Privacy, Security and Compliance
      Back to home
      1. Success center
      2. Privacy, Security and Compliance

      Trendemon's GDPR Compliance

      We believe that customers should be able to control their data and trust that information is protected when stored on its servers. To support this, TrenDemon holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation (GDPR).

      The following serves as an overview of the key information about the GDPR and the services that TrenDemon provides that align with the regulation.

      What is the GDPR?

      The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the European Union (“EU”) that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. The GDPR goes into effect on May 25, 2018.

      How does GDPR impact TrenDemon and its customers?

      The GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use, of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of the GDPR. Additionally, the GDPR defines personal data very broadly and includes name, email, demographic information, real-time location, online activity, and health information, to name a few. As the leading user analytics platform, TrenDemon receives billions of data points from all over the globe, including data points that are or contain personal data from data subjects. This means that both TrenDemon and our customers, who send us data will need to comply with the requirements of the GDPR.  

      Is TrenDemon collecting data?

      As defined between TrenDemon and our customers, TrenDemon is the “data processor” and the customer is the “data controller”, as such terms are defined under the GDPR. The data controller collects data from our data subjects (i.e. a customer’s end users) and says how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

      Will TrenDemon be compliant with GDPR?

      Yes.  TrenDemon is committed to complying with GDPR and enabling our customers to comply with GDPR. TrenDemon has an ongoing commitment to providing leading data protection to our customers. We maintain a robust privacy and security program that we continually assess and improve to meet the needs of our customers and to maintain industry leadership in data protection among product analytics companies.

      Will TrenDemon enter into a Data Processing Agreement (“DPA”) with me?

      Yes. We understand the GDPR has robust requirements and obligations for both data collectors and data processors and we are committed to helping our customers use TrenDemon in a compliant manner. We have made our DPA available online so that our customers can be confident that their data is processed in a lawful manner.

      Supporting Data Subject Rights

      As controllers of personal data, TrenDemon and its customers must uphold certain rights as stated by the GDPR, including:

      Right to Access and Data Portability

      TrenDemon will support individuals’ right to access and the right to portability of their personal data through individual export requests. Any TrenDemon account holder will be able to request an export of one’s own personal data, as well as the personal data of their own end-users. The process for submitting individual personal data export requests will be made available upon request.

      Right to Deletion

      We plan to support individuals’ right to erasure through a permanent deletion of personal data upon request. Requests for deletion of one’s own personal data or the personal data of end-users will be accepted by request.

      Right to Object

      Our customers control what data is sent to TrenDemon, and may decide to halt the sending of personal data at any time. To assist with supporting individuals’ right to object to the collection of one’s personal data, TrenDemon also has built dedicated methods for our client-side SDKs that can be used to opt end users out of tracking.

      TrenDemon collects information about how customers use the product and use this data to identify product gaps and improve existing products. While this information is useful, TrenDemon recognizes the importance of an individual’s right to object.  TrenDemon has therefore streamlined opt-out systems for its customers, and starting May 25th they will be able to opt-out of tracking by request.

      Privacy by Design

      TrenDemon builds products with privacy and security as central parts of its design. See the information below for more details about the safeguards that TrenDemon puts in place to protect customer data.

      Incident Response

      • TrenDemon takes the safeguarding of personal data seriously.
      • Any data breach may impact TrenDemon’s customers as well as their customers and prospects.
      • The responses listed within TrenDemon’s response plan are in accordance with the timeframes of the GDPR regulations.
      • In case of a suspected data breach, TrenDemon shall notify the affected customers (as defined below) and the appropriate Supervisory Authority.
      • All suspected data breaches shall be recorded on a TrenDemon log at the time of the discovery of the suspected data breach.
      • Suspected data breaches shall trigger by an employee an email alarm to Trendemon security managers.
      • The email subject is **Suspected Data Breach ** and shall detail the reason for the suspicion.
      • The employee will immediately follow up with a phone call to verify that Trendemon security managers have received the alert.
      • The security manager or in his absence, any employee selected him/her shall:
        • Try to ascertain the breach. If unclear, the security manager shall have the final say as to whether there is a reason to believe that a data breach has occurred.
        • The security manager shall document in the log his decision and the reasoning behind it.  
      • If the security manager decides that a breach has likely occurred the following steps shall be taken immediately:
        • Determine what data was compromised.
        • Whether  that data was encrypted
        • The potential TrenDemon customers that may have been affected by the data breach
      • Trendemon customers relations person shall notify immediately the TrenDemon customers that were impacted by the suspected data breach with the following information:
        • Time of discovering of a suspected data breach
        • The customers of the TrenDemon Customers whose personal data information may have been compromised
        • The nature of the data that has been compromised.
        • What remediation actions TrenDemon is doing to prevent the recurrence of similar data breaches

