Zinrelo's GDPR Compliance

This document describes what Zinrelo has done to comply with GDPR that came into effect on May 25, 2018.

The EU's General Data Protection Regulation (GDPR) sets a new standard for how companies use and protect EU citizens’ data. It took effect from May 25, 2018. Later, the Schrems II judgement on July 16, 2020, affected how GDPR compliance was handled by companies. 

At Zinrelo, we’ve worked hard to comply with GDPR, to ensure that we fulfil its obligations and maintain our transparency about customer messaging and how we use data.

In GDPR terminology, Zinrelo clients who launch a loyalty program for their end customers are data controllers. They control what data is collected from the end-customer. Zinrelo is a data processor that processes data when explicitly instructed by the data controller. Zinrelo does store EU customer data on servers in the United States.

We worked with our teams and lawyers to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our clients have been asking us questions.

Here’s an overview of GDPR and how we, at Zinrelo, are ensuring GDPR compliance:

What’s GDPR?

The EU General Data Protection Regulation ("GDPR") is a new comprehensive data protection law that came into effect on May 25, 2018. It replaced an earlier EU Data Protection law to strengthen the protection of "personal data" and the rights of the individual. It is a single set of rules which governs the processing and monitoring of EU data.

Does GDPR affect me?

Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.

Is Zinrelo GDPR Compliant?

Yes, Zinrelo is GDPR compliant. All EU clients are covered by a Data Processing Addendum that includes exact Standard Contractual Clauses (SCCs) approved by the European Commission on June 4, 2021.

What is EU-US Privacy Shield Framework and Schrems II?

When GDPR came into effect, the EU-US and Swiss-US Privacy Shield Framework that was approved by the European Commission on July 12, 2016 was considered adequate to comply with the data protection requirements for transferring data from the EU to the United States. This framework is important to protect EU/Swiss companies who are transferring data to US companies holding EU data on servers in the US.

However, on July 16, 2020, the Court of Justice of the European Union issued a judgement declaring as "invalid" the European Commission’s Decision (EU) 2016/1250 of July 12, 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework. This was called the Schrems II judgment.

As a result of the Schrems II judgement, on June 4, 2021, The European Commission published the final version of the standard contractual clauses ("SCCs") that completely satisfy the GDPR requirements of the Schrems II judgement. These SCCs ensure GDPR compliance in the case of data being transferred from a Controller-Processor from the US to non-EU countries such as the USA.

How is Zinrelo ensuring GDPR compliance?

Our teams have worked hard to comply with GDPR. There has been a massive overhaul of processes to make sure we’re meeting our legal obligations, and doing the best thing for our clients while still letting us move fast, scale and build great products.

Here are the main things we have done to ensure that we are setting ourselves and our clients up to meet GDPR obligations:

We have built new features

Our teams have built the necessary features that will enable our clients to easily meet their GDPR obligations.

Zinrelo can help you meet your data portability requirements for GDPR. You can easily export all of your data or granular subsets linked to an individual and permanently all data linked to an individual user.

We have updated our Privacy Policy

We take the privacy of our users very seriously. We’ve recently made updates to our Privacy Policy to increase transparency and comply with the European Union’s General Data Protection Regulation (GDPR). We encourage you to read our policies in full, but here are some highlights of what’s changed:

  • added information to our Privacy Policy about the types of data we collect, how we use it, and the security measures we employ;
  • added new choices for users to manage their privacy, and
  • provides more details about data collection and your choices.

We have added a Data Processing Agreement (DPA)

Strong data protection commitments are a key part of GDPR’s requirements. To clearly outline our obligations to our Clients as a data processor, we have added a Data Processing Agreement to our Terms of Service. This DPA shares our privacy commitments and sets out the terms for Zinrelo and our Clients to meet GDPR requirements. This DPA also includes all Standard Contractual Clauses approved by the European Commission on June 4, 2021 to ensure GDPR compliance in case of Data being transferred from a Controller-Processor from US to Non-EU Countries such as the USA.

We have appointed a Data Protection Officer

We’ve a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch by emailing [email protected].

We have coordinated with our vendors (sub-processors)

We have reviewed our vendors and arranged GDPR-ready data processing agreements with them.

We have put in place strong information and data security measures

Data security is a priority for us. We have regular external audits, penetration tests, and bug bounties. 

Zinrelo is SOC 2 Type 1 Compliant. System and Organization Controls (SOC) are developed by the American Institute of CPAs (AICPA). SOC 2 defines criteria for managing customer data based on five "trust service principles"—security, availability, processing integrity, confidentiality, and privacy. Zinrelo's SOC Compliance indicates that Zinrelo follows the highest standards for protecting customer data.

GDPR Compliance

Zinrelo also employs a detailed Information Security Policy to ensure best practises for the protection of data. While we do not have official ISO certification, our Information Security Policy is modelled on the guidelines of ISO 27001 and ISO 27002 requirements. A copy of our Information Security Policy document is available upon request.

Should I add any verbiage to my website?

Our team has included some language that you could include in your privacy policy and your terms of service. Of course, it is difficult to create a one-size-fits-all verbiage. The needs of different clients tend to vary. Therefore, we recommend that you always review the suggested verbiage with your lawyers.

We are working hard to help our clients and prospective clients be GDPR compliant. Feel free to reach out to us at [email protected] if you have any questions about GDPR – we would be happy to chat about it.

Suggested Addition to your Privacy Policy

Add the following verbiage or something similar to clearly indicate to your users that you are using Zinrelo as a data processor for your loyalty program and passing information to Zinrelo. We recommend adding this verbiage in the section “Will my personal information be shared?” or “Do you plan to share my personal information?”

"Use of Zinrelo Services: We use third-party services such as Zinrelo to offer a loyalty rewards program and other services to you on our website. In particular, we provide a limited amount of your information (such as sign-up date and some personal information like your email address, name, phone number, social profiles and purchase data) to Zinrelo and utilize Zinrelo to show the rewards program and social components when you visit our website or use our product. As a data processor acting on our behalf, Zinrelo processes your information to display the rewards program data such as points earned, points redeemed, tiers, eligible rewards etc. We may also use Zinrelo to send you messages regarding the rewards program.For more information on the privacy practices of Zinrelo, please visit Zinrelo’s Privacy Policy. If you would like to opt out of having this information collected by or submitted to Zinrelo, please contact us."

Suggested Addition to your Terms of Service

Add the following verbiage to your Terms of Service to let your users know that when they log in or register on your website, they will receive the rewards program as an integral part of your site’s offering. This will eliminate the need to have a separate opt-in for the rewards program. It will also let the users know that the rewards program is powered by Zinrelo. When the users explicitly accept your terms of service, they also agree to the terms of the Rewards program, because that program is an integral part of your site. The understanding is that every user whether already registered or new registration, will be sent the updated Terms of Service.

"Inclusion in the Rewards Program: Our Rewards program is an integral part of our Site’s offering. By creating an account or signing in, you agree to be included in the Rewards Program to receive rewards for activities you do on our site and agree to the Rewards Program Terms (add a hyperlink to your Rewards Program Terms). We use third-party services such as Zinrelo to power this rewards program. For more information on the privacy practices of Zinrelo, please visit Zinrelo’s Privacy Policy. You may opt-out of the rewards program at any time by visiting your rewards program dashboard or by contacting us."