Information that we collect, store or process
What is a cookie?
A cookie is a small data file, which may or may not include a unique identifier. Cookies are sent to your browser from a website and stored on your device. Their content can then be used by the website later in the current session or during future visits to the website (and under certain conditions, other websites too) to do things like recognise a user, recall their preferences, or record user behaviour.
What is a hash?
A hash is a long sequence of characters, usually numbers, that is generated when a formula is applied to a text string like an email address or password. It's not possible to work back from the hash to generate the original text string, so software developers use hashing to store a 'fingerprint' for a piece of information, without storing the information itself.
What is PII?
Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
As processors, we process cookies on behalf of these data controllers, making sure to always protect the rights of the data subject (the end user). We won't engage another processor without establishing that they will also protect the rights of the data subject, or without providing prior notification to the data controllers. We will always inform those controllers of any intended changes concerning the addition or replacement of other processors, giving the controllers the opportunity to object to such changes if they are concerned that the data subjects rights might not be appropriately protected under the proposed new arrangement.
A 1st party host site running Constant Commerce tools could be a brand website (brand.com), a publisher website (publisher.com) or a retailer website (publisher.retailer.com, if a retailer is also a content publisher). These sites are all referred to below as publishers.
A publisher is always the controller and owner of the data that relates to your journey through their site, but until you interact with our tools, our tools don't make any contribution to the data that the publisher collects, stores or processes.
Once you do interact with our tools, the publisher owns the following data that our tools can generate:
- User/session counts
- Site-specific information on impression:
- Page URL
- Widgets on a page
- Truncated IP addresses
- Information related to your device
- Browser type
- High level timestamp
A ‘session’ is a standard browser session – e.g. it terminates when the browser tab is closed. User and session identifier cookies are only ever stored on the publisher.com website, so that the publisher has complete control over this data; they can turn these identifiers off, by overwriting these cookies if they wish to, which lets them opt specific users out of data collection if they choose to. Without these identifiers, our tools can then only collect and aggregate behavioural analytics using an anonymous ‘page impression’ identifier, that is reset on every page load, meaning the only data collected is aggregated, anonymous data with no relationship to an individual end user.
When a retailer runs Constant Commerce tools at their website, this can result in cookies written by the constant.co or foodity.com domains, or in some cases, by the retailer domain directly. The same applies when our tools are embedded in publisher pages and the end user has selected a retailer preference.
Once you interact with Constant Commerce's embedded tools to select or confirm a store preference, the retailer is the owner of the behavioural and e-commerce data that is stored by us. No cookies are persisted on constant.co or foodity.com before you select your store preference.
The retailer owns the following data that is generated by end user interactions with our tools or with pages that include our tools:
- Retailer preferences: branded state of side-drawer, buttons, etc.
- The retailer shopping list identifier (for anonymous/pre-logged-in shoppers) *
- Click-information relating to the retailer branded calls to actions (usually buttons)
- Hashed email address (and a CRM identifier in the case of some retailers)
- End user interaction and behaviour within our retailer-specific interfaces
- The retailer e-commerce transaction data
*Our shopping list functionality is driven by a Constant Commerce API service called ‘cloudlist’ that allows you to add ingredients and products to a shopping list. By logging into your retailer account on any website that has integrated our tools, the cloud list services let you access your shopping list to add, edit and delete the items within it. The service also allows you to see a history of any of the products you have added to your online basket via our tools. If you have never interacted with or haven't opted in to this service, no retailer shopping list identifier cookie will be stored on your browser or device, even if you use our other tools.
Safari 11 and above
On browsers that offer limited support for third party cookies, e.g. Safari, when you opt to have your store preferences remembered across the web, we will also drop store preference cookies on the first party, i.e. the publisher. This allows store preferences to be remembered for more than 24 hours on these browsers.
Constant Commerce label
When do we collect information?
Constant Commerce only drops 2 cookies that are not specific to retailer and publishers:
- Constant Commerce only drops 2 cookies that are not specific to retailer and publishers:
Where do we store data?
Constant Commerce processes all EU-specific information on remote server sites in the EU, owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data.
We implement suitable measures to prevent these data processing systems from being used by unauthorized persons. We do this by:
- Ensuring that employees who are entitled to use our data processing systems are only able to access data within the scope of and to the extent covered by their respective access permission (authorization). The access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities
- Effective and measured disciplinary action against individuals who access data without authorization
- Industry standard encryption
- In the event of hardware, software, or network failure, platform services and control panels are automatically and instantly shifted from one facility to another so that platform services can continue without interruption
What we do to safeguard the data (against theft and fraud)
We have implemented reasonable security measures to protect the information end users have agreed to share with us. Careful use of encryption techniques in accordance with industry best practice (e.g. when dealing with retailer CRM IDs) is one of the methods we use. Given that webservices like ours are dependent on third party platforms and infrastructure, we can never absolutely guarantee the security of the information we collect, store and process against theft or fraud, but it is a primary company objective to always use the best tools and techniques available to protect the information.
In case of a question, complaint, request to update, change or delete any information, contact us at firstname.lastname@example.org. Individuals can find out if we hold any personal information by making a subject access request under the Data Protection Act 1998 or, from May 2018 onwards, the General Data Protection Regulation. It should be noted that Constant Commerce never retains data that can be easily associated with an individual, but for any other data, we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of the information in an intelligible form.
Last updated May 2018