Privacy & Security
The General Data Protection Regulation (GDPR) is the European Union’s legal framework for protecting personal data. It defines how organizations must collect, process, store, and delete personal information, and gives individuals specific rights over their data.
Roles and responsibilities
Before getting into the practicalities of ensuring GDPR compliance, it’s important to understand the key roles and responsibilities when using Prepr CMS to process personal data of web app visitors.
Controller
Under the GDPR, you, as our customer, have the role of the controller. This means you decide which personal data is collected, why it’s collected, and how long it’s retained. As the controller, you must ensure that there is a lawful basis for processing and that all data subject rights can be fulfilled.
Processor
We, as Prepr, perform the role of the processor. We process personal data only according to your documented instructions and we don’t decide the purposes of processing. As a processor, we implement appropriate technical and organizational measures, ensure confidentiality, work only with vetted sub-processors, and support you in fulfilling GDPR obligations.
Complying with GDPR
Now that you understand your GDPR responsibilities when using Prepr CMS, follow the practical steps below to stay compliant.
Manage access and security
GDPR requires that data be kept secure. Use our role-based access control to ensure only specific team members have access to sensitive customer data.
Review sub-processors
Make sure to review our sub-processor list and check that it aligns with your vendor management and compliance requirements.
Now that you know what’s required, here are the Prepr tools and features to help you stay compliant.
Using Prepr to process personal data
You can process personal data directly in Prepr via the UI, make REST API requests to fetch or update customers, and track visitors using the tracking pixel or the REST API.
Best practices
Before we look at specific features and tools, here are some best practices to follow.
Default data set
You should only collect what is strictly necessary for your web app to function or for your specific business goal.
- Prepr tracking pixel: Prepr uses client-side data collection through a first-party tracking pixel. This ensures data accuracy and bypasses most ad-blockers.
- Additional data: If a piece of data doesn’t have a clear, documented purpose, do not collect it.
Retention periods
By default, we delete inactive customers after 90 days. You can send a SignUp event to make sure that customers who’ve signed up to your web app will not be deleted.
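The retention rule above can be checked against a customer export before a deletion is expected. The following is an added example, not Prepr code; it assumes an export layout with `events[].type` and `events[].created_at` fields and a `SignUp` event type, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta

# Default retention for inactive customers stated in the Prepr docs: 90 days.
RETENTION_DAYS = 90

# Constructed sample exports. The field names (id, email, events[].type,
# events[].created_at, tags) are an assumption, not Prepr's documented format.
SAMPLE_EXPORT = json.dumps({
    "id": "cust-0001",
    "email": "jane@example.com",
    "events": [
        {"type": "View", "created_at": "2024-01-10T09:00:00+00:00"},
        {"type": "Like", "created_at": "2024-02-01T12:30:00+00:00"},
    ],
    "tags": ["newsletter"],
})
SAMPLE_EXPORT_SIGNED_UP = json.dumps({
    "id": "cust-0002",
    "email": "sam@example.com",
    "events": [
        {"type": "SignUp", "created_at": "2023-06-01T08:00:00+00:00"},
    ],
    "tags": [],
})


def last_activity(export):
    """Most recent event timestamp, or None if the profile has no events."""
    stamps = [datetime.fromisoformat(e["created_at"]) for e in export.get("events", [])]
    return max(stamps) if stamps else None


def has_signed_up(export):
    """A SignUp event exempts the customer from the inactivity deletion."""
    return any(e.get("type") == "SignUp" for e in export.get("events", []))


def retention_status(export_json, now_iso):
    """Classify a profile under the 90-day default: 'retained' (SignUp seen),
    'scheduled' (deletion date ahead), 'overdue' (date passed), 'no_activity'."""
    export = json.loads(export_json)
    if has_signed_up(export):
        return "retained", None
    last = last_activity(export)
    if last is None:
        return "no_activity", None
    deletion = last + timedelta(days=RETENTION_DAYS)
    now = datetime.fromisoformat(now_iso)
    return ("overdue" if now >= deletion else "scheduled"), deletion.isoformat()
```

Run it against a real export to see which profiles will disappear under the default and which are protected by a SignUp event.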
Important restrictions
- No sensitive personal data: We strongly recommend against storing the following in the CMS:
  - Financial information like credit card details or bank account numbers.
  - Health or medical information.
  - Racial or ethnic origin.
  - Political opinions or religious beliefs.
  - Biometric or genetic data.
- No personal data in Assets: Don’t store personal data inside uploaded assets (like images or PDFs).
Now that we’ve covered these ground rules, let’s look at some features and tools we provide to help you manage these responsibilities effectively.
Right of Access: Exporting customer data
To support the Right of Access, if customers request to access their personal data, you can either use the Prepr UI or the REST API to export customer data.
To export a single customer profile directly in Prepr, follow the steps below.
- Open the Segments tab to see All customers.
- You can search for the customer profile by their ID, email, or reference ID.
- Hover over the customer and click the icon to start the GDPR export.
A JSON file containing the full customer record with the following details is downloaded.
- personal details
- full address
- email address
- events (such as likes, views, bookmarks)
- tags
This export can be shared with the customer as part of a GDPR access request.
Right to Erasure: Deleting customer data
The right to erasure, also known as the “Right to be forgotten,” allows individuals to request the complete deletion of their personal data.
To delete a customer directly in Prepr, follow the steps below.
- Open the Segments tab to see All customers.
- You can search for the customer profile by their ID, email, or reference ID.
- Hover over the customer and click the icon to delete the customer.
All personal data for this customer is deleted immediately once you click the Yes, delete button to confirm.
This deletion is irreversible and removes the customer’s profile, events, and all associated personal data from Prepr CMS.
Right to Rectification: Updating customer data
The right to rectification allows individuals to have inaccurate or outdated personal data corrected.
To update a customer’s information directly in Prepr, follow the steps below.
- Open the Segments tab to see All customers.
- You can search for the customer profile by their ID, email, or reference ID.
- Click the customer to open the profile and click the Edit details button.
- Update the relevant fields, such as name, email address, or other personal details.
- Click the Save button to save the changes.
The corrected data is applied immediately and reflected across all systems that rely on Prepr.
Right to Data Portability
The Right to Data Portability allows individuals to obtain their personal data and reuse it for their own purposes across different services.
As described in the Right of Access section, you can simply use the GDPR export feature directly in Prepr.
How we comply with GDPR
We support GDPR compliance by implementing strong operational, security, and privacy measures as a processor. These include:
Processing instructions only
We process data exclusively based on your configured settings and documented instructions.
Data security
You can find detailed information on how we ensure data security with technical and organizational measures in our trust hub. At a high level, this information includes the following points.
- Encryption at rest and in transit
- Access controls, such as SSO
- Logging and monitoring
- Secure infrastructure
- Backup and disaster recovery
- Regular security testing
Sub-processors
We provide the following information on our sub-processors.
- a list of sub-processors
- their roles and data categories
- links to their compliance policy
EU data residency
We store and process all personal data inside the EU unless you explicitly approve otherwise.
Data breach notification
We notify you without undue delay (target 48 hours) if any personal data breach occurs. If you’re an Enterprise service level customer, we’re happy to make custom arrangements with you.
GDPR assistance
We support you by forwarding DSAR requests, helping with DPIAs where needed, and if you’re an Enterprise service level customer, we also provide documentation for audits and compliance checks.
End-of-contract data handling
We ensure the deletion or return of all personal data upon termination of the agreement.
Through these measures, we ensure all processing performed on your behalf meets GDPR requirements and follows the contractual obligations in the data processing agreement.