Data Processing
Outlined in this document is a concise overview of how modern data protection law (namely, GDPR) relates specifically to us as your data processor (or subprocessor).
The exact details can be found in the Terms of Service.
What personal data do we process and why
Our aim is to collect as little information (personal or otherwise) through you as possible, while providing a service that is secure, reliable, fast and accurate as reasonably possible.
This means we will only collect information about you if it is required to:
- Provide you access to our services
- Secure our services from malicious activity
- Measure the performance of our services (i.e. speed, reliability and accuracy) with a view to implementing improvements
As such, we currently only intercept the following datapoints:
- Address Queries
- Browsing Data (for client side integrations only)
- Sublicensee Data (for users of our Sublicensing Platform)
1. Address Queries
We store addressing query strings both in our server logs and for your retrieval via the /keys/:key/lookups
API.
This data is required in the short term reasons to perform our role in validating and cleansing addresses.
We keep this data for up to 28 days. This allows us to diagnose performance issues (i.e. slow running queries) and provide us with actionable data to improve our service. It is also a useful resource for clients integrating against the API or diagnosing buggy integrations.
2. Browsing Data
Browser Data is information included in HTTP requests sent to our APIs. This includes IP address as well as HTTP headers (language, user-agent, origin and refer(r)er being the most salient). Typically this data is stored in the form of server logs.
We only intercept this in the form of personal data if you have developed a client side integration. If you have a server or proxied integration, it is likely we capture no client Browsing Data.
Browsing data is collected short term for rate limiting and whitelisting purposes.
We also store this information for up to 28 days. We use it to analyse any suspicious activity and troubleshoot any issues. There are also a significant ad-hoc instances where being able to query over recent server logs has been immensely useful for clients with specific support requests.
3. Sublicensee Name and Address
For users of the Sublicensing Platform, we also need to store the names and addresses of sublicensed organisations and submit these to Royal Mail.
We are contractually required to preserve this information for 6 years.
Who are our subprocessors?
Click here for more information.