Chameleon is committed to privacy and security and is GDPR compliant as of May 25th 2018. Learn more about our GDPR compliance here.
If you collect data about EU residents, you are likely to be considered a Data Controller under the new regulations. If you send that data to Chameleon, we become a Data Processor.
We are committed to making it easier for you to comply by fulfilling our obligations to you and your users.
Helping you inform and opt-in users
Chameleon can help you inform users inside your product, about changes to your terms or policies, and to collect opt-ins for data usage. To learn more see below.
Providing your users their individual rights
To be compliant, companies have to provide the following rights to their users. If you receive a request from one of your users as per these rights, then Chameleon will help you fulfill it within our system.
The right to be informed
Individuals need to be informed about the collection and use of their personal data in a clear and transparent way.
You can include the following information in your Terms & Conditions, your help articles or wherever else you include information about how you use your user data when dealing with Chameleon:
"We use Chameleon to help our users better learn our web application, using interactive product tours built with Chameleon. Chameleon provides an editor to build these tours, and also delivers them inside our application during their interaction. Chameleon does not automatically collect any personally identifiable information, and uses data we proactively send to Chameleon for the purposes of helping us deliver the right guidance to the right user at the right time. To learn more about Chameleon's security practices, cookie policies and regulatory compliance, please visit https://www.trychameleon.com/security."
The right of access
Individuals can request a copy of their personal data so they can be aware of / validate its lawful processing.
The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
The right to erasure (right to be forgotten)
Individuals can request the deletion of their personal data if it is no longer necessary (for the original purpose) or they no longer consent.
To delete any user data, either:
Email us at email@example.com (from the email address associated with your Chameleon account).
Use our API to automatically delete users. Read more here.
We will automatically delete all user data for all accounts that have not been active for 1 year. This is part of our data retention policy as outlined here.
The right to restrict processing
Individuals can request a restriction on the usage of their personal data (not erasure) if they believe it to be inaccurate or unlawfully processed.
If a user requests their data not sent to Chameleon please do not call
chmln.identify for their profile. Learn more about installing Chameleon here.
The right to data portability
Individuals are entitled to obtain their personal data (in a commonly used format) to reuse for their own purposes across different services.
If you receive a data request for user data sent to Chameleon, please download it via this API and send it to your user.
The right to object
Individuals can object to their data being processed for direct marketing or research.
Chameleon does not ever use the user data you send for direct marketing or research and will never sell that data to any other parties.
Rights in relation to automated decision making and profiling
Companies can only leverage automated decision-making (without the involvement of individuals) that create legal or similarly significant effects upon individuals in very limited and specific circumstances.
Chameleon does not make any automated decisions based on personal data that cause significant effects on individuals.
Data Processing Agreement
If you are a EU based customer then you may need to sign a Data Processing Agreement with us. To do so, please email us at firstname.lastname@example.org so we can send you a copy of this to sign.