MoEngage and GDPR

At MoEngage, we are committed to GDPR compliance and to helping our partners achieve it. We firmly believe in respecting the privacy rights of our partners and their users. MoEngage has carried out the necessary changes to its platform to meet GDPR standards worldwide, and we will continue to invest in industry-leading data privacy initiatives.

How MoEngage supports GDPR compliance for our partners

What is MoEngage’s take on GDPR?

At the outset, GDPR may look intimidating, as it makes it harder for marketers to access user information. However, it also provides marketers with an opportunity to reconnect with their audience and strengthen the brand-consumer relationship. Take the opportunity to inform users of the data you collect and how you use it, and make them aware of their rights, which can be reassuring and builds trust.

How does GDPR apply to MoEngage?

When MoEngage clients use our platform, those clients are the controllers and MoEngage is a processor, which means that MoEngage will follow the instructions of its clients when it comes to the processing of personal data on their behalf. However, MoEngage is the controller when it comes to personal data that it collects from its employees (well, the employees who are EU citizens) and from EU citizens who visit the MoEngage website or have their data collected in other ways through our marketing programs.

MoEngage’s commitment to data security and privacy

At MoEngage, we believe in “security by design,” meaning that we have built security into the core of our product and have made it a key focus area since day one. MoEngage’s security by design committee meets on a regular basis to review, discuss and implement privacy principles in the design and development of the features, functionalities, and operations of MoEngage. The committee includes manager-level employees from the product, engineering and operations organizations, together with MoEngage’s privacy and security teams.

How do we enable our customers to be GDPR compliant?

As a data processor, MoEngage is focused on automating, as much as is technically feasible, the ability of its clients to comply with the rights of EU citizens. For instance, MoEngage has already updated its platform so that clients can respond to requests of individual data subjects. MoEngage already provides a way for customers to export user data. If required, clients can raise a support ticket to delete customer data on demand.

Rights of Users

Under GDPR, citizens of the EU have the right to consent to, reject, erase, and control the personal information companies collect for business purposes. In general, it provides users with more freedom and control over what information they share with companies and how companies can make use of it.

  • Right to be informed

    What does this mean?

    The GDPR places emphasis on how data controllers handle users' personal data. Under GDPR, data subjects need to be made well aware of how brands collect, store, and process critical customer data.

    MoEngage recommendation

    Under GDPR, MoEngage customers, as Data Controllers, must provide mechanisms that enable Data Subjects to understand how their personal data is being collected and processed. Many Data Controllers fulfill this obligation by means of a privacy notice on their website. Data Controllers are also required to ensure that users of their products and services have easy access to the privacy policy. Additionally, your privacy policy should disclose that you may share personal data with third parties who may process that personal data on your behalf, and provide sufficient disclosure about that processing so that the Data Subject is informed about what you and your Data Processors will be doing with personal data.

  • Right to Access

    What does this mean?

    The data subject under GDPR has the right to:

      • Confirmation that their data is being processed;
      • Access to their personal data; and
      • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see GDPR Article 15).

    How is MoEngage compliant with this right?

    As a data processor, MoEngage has established mechanisms that help customers, as data controllers, access specific information about data subjects. MoEngage customers can download data for particular users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard.
    For more information on this, you can refer to our help article.

  • Right to Rectification

    What does this mean?

    Data subjects, under GDPR, are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible.

    How is MoEngage compliant with this right?

    MoEngage customers can update the user data of specific users in MoEngage by using one of our data import APIs. These are enabled by default for all clients and can be used whenever an end user requests that their information be updated. For information on the MoEngage Data Import API and how to update user data in MoEngage, please refer to the docs here.

  • Right to Erasure

    What does this mean?

    The Right to Erasure, also known as the ‘right to be forgotten’, allows users to have their data removed from specific systems used for processing or holding their data. As a MoEngage customer, your end users can ask you to erase their personal data.

    How is MoEngage compliant with this right?

    To help MoEngage customers delete the personal data of users from the MoEngage database, we recommend the following two solutions:

    1. An Erase API is available that erases the personal data of specific users entirely from within MoEngage. For more details on the delete API, you can refer to this article. Please note that deleting the data does not automatically stop the processing of additional data that you send to MoEngage for a given user.

    2. Alternatively, you can ask your end users to uninstall the app from all their devices.

    Deleting a user from the MoEngage platform will permanently remove the user profile for that particular user. This includes all personal data as mentioned under GDPR guidelines.

    Analytics within MoEngage is tied to an anonymous MoEngage User ID. Once the user profile is deleted, the MoEngage User ID effectively becomes a wholly anonymized identifier, as we cannot tie it back to any personally identifiable information.

  • Right to Restriction of Processing

    What does this mean?

    Data Subjects have the right to ‘block’ or suppress processing of specific subsets of their personal data in the event of inaccurate or improperly obtained data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.

    How is MoEngage compliant with this right?

    MoEngage SDKs are shipped with the functionality to suppress tracking of personal data for a particular user. As of now, we cannot suppress the tracking of specific categories of data, but we will stop tracking all data entirely. For more information on disabling data tracking from the MoEngage SDK, you can refer to this implementation doc.

  • Right to Data Portability

    What does this mean?

    The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

    How is MoEngage compliant with this right?

    As with the Right to Access, MoEngage customers can easily download the data of specific users based on any user identifier. MoEngage dashboard users with Admin and Manager access can download user data directly from the dashboard. For more information on this, you can refer to our help article.