1. Introduction
This document provides you, our client with background information on and recommendations in relation to the use, privacy and protection of Customer Data within a Mobile App and in particular in the context of Pulsate.
In relation to our client’s use of Pulsate, Customer Data means any electronic data/information in relation to your customers and mobile app users, uploaded by or for you via Pulsate or collected and processed for you using Pulsate.
2. Responsibilities
As Data Controller, you are solely responsible for the accuracy and quality of all Customer Data and for establishing all terms and conditions applicable to your customers and/or mobile app users, including obtaining relevant permissions for the use, transmission and third party storage of their data related to their use of your Mobile App and Pulsate. For a complete list of responsibilities, you should refer to the website of the relevant Information/Data Authority in your country or state. In Ireland it is https://www.dataprotection.ie/
As a Data Processor, Pulsate must only process personal data on the instructions of the Data Controller. Pulsate must keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor. Pulsate is registered as a Data Processor (Registration Number 15924/A) with the Irish Data Protection Commissioner (www.dataprotection.ie).
3. Mobile App considerations
To ensure the proper permissions are obtained and that your customers/mobile app users are clear on handling and use of their personal data, there are two areas of action that you should undertake:
3.1 Mobile App Download
When downloading your mobile app with Pulsate integrated, your customers/app users will be asked to grant various permissions i.e. to allow Push Notifications, share Location and turn on Bluetooth. You can encourage users to accept these permissions by clearly explaining the benefits that the user will get e.g.
“Receive messages from us that are relevant to your interests, likes and past-purchases”
“Learn more about our latest offers while in-store”
If a customer/app user chooses to not accept any permissions, the services that they have refused to accept will not be available to Pulsate. For instance, if a user does not accept the push notification permission, you will not be able to send them push notifications through that app. Therefore, it is extremely important that you explain the benefits to the user of accepting the permission so that they understand what they are being asked and why they should accept it.
If users grant permission and later decide to withdraw their permission, they can turn off these functions in their device settings.
Please note that in the latest version of Android (6.0 and above), there is a new provision to enable app developers to ask for permissions in much the same way as currently happens on iOS. On Android 6 and above, you can ask for permission when the functionality is required by the app. In previous versions of Android, the user had to accept all permissions before downloading the app from the Play store or they were unable to download the app.
3.2 Mobile App Privacy Policy
Similar to your Website Privacy Policy, your mobile app should also feature a relevant statement in this regard. You should of course seek legal advice on this. It is likely to be similar to your website Policy, but should also contain mobile app specific provisions. Within the Mobile App, you should include a Privacy Policy/Terms & Conditions (if the app has a signup screen, this would be the best place to have a link to your Privacy Policy/Terms & Conditions). This should contain adequate explanation of the handling and use of their data, their rights and actions they can take.
Explain how you will use your customers’/app users’ data and of course the benefits that they will get by downloading and using the app. You should explain that by downloading your app they agree to e.g.
“use of your data as set out below (subject to the preferences you indicated when registering for the App).”
An important point to bear in mind is that If you pass a customer/user’s email address (that is used in connection with a Social Media Account/profile) to Pulsate, it will attempt to fetch and store additional parameters from various social networks, that can help you understand your customers better and greatly enrich your Pulsate experience. You will need to seek their permission to this also at onboarding stage.
It should contain a statement in relation to respecting their privacy and that you will protect the confidentiality of their personal data.
Give examples of what you mean by their personal data. Also you should refer to usage data re downloads, logins and use of the app.
“Use will include type of mobile device and operating system you use, a device identifier, IP address, IDFA, identity of your network operator, current location data (if you have enabled this for the App) and sessions (when you have the App open in either the foreground or background) which we may use to generate statistical usage data relating to the App.
Refer back to permission (if provided) to use location services which may be based on Geofences or Beacons ( e.g.“hardware devices situated in-store”)
Explain in more detail how you will use their data, describing benefits:
- Register you for special offers
- Register you for loyalty scheme
- Provide product information
- Understand your interests based on in-app behaviours to improve our products and services
- Inform you of new products, promotions and other offers
You should inform them that you will share their data with selected third party providers who you use to process data to offer these services.
You may want to include other elements from your Website Privacy Policy/Terms & Conditions that you or your legal advisors deem appropriate such as right to receive information on their data that you hold and their ability to request that they receive no further marketing messages through any channel.