MAAPs obligations as a data processor in handling personally identifiable information (PII) are shaped by general data protection principles (including GDPR and CCPA) but also reflect industry-specific practices, including online tracking, customer profiling, loyalty schemes, and third-party integrations (like payment gateways and marketing platforms).
Secure Handling of Customer Data
- Use HTTPS for all transactions
- Store passwords using secure hashing algorithms
- Encrypt sensitive data both at rest and in transit
Transparent Data Collection & Consent
- Provide a clear privacy notice at the point of data collection
- Obtaining explicit opt-in consent
Customer Profiling and Behavioural Advertising
- Inform users of automated decision-making or profiling (e.g., product recommendations)
- Allow customers to opt out of profiling where required
- Use legitimate interest assessments (LIAs) or obtain consent for behavior-based advertising
Third-party Integrations & Data Sharing
- Conduct due diligence on any third-party services
- Ensure data transfers comply with cross-border regulations
- Disclose these integrations in our privacy policy
Data Subject Rights
- Provide access to customers to view profile and order history
- Provide access to customers to update personal information
- Provide mechanism to allow customers to request deletion of account and associated data
- Provide mechanism to allow customers to opt out of marketing or profiling
Retention & Deletion Policies
- Define and publish retention periods
- Securely delete or anonymise data when no longer needed
- Respect users' right to be forgotten
Security & Breach Response
- Maintain robust cybersecurity measures
- Monitor for unauthorized access to customer data
- Have a Data Breach Response Plan