Privacy Policy

Information that we collect, store or process

As a rule, Constant Commerce does not collect and store personal information that is easily attributable to an individual user. When we handle your information, we usually do so on behalf of a business with whom you have an existing relationship, like a retailer you shop with, or a publisher you visit often. This privacy policy explains when and how we handle personal information. Starting with a simple explanation of some key concepts.

What is a cookie?

A cookie is a small data file, which may or may not include a unique identifier. Cookies are sent to your browser from a website and stored on your device. Their content can then be used by the website later in the current session or during future visits to the website (and under certain conditions, other websites too) to do things like recognise a user, recall their preferences, or record user behaviour.

What is a hash?

A hash is a long sequence of characters, usually numbers, that is generated when a formula is applied to a text string like an email address or password. It's not possible to work back from the hash to generate the original text string, so software developers use hashing to store a 'fingerprint' for a piece of information, without storing the information itself.

What is PII?

Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Why does Constant Commerce use cookies?

Constant Commerce uses cookies and similar technologies to personalise and optimise your shopping experience by remembering your preferences (such as store preferences). This means you don’t have to reselect your preferred retailer each time you return to your favourite sites or when you browse from one page to another. Cookies also make it possible to differentiate between separate users' activities so that we can better understand how groups of users with similar or differing requirements interact with our shopping tools, and helps us to improve the shopping experience. It’s important to note that we never use cookies to collect personal information about you.

For GDPR purposes, all websites that have our tools embedded on them are data controllers, and we are a data processor on their behalf. Our privacy policy governs how we process your data in a way that conforms to privacy and data regulations, but it's the controllers' privacy policies which govern how that data, which remains under their control when we've finished processing it, is handled in the long term. Our privacy policy is often cited by the data controllers that we work with, as a component of their overall privacy policy, relating specifically to the work we do with them.

As processors, we process cookies on behalf of these data controllers, making sure to always protect the rights of the data subject (the end user). We won't engage another processor without establishing that they will also protect the rights of the data subject, or without providing prior notification to the data controllers. We will always inform those controllers of any intended changes concerning the addition or replacement of other processors, giving the controllers the opportunity to object to such changes if they are concerned that the data subjects rights might not be appropriately protected under the proposed new arrangement.

Publishers

A 1st party host site running Constant Commerce tools could be a brand website (brand.com), a publisher website (publisher.com) or a retailer website (publisher.retailer.com, if a retailer is also a content publisher). These sites are all referred to below as publishers.

A publisher is always the controller and owner of the data that relates to your journey through their site, but until you interact with our tools, our tools don't make any contribution to the data that the publisher collects, stores or processes.

Once you do interact with our tools, the publisher owns the following data that our tools can generate:

  • User/session counts
  • Site-specific information on impression:
    • Page URL
    • Widgets on a page
    • Truncated IP addresses
    • Information related to your device
    • Browser type
    • High level timestamp

A ‘session’ is a standard browser session – e.g. it terminates when the browser tab is closed. User and session identifier cookies are only ever stored on the publisher.com website, so that the publisher has complete control over this data; they can turn these identifiers off, by overwriting these cookies if they wish to, which lets them opt specific users out of data collection if they choose to. Without these identifiers, our tools can then only collect and aggregate behavioural analytics using an anonymous ‘page impression’ identifier, that is reset on every page load, meaning the only data collected is aggregated, anonymous data with no relationship to an individual end user.

Retailers

When a retailer runs Constant Commerce tools at their website, this can result in cookies written by the constant.co or foodity.com domains, or in some cases, by the retailer domain directly. The same applies when our tools are embedded in publisher pages and the end user has selected a retailer preference.

Once you interact with Constant Commerce's embedded tools to select or confirm a store preference, the retailer is the owner of the behavioural and e-commerce data that is stored by us. No cookies are persisted on constant.co or foodity.com before you select your store preference.