      Sub-processors

      1. All agreements with Controllers shall mention explicitly the use of Amazon Web Services as a TrenDemon Sub-processor in the Processor contract with Controller. This is mentioned explicitly in the standard TrenDemon contract in Annex 1
      2. If TrenDemon is connected to a customer’s Marketing Automation Platform (Marketo, Pardot, HubSpot, Act-On, or IBM), TrenDemon shall mention explicitly the integration with the Marketing Automation Platform in Processor Contract with Controller.
      3. All new 3rd party software used by TrenDemon shall require written approval by Trendemon’s security manager as not being a TrenDemon Sub-Processor for GDPR purposes.
      4. As of May 1st, 2018, the only TrenDemon subprocessor is Amazon Web Services. Accordingly, all TrenDemon data processing agreements with Controllers shall be checked that they comply with AWS.
      5. In addition, TrenDemon shall explicitly notify the Controller on the use of AWS.

      Data Retention Policy

      Introduction

      At Trendemon, we are committed to safeguarding the privacy and personal data of our business clients and their end-users while providing an exceptional website personalization experience. This Data Retention Policy outlines our practices for the collection, storage, and deletion of personal data on our platform and sets forth Trendemon’s guidelines on data retention and is to be consistently applied throughout the organization.

      Trendemon strives to ensure that data is only retained for the period necessary to fulfill the purpose for which it was collected and is fully deleted when no longer required. 

      Purpose

      The purpose of this policy is to establish guidelines for the retention and disposal of personal data collected through our platform, in accordance with data protection regulations, including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

      Scope

      This policy applies to all personal data collected, processed, and stored by Trendemon in the course of providing services through our platform.

      Data Retention Periods

      Trendemon will retain personal data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or contractual requirements. The specific retention periods are as follows:

      1. Personal data used for personalization and analytics purposes: retained for the duration of the active account.
      2. Data of customers that have stopped using the service will be retained for a period of up to 90 days. Additionally, customers' data can be deleted by request to Trendemon.
      3. Website events such as clicks and page views older than 5 years are automatically deleted on an ongoing basis from all projects.
      4. Client account and contact information: retained for the duration of the business relationship and an additional 12 months after its termination.
      5. Billing and financial information: retained for a minimum of 7 years, as required by applicable tax laws and financial regulations.

      Data Deletion and Disposal

      Upon reaching the end of the applicable retention period, personal data will be securely deleted in a manner that ensures the data cannot be reconstructed or re-identified.

      Data Subject Rights

      Data subjects have the right to request access, rectification, erasure, or restriction of processing of their personal data held by Trendemon. To exercise these rights, data subjects should contact privacy@trendemon.com  .

      Policy Review

      This Data Retention Policy will be reviewed and updated periodically to ensure it remains compliant with current data protection regulations and industry best practices.

      Contact Information

      For questions or concerns related to this policy or our data protection practices, please contact our Data Protection Officer at dpo@trendemon.com.

      Additional Information and Resources

      Data Processing Addendum

      TrenDemon has updated its DPA to ensure compliance with all GDPR-specific requirements. This supplements TrenDemon’s Terms of Use and provides contractual safeguards to its customers for the processing of personal data sent through TrenDemon. The DPA enables TrenDemon’s customers to comply with the GDPR.

      Data Protection Officer

      TrenDemon has a dedicated Data Protection Officer (DPO), along with a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using TrenDemon.

      If you would like to reach our DPO or have or have follow-up questions please reach out to us at compliance@trendemon.com.