VWO Logo
Request Demo

VWO and the GDPR

VWO’s commitment to data privacy and protection

VWO has always honored its users’ rights to data privacy and protection. Over the years, we’ve demonstrated our commitment to this by consistently exceeding industry standards. We don’t need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. We have a privacy-conscious culture here, and GDPR is an opportunity for us to strengthen this even further.

What Is the GDPR?

The General Data Protection Regulation (GDPR) is one of the biggest legislative changes made since 1975. To be effective from May 25, 2018, the primary goal of these changes is the protection of personal data and rights of EU residents.

GDPR is an EU-wide privacy and data protection law that regulates how EU residents’ data is protected by companies and enhances the control the EU residents have, over their personal data.

The GDPR is relevant to any globally operating company and not just the EU-based businesses and EU residents. Our customers’ data is important irrespective of where they are located, which is why we have implemented GDPR controls as our baseline standard for all our operations. GDPR has taken effect from 25th May 2018.

Data Privacy and Information Security Certifications

We have been certified for the following certifications to ensure GDPR preparedness:

  1. ISO 27701:2019 Privacy Information Management System [PIMS] & GDPR Regulation ComplianceISO 27701 is internationally recognized and built as an extension of the widely-used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws.
  2. ISO 27001:2013 Information security management systems [ISMS]: ISMS ensures a systematic approach to managing sensitive company information so that it remains secure. ISMS includes people, processes, and IT systems by applying a risk management process.

VWO Embraces GDPR

VWO has put in place processes and procedures to comply with the various provisions of GDPR—data subject rights, GDPR core principles, data protection addendum, data deletion, data retention, and pseudonymization, which align with our core values of customer trust and data privacy.

What steps did VWO take to become GDPR- ready?

Over the last one year, we have covered a lot of ground toward understanding and analyzing how GDPR will impact our customers and making appropriate changes to our product and processes. This was made possible with the help of a focused group comprising experts on Corporate Security and Compliance and members from our senior leadership. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:

We have acted on many fronts to adhere to this new regulation.

  • We have raised awareness across the organization through frequent discussions in our internal channels, and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
  • We have assessed all Wingify products, individually, against the requirements of the GDPR and have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
  • We have constituted an Information Asset Register(IAR), which includes information on all the roles Wingify assumes, such as a data controller and processor. It details on various categories of personal data processed by our organization and which department is getting access to which data and for what purpose. It has a comprehensive coverage of all our processes and procedures.
  • We have assessed our sub-processors (third party service providers, partners) and streamlined the contract process with them to ensure that they have addressed the pressing needs of the current security and privacy world.
  • We have appointed internal privacy champions for all our teams. We have also appointed a Data Protection Officer (DPO).
  • Our application teams have embraced the concept of privacy by design and have provided you more control over the data you store in our systems. We constantly endeavor to provide you with more enhancements, which shall be rolled out in phases.
  • We have amended our Data Processing Addendum to be compliant with the data processing requirements of GDPR, Click Here.
  • We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who have worked out the solutions to the identified problems.
  • Based on the PIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks.
  • We have cleaned up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms.
  • When needed, breach notifications will be done according to our internal Breach Incident Response policy. Customers will be notified of a breach without undue delay and within the time frame required under Applicable Data Protection Law(s) to Customer’s Designated POC.
  • We have revised our Privacy Policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.

How VWO is Helping Businesses Become GDPR- ready

At VWO, we take utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working hard to ensure that our internal data practices are GDPR-ready, an equally important part for us is to assist our customers and partners in their journey toward compliance. With that in mind, we have introduced the following updates to the VWO platform:

  VWO Features How It Works
Storing and managing personal data for visitors Visitor Recordings

By default, VWO anonymizes all key presses to avoid storing or transmitting any personal or sensitive data on VWO servers. We’ve added new features to anonymize the following:

  • Hide all text in the html body.
  • Whitelist using CSS selector path: This option can be used to specifically anonymize or whitelist a input/non-input field or text labels.
  • Anonymize a specific element by using the nls_protected class.

Read more

Custom Dimensions

We have updated the process of creating custom dimensions in VWO to include the following new features:

By default, VWO will filter all incoming data for a custom dimension for personal properties like email address, credit card number, and others.

Users are recommended to encrypt all incoming data.

Read More

Location Information

Customers now can customize what location information of visitors is stored or completely disable storing any location information.

Read more

IP Address – By default, VWO replaces the last octet of IP Address with 0 before saving it. Customers can now customize this setting and disable storing the IP address.

