Breaking it down
Yotpo’s Data Processing Agreement details our comprehensive data policy. Because it can be a bit dry, we’ll break down the most important parts.
- For this guide we will use the term “merchant” to refer to a business that has entered into an agreement with Yotpo to use its services and “customer” to refer to the merchant’s customers
- This guide was written for our merchants. If you are the customer of a Yotpo merchant, and you have questions or concerns about your data, please contact the merchant directly
What personal data do we collect from your customers?
We process personal data relating to customers who purchase products and/or services from our merchants’ stores, or customers who submit reviews via the on-site reviews widget on our merchants’ websites. We also collect and process the contact information of our merchants’ employees, who serve as the points of contact with Yotpo’s Customer Success Managers.
Here is a list of the personal data that we collect from customers, and why we use it:
- Name: Enables us to personalize our communication with your customers and use a partially anonymized version of a customer’s name when they leave a review
- Email address: Enables us to communicate with your customers on your behalf
- Phone number: Enables us to contact your customers via a text message, a feature we have recently implemented
- IP address: Provides customer location information so that you can have better analytics about where reviews are originating
- Shipping address: Allows us to monitor the use of referral links as part of our rewards and referral program
In compliance with the principle of data minimization, we only collect, store, and process data that is absolutely necessary for carrying out the purpose for which the data is processed.
How long do we retain your customers’ personal data?
We retain the data only as long as is necessary for the purposes of processing the information, or as is required by applicable law.
Please note that applicable law in the U.S. requires us to be able to verify that all user-generated content displayed on our merchants’ sites is authentic and attributable to an actual person. Therefore, we retain the personal data of a customer who submits UGC for as long as the content is active in the Yotpo system or until removed in response to a valid request from a customer.
Where does this personal data go?
As soon as the data is submitted to Yotpo, it’s protected by secure data encryption protocols. This encryption occurs throughout data transmissions, including its transmission from your servers and your customers’ devices.
If you or your customers are located in the EU, the data transfer is protected by the Standard Contractual Clauses that we sign with our customers and partners, which addresses our adherence to privacy and security standards and practices.
Our data center is located in northern Virginia in the United States and is hosted with Amazon Web Services (AWS). While it’s hosted, all data is encrypted by AWS/KMS best encryption method. We also have a comprehensive Disaster Recovery Plan (DRP).
We can provide you with a copy of our SOC 2 Type 2 report upon request.
What do we do with the data?
Yotpo is committed to protecting the personal data that we process.
- We only share the data with the sub-processors mentioned in the following section
- We do not use the personal data for any purpose other than what is described in your agreement with Yotpo
- We do not sell the data that we receive from you or collect from your customers
Who do we share data with?
As part of operating procedure, Yotpo may share personal information about end users with some or all of the following Yotpo partners, depending upon which features you enable.
*Yotpo employees are only able to access your customers’ personal data when absolutely necessary (i.e. to resolve a support ticket). Each request for access must be approved by management on a case-by-case basis.
- Amazon Web Services (AWS): Hosts the content that Yotpo processes for customers
- SendGrid: Sends emails to your customers on your behalf
- Google: Displays customer reviews in your Google Seller Ratings and/or Google Shopping Ads. Google only receives your customers’ first name and last initial
- Segment.io: Keeps you updated about your customers’ submitted content and personal information, providing you with insights
- Customer.io: Keeps you updated about your customers’ submitted content and personal information via email
- ViSenze: Provides artificial intelligence-based visual search and image recognition to improve the shopping experience for your customers by identifying additional products that appear in the images displayed on your website
- Qubole: Provides a cloud-based platform for data processing and data analytics
- Looker: Provides you with advanced data analytics and business metrics dashboards
- Tableau: Allows Yotpo to develop data analytics dashboards for processing and displaying your data
- Bazaarvoice: Yotpo distributes customer reviews across a network of retail partners through a syndication partnership with Bazaarvoice, Inc. This relationship is subject to a separate agreement between you and Bazaarvoice
If you’re using our SMS service (SMSBump), we also share your customers’ personal data with the following partners, all of which provide features and service to allow communication with customers via SMS, chat, and voice:
- Intercom: A marketing and support software service provider which we use to communicate with you
- Twilio: Provides features and services to allow communication with customers via SMS, chat, and voice
- Nexmo: Provides features and services to allow communication with customers via SMS, chat, and voice
- Bandwidth: Provides features and services to allow communication with customers via SMS, chat, and voice
Additionally, we share your employees’ personal data with the following partners:
- Customer.io: A cloud email services provider which uses your employees’ behavioral data for targeted email communications
- Zendesk & Salesforce: Customer relations management software and a customer support platform that enable us to support and manage our relationship with your team
For more information about our sub-processors, please see the full list here.
How are we supporting your management of customers’ privacy rights?
Right of access: Your customers may ask to access any of the personal data your company keeps. To that end, we’ve developed a new API to probe our systems and verify if Yotpo processes any data related to a specific user. This API also enables you to retrieve this data via a secure email from Yotpo once requested.
Right to rectification: Your customers have the right to change or amend any inaccurate personal data that a merchant may be storing. Yotpo’s Support Team has undergone specific training to help you fulfil these requests if and when they come in from your customers.
Right to erasure: Certain privacy laws allow for customers to request that you remove their personal data from your records. As your user-generated content partner, we have built a functionality to erase your customers’ personal data quickly and easily on request. For more information, contact our Support Team or your Customer Success Manager.
Laura Doonin, Commercial Director
