Ensuring Compliance with use of Wingify Insights
Welcome to the Wingify Compliance Guide for Wingify Insights – Session recordings, a detailed resource designed to empower our valued customers with actionable steps for ensuring privacy and legal adherence when using Wingify Insights for visitor user session recordings. As a responsible Data Processor for your visitor/user data, Wingify is committed to providing support for your compliance efforts under data protection laws such as GDPR, IN DPDP, CCPA, PIPEDA, and more. This guide covers essential information, offering an exhaustive compliance checklist, in-depth considerations, and additional details to help you navigate the complex legal landscape especially when it comes to visitor user session recordings.
We at Wingify owe our growth to our customers and building their trust is our top priority. We understand the importance of data in today’s ever-evolving digital landscape and its significance to our customers’ operations and thus, keeping it secure and compliant is paramount to us.
Recent legal actions highlight the critical importance of meticulous compliance with privacy laws when employing session replay software. The main reason behind these lawsuits is not the “session replay software” itself but the lack of “legitimate grounds for processing of personal data” and non-adherence to privacy principles, typically Articles 5 and 6 of the GDPR in the EU and UK. It is mandatory to have a legitimate ground for the processing of personal data and to adhere to privacy principles while using session recordings. Consent is the legitimate ground in this case, and it is mandatory for all data controllers to show all data subjects a cookie notice and a privacy notice and to obtain the data subject’s consent for these things.
To fortify your position and ensure the utmost protection for both your users and your organization, consider the following detailed guidelines:
1. Understand Your Role:
- Recognize your role as the Data Controller while Wingify acts as the Data Processor for your visitor/user data.
- Understand the distinct responsibilities and obligations associated with each role.
2. Privacy Notice and Consent:
- Craft a detailed privacy notice on your website addressing the use of Wingify Insights and session recording feature.
- Clearly articulate the purpose, scope, and duration of data collection in your privacy policy.
- Implement a robust consent mechanism ensuring users are informed and have the option to opt in to or opt out of session recordings through a cookie consent mechanism.
- Users/Visitors can also opt out directly from the Wingify website with a single click; see https://wingify.com/opt-out/
3. Wingify Terms and DPA:
- Thoroughly review and understand Wingify’s Terms of Service (Wingify Terms) and Data Protection Addendum (Wingify DPA).
- Ensure your practices align with the contractual obligations outlined in these documents.
4. Default Anonymization Settings:
- By default, Wingify anonymizes all key presses to avoid storing or transmitting any personal or sensitive data to Wingify servers.
- For this, the Anonymize all key presses option in Recordings > Settings > Configuration is checked by default. With it enabled, Wingify anonymizes the following fields to avoid transmitting your personal data through Wingify servers: passwords, and three consecutive digits of phone numbers, credit card numbers, social security numbers, and CVVs.
- Confirm that the “Anonymize all key presses” option in Recordings > Settings > Configuration is enabled.
- Understand the nuances of default anonymization, including the masking of sensitive information such as passwords and numeric sequences.
5. Anonymization of Non-Input Fields:
- Understand the impact of anonymization on different types of non-input data.
- Despite the default setting for anonymizing keystrokes, you can provide additional protection by masking certain non-input fields where personal data could be visible, for example the order summary, the checkout page, and others. There are two ways to anonymize such non-input fields.
- Anonymization can be done by the owner and admin of the account; whitelisting can only be done by the owner.
- For complete details and procedures, refer to the KB article hosted at https://help.wingify.com/hc/en-us/articles/58760372362649-How-to-secure-your-visitors-data-in-Wingify-Session-Recordings
6. Regular Review and Update:
- Establish a periodic review process for privacy practices and session recording configurations.
- Stay informed about updates to Wingify features and adapt your configurations to align with evolving legal requirements.
- Establish a comprehensive review schedule, encompassing not only session recording configurations but also broader privacy practices.
- Engage your internal security and privacy teams to conduct thorough audits, ensuring a holistic approach to compliance.
7. Transparency:
- Provide detailed information about your use of session replay tools in your privacy policy, ensuring it is easily accessible to users.
- Clearly explain the benefits of session recordings and how they contribute to an improved user experience.
8. Consent and Cookies:
- Implement granular consent options, allowing users to choose the specific types of data they are comfortable sharing.
- Ensure compliance with applicable laws like PECR and GDPR by taking cookie consent for session recordings. Refer to the cookies stored by Wingify (Wingify Cookies) for detailed information.
- To comply with data protection policies, it is necessary to obtain the visitor’s consent before deploying any cookies or trackers that process their data. For this, you may be using third-party consent management tools such as OneTrust, Usercentrics, etc. Wingify communicates with cookie consent managers via a callback when the visitor accepts or rejects cookies, allowing you to run the SmartCode only on the basis of valid consent.
- For more details, please see https://help.wingify.com/hc/en-us/articles/58793817111961-Configuring-Wingify-SmartCode-for-Your-Website-s-Cookie-Consent
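The consent-gating pattern described above, as an added example that is not Wingify’s code and not taken from the KB article: the recording script is injected only after the consent manager reports an explicit, positive, unexpired grant for the relevant cookie category, and it is stopped again if consent is later withdrawn. The consent object shape, the category name `analytics`, the `window.onConsentChange` hook and the script URL are all assumptions standing in for whatever your consent manager and tracking tool actually expose.

```javascript
// Added example: consent-gated loading of a session-recording script.
// Assumed shape of the consent manager's callback payload:
//   { categories: { analytics: true|false, ... }, expiresAt?: <ms epoch> }
const RECORDING_CATEGORY = 'analytics'; // assumed CMP category covering session recording

// Pure decision function. Recording is allowed only with a strict boolean
// `true` for the category; missing, malformed, rejected or expired consent
// all deny, so the default is "do not record".
function recordingAllowed(consent, now = Date.now()) {
  if (!consent || typeof consent !== 'object') return false;
  const grant = consent.categories && consent.categories[RECORDING_CATEGORY];
  if (grant !== true) return false;
  if (typeof consent.expiresAt === 'number' && consent.expiresAt <= now) return false;
  return true;
}

// Gate that reacts to consent callbacks. `load` injects the tracking script,
// `stop` tears it down. Loading is idempotent: repeated "accept" callbacks
// load the script at most once; a later "reject" stops it once.
function createRecordingGate({ load, stop }) {
  let loaded = false;
  return {
    onConsent(consent) {
      if (recordingAllowed(consent)) {
        if (!loaded) {
          loaded = true;
          load();
        }
      } else if (loaded) {
        loaded = false;
        stop();
      }
    },
    isLoaded() {
      return loaded;
    },
  };
}

// Browser wiring; runs only where a DOM exists so the logic above stays testable in Node.
function injectScript(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = createRecordingGate({
    // Placeholder URL: substitute the SmartCode snippet URL from your account.
    load: () => injectScript('https://example.invalid/smartcode.js'),
    // Call the tool's own stop/opt-out API here if it provides one.
    stop: () => {},
  });
  // `window.onConsentChange` is an assumed hook; real consent managers expose their own event API.
  if (typeof window.onConsentChange === 'function') {
    window.onConsentChange(gate.onConsent);
  }
}
```

Because `recordingAllowed` is a pure function, it can be unit-tested independently of the consent manager, and the fail-closed checks (strict `true`, expiry) are the part worth reviewing in an audit of your cookie-consent integration.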
9. Limited Access:
- Implement robust access controls, ensuring that only individuals with a legitimate need can access and modify session recording configurations.
- Conduct regular access reviews to prevent unauthorized personnel from gaining access to sensitive data.
- All users in a Wingify account are assigned an access level that determines the actions they can perform in the account. As an account owner or administrator, you can change the access level of a user at any time. Refer to https://help.wingify.com/hc/en-us/articles/58797461251993-Modifying-the-Access-Permission-of-a-User for modifying, granting or revoking any user’s access permission.
By meticulously adhering to these procedures and guidelines and regularly reviewing and adapting your practices, you can ensure the responsible and compliant use of Wingify Insights. This not only safeguards your users but also strengthens your organization’s credibility in the digital realm. Remember, your commitment to privacy is a testament to your organization’s dedication to user trust and legal integrity.
Please note:
- This checklist and these procedures act only as a friendly guide and not as legal advice to our clients. Clients are advised to check with their in-house DPO, compliance team or attorney for legal advice.
- Wingify shall not be responsible for notifying any client about any update in the legal regime or any additions in their region-specific legal requirements.
- Wingify shall not be liable for any non-adherence to regional or sectoral law of the client’s jurisdiction by the client, as this guide is generic in nature and does not cover regional or sectoral compliance requirements.
- Showing a privacy notice and taking user consent is the responsibility of Wingify’s customer, as stated under 3.4 of the Wingify terms hosted at Wingify Terms and 2.2 of the Wingify DPA hosted at Wingify DPA.