is turned Off). With privacy mode set to Strict, Zubi only set cookies critical to run, like the consent cookie.

NameIdDescription
A Unique User ID (UUID)-zl_udiA random Client (browser) identifier, set to expire after 730 days.
A visit counter-zl_upvA simple counter to keep count of the number of times the browser has visited the website
A session cookie-zl_usiA random Client (browser) identifier, set to expire after 30 minutes.
A ping cookie-zl_pingUsed to ensure no data is sent after the initial ping when no data storage is deactivated.
An extension cookie-zl_extUsed to manage extensions that the user has activated in Zubi.
Conversion deduplication-zl_uocv_Used to ensure orders are counted once in case the order completed event is triggered twice.
Consent cookie-zl_consentUsed to manage consent. This is a critical cookie that control the consent for the user.

Note

Most of these cookies are critical for functionality, hence they may not need to be stated in the privacy policy.

Personal data (PII)

The following Personally Identifiable Information (PII) is captured by Zubi when data storage is enabled and consent is obtained (or if privacy mode is turned Off).

With privacy mode set to Strict, Zubi never collects PII.

When using the javascript tracker:

  • Client IP (Always captured when available)
  • Country (Always captured when available)
  • City (Always captured when available)
  • Coordinates (Always captured when available)
  • Name (Only if included in the user event and order completed event)
  • Email (Only if included in the user event and order completed event)
  • Phone (Only if included in the user event and order completed event)
  • Address (Only if included in the user event and order completed event)
  • UUID (Used to internally identify a user when possible)

When using the platform plugins (in addition to the tracker):

  • Country (Captured from order data)
  • City (Captured from order data)
  • Name (Captured from order data)
  • Email (Captured from order data)
  • Phone (Captured from order data)
  • Address (Captured from order data)

Data use (PII)

The data capture is purpose driven, which means that we do not randomly collect data for possible future use. We collect specific data required for the services we provide. Below are all data points we consider to be PII on the platform and their respective use. Some of these may not always be PII, such as the UUID when there is no identified user connected to the ID. But we treat it as PII in all cases just to be sure.

UUID

  • Used to distinguish new from returning visitors
  • Used to follow a chain of events (e.g. which pages a visitor browse, and in what order) often referred to as a user or customer journey.
  • Used in visitor segmentation and audience creation internally on the platform.
  • Customer reporting such as in an aggregated view of a specific customer.

Client IP

  • Used as back up in analytics when the UUID is not available.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Customer reporting such as in an aggregated view of a specific customer.

Country

  • Used to present location based statistics. For example sales by country.
  • Used in visitor segmentation and audience creation internally on the platform.
  • Customer reporting such as in an aggregated view of a specific customer.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

City

  • Used to present location based statistics. For example sales by city or visitor by city.
  • Used in visitor segmentation and audience creation internally on the platform.
  • Customer reporting such as in an aggregated view of a specific customer.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

Address

  • Customer reporting such as in an aggregated view of a specific customer.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

Phone

  • Customer reporting such as in an aggregated view of a specific customer.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

Coordinates

  • Used to present location based statistics. For example to show visitors on a map.
  • Customer reporting such as in an aggregated view of a specific customer.

Name

  • Customer reporting such as in an aggregated view of a specific customer.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

Email

  • Customer reporting such as in an aggregated view of a specific customer.
  • Customer reporting such as sales attribution, customer lifetime value and other customer centric analysis.
  • Hashed and sent to Facebook/Meta when a user sets up audience sync.
  • Hashed and sent to Google when a user sets up segment sync with Google Ads.

Data storage

As part of the service we provide our customers we need to store data as long as the data is needed in the services.

Data protection

We do our outmost to protect the data we hold. It starts with being selective on what data we collect and store to minimize the risk of losing/exposing sensitive data that we never needed in the first place. Secondly we keep sensitive data encrypted whenever readability isn't required. Our data is located on european servers on the Google Cloud Platform, where it is encrypted at rest and in transit . As an additional level of protection we deidentify sensitive data att ingestion using the Google Cloud Data Loss Prevention (DLP) service.

Data retention

Unless otherways agreed, we retain data for a maximum of 2 years for reporting and statistics purposes as long as the account is active. Inactive accounts or deleted accounts do not retain data.

Data deletion

Data can be deleted at anytime upon request. May it be to delete data for a specific individual or an entire account. Data is also deleted upon account deletion or when an account becomes inactive.

In order to use Zubi in compliance with privacy regulation you should consider obtaining consent from your users to gather, store and process the data as stated below. Read all about Consent Management here .

  • For cookie storage on client device
  • For use of PII data in analytics & reporting
  • For use of PII data in marketing using 3rd party tools

Note

Be as transparent and specific as possible when obtaining consent. It helps the user to understand why and for what their data will be used.