The retailer owns the following data that is generated by end user interactions with our tools or with pages that include our tools:

  • Retailer preferences: branded state of side-drawer, buttons, etc.
  • The retailer shopping list identifier (for anonymous/pre-logged-in shoppers) *
  • Click-information relating to the retailer branded calls to actions (usually buttons)
  • Hashed email address (and a CRM identifier in the case of some retailers)
  • End user interaction and behaviour within our retailer-specific interfaces
  • The retailer e-commerce transaction data

*Our shopping list functionality is driven by a Constant Commerce API service called ‘cloudlist’ that allows you to add ingredients and products to a shopping list. By logging into your retailer account on any website that has integrated our tools, the cloud list services let you access your shopping list to add, edit and delete the items within it. The service also allows you to see a history of any of the products you have added to your online basket via our tools. If you have never interacted with or haven't opted in to this service, no retailer shopping list identifier cookie will be stored on your browser or device, even if you use our other tools.

Safari 11 and above

On browsers that offer limited support for third party cookies, e.g. Safari, when you opt to have your store preferences remembered across the web, we will also drop store preference cookies on the first party, i.e. the publisher. This allows store preferences to be remembered for more than 24 hours on these browsers.

Constant Commerce label

As you browse the Internet, you may see or interact with our tools embedded on host websites, and these may be labelled with “Constant Commerce”. This indicates that Constant Commerce widgets are being used to optimize your shopping experience on that website. It’s important to note that Constant Commerce does not operate or control the websites where our tools are embedded, so this Privacy Policy does not apply to your usage of those websites, only to your use of our tools at those websites. Retailers can choose to write end-user CRM identifiers as a cookie when their domain loads along with our tools, and that's also outside the control of Constant Commerce, and subject to the retailer's Privacy Policy. To see relevant Privacy Policy information, please refer to the Privacy Policies found at host websites and at retailers' websites.

When do we collect information?

We make a clear distinction between publishers and retailers, who are the controllers and the owners of any data we collect. If you don't interact with any of our widgets embedded on a publisher website, the only data that is generated by our tools are anonymous cookies owned by that publisher and subject to their Privacy Policy, and which are not shared with any other party. When you interact with our tools, and have opted into the services, we then drop retailer specific cookies, which become retailer owned data.

Constant Commerce only drops 2 cookies that are not specific to retailer and publishers:

  • We make a clear distinction between publishers and retailers, who are the controllers and the owners of any data we collect. If you don't interact with any of our widgets embedded on a publisher website, the only data that is generated by our tools are anonymous cookies owned by that publisher and subject to their Privacy Policy, and which are not shared with any other party. When you interact with our tools, and have opted into the services, we then drop retailer specific cookies, which become retailer owned data.
  • Constant Commerce only drops 2 cookies that are not specific to retailer and publishers:

Where do we store data?

Constant Commerce processes all EU-specific information on remote server sites in the EU, owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data.

We implement suitable measures to prevent these data processing systems from being used by unauthorized persons. We do this by:

  • Ensuring that employees who are entitled to use our data processing systems are only able to access data within the scope of and to the extent covered by their respective access permission (authorization). The access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities
  • Effective and measured disciplinary action against individuals who access data without authorization
  • Industry standard encryption
  • In the event of hardware, software, or network failure, platform services and control panels are automatically and instantly shifted from one facility to another so that platform services can continue without interruption

What we do to safeguard the data (against theft and fraud)

We have implemented reasonable security measures to protect the information end users have agreed to share with us. Careful use of encryption techniques in accordance with industry best practice (e.g. when dealing with retailer CRM IDs) is one of the methods we use. Given that webservices like ours are dependent on third party platforms and infrastructure, we can never absolutely guarantee the security of the information we collect, store and process against theft or fraud, but it is a primary company objective to always use the best tools and techniques available to protect the information.

Changes to this Privacy Policy

Constant Commerce reserves the right to change this Privacy Policy.

Contact information

In case of a question, complaint, request to update, change or delete any information, contact us at privacy@constant.co. Individuals can find out if we hold any personal information by making a subject access request under the Data Protection Act 1998 or, from May 2018 onwards, the General Data Protection Regulation. It should be noted that Constant Commerce never retains data that can be easily associated with an individual, but for any other data, we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible form.

Last updated May 2018