Compliance

Our goal is to provide everything your legal team needs. Contact support@rb2b.com with questions.
Privacy FAQs

We know the landscape of privacy compliance and laws is evolving and changing at a rapid pace. We work hard not only to keep pace with these laws, but also to provide information and solutions for our customers to do so as well.

Thus, we provide the below answers to common questions that our customers ask – we hope you find them useful, and we are always available to confer with our customers about privacy and compliance solutions.

1. Question: Does GDPR apply to Retention.com?

No. Our database of personal information only contains profiles that have been matched to US home addresses, and we use IP ringfencing to only resolve US traffic. In legal-speak, we do not have a product that is intentionally or deliberately focused on providing marketing intelligence to the European or U.K. market.

2. Question: What about U.S. state privacy laws, like the California CCPA and CPRA, and similar laws in Colorado, Virginia, Connecticut and other states? Do those apply to me, and what do they require?

These state laws may apply to you, if you handle substantial amounts of data, have sufficient revenue, and have consumers in the relevant states.

These laws provide consumers a number of rights, and require a variety of disclosures. For instance, California law requires:

  • Website disclosures to indicate that you’re “sharing” personal information – which under California law means that you’re engaging in behavioral or “cross-contextual” advertising, such as our service or other types of retargeting. You can learn more about these disclosures at https://oag.ca.gov/privacy/ccpa/iconsdownload, and other linked pages.
  • Also, a way for consumers to “delete” or “access” the data you have about them.
  • And sometimes, particular contractual terms that apply to your “third parties” or “service providers.” (We provide template terms that do this, which we also describe below.)
  • You should also describe in your privacy policy how you use your customer’s information, and your website cookies, to advertise and market. We have provided recommended language to insert into your privacy policy below. (We of course advise that you talk to your own privacy counsel – our recommendations aren’t a substitute for customized legal advice that you might require.)

“When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or online profiles. We (or service providers on our behalf) may then send communications and marketing to these emails or profiles. You may opt out of receiving this advertising by visiting https://app.retention.com/optout”.

3. Question: How does Retention.com help its customers comply with California’s privacy laws (CCPA/CPRA), and similar state privacy laws?

Retention.com provides a consumer “opt out” page, which its customers can easily link to, at https://app.retention.com/optout. We also provide a Data Protection Addendum, as required by some state privacy laws, which sets out the parties’ respective rights and obligations under those laws. As noted above, we also provide sample language for our customers to insert into their privacy policy, which describes our service.

4. Question: Am I required to comply with the CCPA/CPRA, and other state laws?

You might not be. These laws don’t apply to every company – each of them contains a “small business” exemption that in many (not all) cases exempts companies below a particular revenue threshold. In California, for instance, many companies with under $25 million in revenue are not subject to most of the California “CCPA” and “CPRA” privacy requirements. (But even if these laws don’t apply, some companies implement privacy disclosures and consumer choice options to ensure transparency to consumers, and simply as a consumer courtesy.)

5. Question: So, is Retention.com “permission-based” marketing?

The objective of Retention.com is to help companies market to consumers who have shown interest in their products. We consider that interest-based marketing. It’s also true that consumers in our database have agreed to provide their information for third party marketing, as a general matter – and many consider that “permission-based” as well.

But even with an “opt-in” at our disposal, we still think it’s important that consumers whose data we release have shown interest in a brand, generally by visiting their website, placing a product in their cart, or some similar activity. Consumers who have done that have shown a level of interest and trust in a brand, product or service, and are unlikely to be put off by a continuation of that marketing conversation.

6. Question: We try to be legally conservative – we don’t like getting consumer complaints and want to be “privacy-forward.” Anything else I should do to comply with privacy laws and consumer expectations?

As we’ve noted above, some customers include a website banner notice to explain to their site visitors, in a robust way, how cookies and similar technologies are used for marketing. Thus, we provide recommended language for these customers to use in such a banner, and also to insert into their privacy policies (see #2).

7. Who can answer any additional privacy questions that we (or our lawyers) may have?

You can contact our support any time at support@retention.com. We also have outside privacy counsel available to consult with your own attorney, regarding contracting, privacy and disclosure matters.

Information Security Addendum

Vendor has established and agrees to maintain a written information security program (the “Information Security Program”) designed to comply with this Information Security Addendum and applicable Data Protection Law. Terms not defined herein have the meaning set forth in the rest of the DPA.

As part of its program, Vendor has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Customer Data, including but not limited to:

Administrative and Organizational Safeguards
  • Vendor maintains policies and procedures for the security of Customer Data, including the following:
    ◦ Written information security policies that set forth Vendor’s procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
    ◦ Incident Response Plan, which sets forth Vendor’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
  • Vendor conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Customer Data.
  • Vendor regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
  • Vendor has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
  • Vendor maintains role-based access restrictions for its systems, including restricting access to only those Vendor employees that require access to perform the Vendor Services or to facilitate the performance of such Vendor Services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
  • Vendor periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Vendor employees that no longer need such access.
  • Vendor assigns unique usernames to authorized Vendor employees and requires that Vendor employees’ passwords satisfy minimum length and complexity requirements.
  • Vendor regularly provides training to employees, as relevant for their roles, on confidentiality and security.
  • Vendor requires relevant Vendor employees to acknowledge Vendor’s Information Security Program annually.
  • Vendor has a policy in place to address violations of its Information Security Program.

Technical Security
  • Vendor logs certain system activity—including authentication events, changes in authorization and access controls—and regularly reviews and audits such logs.
  • Vendor maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Vendor to suspicious network activity, and anti-virus and malware protection software.
  • Vendor has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
  • Vendor requires multi-factor authentication on its systems for administrative users.
  • Vendor conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
  • Vendor remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, transmitting, or otherwise Processing Personal Data.

Physical Security
  • Vendor restricts access to its facilities, equipment, and devices to Vendor employees with authorized access on a need-to-know basis.
  • Vendor tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.

Subprocessors List

Amazon Web Services, Inc.

- Cloud Hosting Solutions: data processing, threat/security/vulnerability monitoring, and data storage (USA)

FullStory

- User support (USA)

Intercom.io

- User support, customer service, automated emails to customers (USA)

Hubspot

- User support (USA)

Redislabs

- Cloud hosting for Redis cache (USA)

Logz.io

- System and technical/developer logging management (USA)

NewRelic

- Technical solution reporting & monitoring (USA)

Sendgrid

- System-generated email message delivery (USA)

Twilio

- System-generated SMS delivery (USA)

Stripe

- Billing & payment processor and service, generating invoices, reporting and analytics (USA)

Baremetrics

- Reporting & analytics (USA)

Profitwell

- Reporting & analytics, revenue recovery (USA)

Salesforce

- Customer relation manager, reporting and analytics, automated processes (USA)