Read More

Collecting Consent On-page Surveys

We have added the option to display a consent message at the beginning of each survey. The message can also include links to policies and other information.

Read More

Browser Privacy Settings

Customers can configure their privacy settings in the VWO app to stop recording any information of the website visitors who have “Do Not Track” settings enabled on their browsers.

Read More

Data Subject Rights Security Settings

Customers can request data for their website or mobile app visitors through a visitor’s UUID. A link will be generated by VWO that will collect all the data for a specific UUID or potential personal data such as URLs and visitor recordings for a defined time period.

Read More

Security Settings

Customers can request deletion of data for their website or mobile app visitors through their visitor’s UUID.

Read More

What We Are Doing to Ensure You Can Use VWO Product in a GDPR Ready Manner

The GDPR is focused on organizational compliance instead of product-level compliance. However, we attach the utmost importance on how we build our products and have adopted a Privacy and Security by Design approach. Our products are designed with privacy and security in mind and as a core component of our development process.

As a data controller, you will need to ensure you are compliant with your own obligations under the GDPR. However, if you buy a VWO product, we aim to ensure that you can use our product in a GDPR-Ready manner, helping you to satisfy your obligations under the GDPR. For example, we design our products to facilitate data minimization and provides better insight into and control over your data flows in order to make it easier for you satisfy your GDPR obligations as a data controller.

I am customer of VWO payment security. How I can rest assured that it is complying with the GDPR requirements around security?

VWO has strong security policies in place to comply with the GDPR. We maintain a high standard for security and have multiple third-party validations for many of our SaaS offerings. VWO payment security adheres to the strict PCI standards that include encryption of data in motion and data in rest. We maintain a robust incident response plan, reviewed monthly with annual table top exercises to ensure that we are prepared to respond to any security event. Should we experience a personal data breach that affects you, VWO will tell you without undue delay, to enable you to comply with your obligations under the GDPR.


What is GDPR?

The EU’s General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents’ personal data.

Who does it apply to?

GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

Where does the GDPR apply?

This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

What are the penalties for non-compliance?

A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

Who are the key stakeholders?

  • Data subject- A natural person residing in the EU who is the subject of the data.
  • Data controller- Determines the purpose and means of processing the data.
  • Data processor- Processes data on the instructions of the controller.
  • Supervisory authorities- Public authorities who monitor the application of the regulation.

What is personal data or Personally Identifiable Information (PII)?

Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender etc).

What does GDPR mean by “data protection by design and by default”?

Data protection by design means, ensuring only that personal data which is required is collected, and also incorporate privacy features and functionality into products and services from the time they are first designed.

Data protection by default means, businesses must implement appropriate measures to mitigate privacy risks at the time of collection of the data, as well us by extending it at the time of processing it.

What are the lawful bases the data controller can use to process customer data?

The data controller can choose from six data processing bases. These are:

Consent – Consent is also a lawful basis to process data. Consent of the data subject means “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Contract – This applies when you need to process the customer’s personal data to fulfill your contractual obligations, or to take some action based on the customer’s request (e.g. sending a quote or invoice).

Legal Obligation – This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).

Vital Interests – This applies to urgent matters of life and death, especially with regards to health data.

Public Task – This applies to activities of public authorities.

Legitimate Interests – Legitimate interests can include commercial interests, such as direct marketing, individual interests, or broader societal benefits. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.

What is LIA?

  • LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer’s personal data. The organization must also conduct an LIA to show that the processing is necessary.

  • The assessment of whether a legitimate interest exists. The establishment of the necessity for processing.

Where is my data located?

All VWO customer’s data reside in the US datacenters location.

Does the GDPR require EU data to stay in the EU?

The GDPR does not stop personal data from leaving the EU but enforces control requirements and mechanisms. Data transfers from the EU to outside can be legitimized in many ways. VWO uses the Standard Contractual Clauses as per Article 46-c to legitimize data transfers.

Where can I find additional resources on GDPR?

Here are some links you can refer to for additional reading on the GDPR:

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it will not require any enabling legislation to be passed by the government; meaning it will be effective from May 25, 2018.

Whom does the GDPR affect?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the location of the companies.

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

Please feel free to ask questions and share concerns with us at [email protected]

Last updated: Oct 15, 2018

Enterprise-Grade Data Security
You Can Trust

With certifications such as ISO 27001:2013 and ISO 27701:2019, VWO upholds a high level of data privacy and security, as expected by world-class businesses.


All you Need to Know About Conversion Optimization Get the Guide