of your mobile app or website users and what choices your users have with
respect to the information.
is an easy and effective way to ensure that you are covering key elements
Information Collection and Use
inform users about what kind of their personal information you collect and how
you are using that information.
Following is the checklist for this section:
- Do you require a user to provide personally identifiable information (Customer
Data)? If yes, which all information a user needs to provide? How are you going
to use that information?
Example of user information that you may be asking for could include name,
email, phone, date of birth, gender etc.
You may also collect user information if a user signs in to your site or mobile
app using Facebook, Google or Linkedin.
- There may be other types of information (Other Information) that you may
be collecting such as:
Services metadata: Example - content read, link clicked, time spent, files
shared, 3rd-party services used etc.
Log data: Example - user's IP address, browser type and version, pages visited
before using your website, browser configuration and plugins, language settings,
time spent, referrer, buttons and linked clicked etc.
Mobile device information: user's mobile devices (mobile and tablets) accessing
the website, including type of device, operating system, device settings, unique
device identifiers and crash data.
Location information: user's location information using IP address received from
the browser or mobile device.
- How you use user's information? Some examples are:
To provide, update, maintain and protect your website and mobile app including
service / product that you offer.
As required by applicable law, legal process or regulation.
To communicate with a user by responding to service requests, comments and
To develop and provide additional features and personalized search/suggestions
based on historical use and predictive models.
For billing, account management and other administrative matters.
To investigate and help prevent security issues and abuse.
- Put a disclaimer if you do not allow the use of your website or services by
anyone younger than 16 years old.
- Do you retail user's data?
- Is data retention based on time? For example - 3 months after a user deletes his
- Is data retention based on an event? For example - as long as you need to pursue
legitimate business interests, conduct audits, comply with legal obligations,
resolve disputes and enforce your agreements.
- Can a user customize his data retention settings?
- Do you collect user's information while browsing your site or using your mobile
- Example of user information that you may be logging are user's IP address,
browser type and version, pages visited before using your website, browser
configuration and plugins, language settings, time spent, referrer, buttons and
linked clicked etc.
- Do you set cookie to the user's laptop / mobile phone? Even if you use
third-party tools such as Google Analytics or Facebook Pixels, you are using
- Cookies are text files containing data that you specific to identify the user.
For example, you can set a cookie to check if a user has already registered on
your site and, if yes, you may want to show a different website home page.
- You may show explicit confirmation to a user to accept usage of Cookie. If a
user refuses, he may not be able to use some portion of your services. You may
use Cookie Consent notice as shown below:
- Do you share and disclose user information with third-party? If yes, put a
disclaimer such as:
Third-Party Services are not owned or controlled by you and third parties that
have been granted access to user Information may have their own policies and
practices for its collection and use. Please check the privacy settings and
notices in these Third-Party Services or contact the provider for any questions.
For example, you may be using MailChimp to collect email addresses from users
subscribing to your newsletter.
- Put a disclaimer if you need to share user information with your corporate
affiliates, parents and/or subsidiaries. If you enters into a merger,
acquisition, insolvency, dissolution or reorganization proceedings, or steps in
contemplation of such activities (e.g. due diligence), some or all user
Information may be shared or transferred.
- Put a disclaimer if you need to disclose or use aggregated or identified user
information for any legitimate business purpose. For example, you may want to
tell your prospective customers average time that a user spent in using your
- Put a disclaimer that if you receive a request for information, you may disclose
user Information if you reasonably believe disclosure is in accordance with or
required by any applicable law, regulation or legal process.
- Put a disclaimer to protect and defend the rights, property or safety of your
company or third parties, including enforcing contracts or policies, or in
connection with investigating and preventing fraud or security issues.
Compliance with GDPR
- Identify the Data Controller and Data Processor
For example, a user (the Customer) is the controller of Customer Data (defined
above) and you are the processor of Customer Data (defined above) and controller
of Other Information.
Do you have multiple legal entities to cater to customers from different
geographies? Identify controller and processor if that varies based on
geographies. For example, you may have a legal entity in Ireland that is
controller of Other Information and processor of Customer Data for customers
outside of the US and Canada. You also may have a USA entity that is controller
of Other Information and processor of Customer Data for customers in the US and
- Mention email of your Data Protection Officer
- Mention contact details of your Data Protection Authority in European Economic
Area for a resident user to direct his questions or complaints about your
- Mention how a user can access, update or delete his personal Information. For
example, you may have a settings page that a user can access after signing in to
data is well protected, but you may also want to note that no method is 100%
Here is an example disclosure: You work hard to protect users personal
information from loss, misuse and unauthorised access or disclosure. Given the
nature of communications and information processing technology, you cannot
guarantee that Information, during transmission through the internet or while
stored on your systems or otherwise in your care, will be absolutely safe from
intrusion by others.
Links to Other Sites
Do you link to other sites? If yes, put a disclaimer that you have no control or
responsibility towards those sites.
laws, regulations and industry standards evolve or your business changes. To
changes, he should deactivate his account and request for removal of his
Mention your email and/or postal address for a user ask any questions about your
Always use the clickwrap method to get your users to agree to your terms.
With clickwrap, a user is informed of the legal agreements and must take some
action that demonstrates that they're clearly accepting the terms.
Lets look at an example from Dropbox.com, which uses a checkbox for a user to
demonstrate that he has accepted the terms of Dropbox.com that includes its
If you are looking for insights on more contracts, check-out my blog at
Now I�d like to hear from you:
Which insights from today's post are you going to use in your review of Privacy
Are you drafting or reviewing any other contracts for new-age technology
Either way, let me know by leaving a comment below right now.