At a glance
This policy is our playbook for protecting the data we handle for our clients and their customers. Here’s what you need to know:
Our #1 Job: We protect the privacy of our clients and their customers. Their trust is our most important asset.
Be a Minimalist: We only collect the data we absolutely need for a project, and we delete it as soon as we're done.
When in Doubt, Ask: If something feels off, or you're not sure, ask first. Send any questions to [email protected].
Spot & Report: If you see a weird email, click a bad link, or get a "delete my data" request, don't try to fix it. Immediately forward it to [email protected].
This policy explains how we protect the personal data we handle for our clients and their customers. Our goal is to be open, careful, and respectful with all data. This builds trust and is a core part of our promise to our clients.
This guide is for everyone at OnDigital, including:
All full-time, part-time, and temporary employees
All contractors and freelancers
All interns and volunteers
Let's keep these terms simple.
Personal Data: Any information that could identify a specific person. This includes a name, email address, phone number, IP address, or photo.
Processing: Anything we do with data. This means collecting, storing, using, sharing, or deleting it.
Data Subject: The person the data is about. This is the client, the client's customer, or a website visitor.
Data Controller: The company that decides why and how data is used. Sometimes this is us (OnDigital), and sometimes it's our client.
This is our promise. We will always:
Be Transparent: We will be clear and honest about how and why we use data.
Have a Purpose: We will only use data for the specific, approved reason we collected it.
Collect Less: We will only collect the minimum data we need for a project. This is called "data minimization".
Protect It: We will guard all data with strong security, like encryption, secure networks, and access controls.
Be Accurate: We will take reasonable steps to keep data accurate and up-to-date.
Not Be Hoarders: We will securely delete data when we no longer need it for the project or for legal reasons.
Honor Rights: We will respect everyone's privacy rights, including their right to see, correct, or delete their data.
This is what we need from you. You must:
Treat Data Like a Secret: Handle all client and customer data as confidential information.
Stay Trained: Complete your annual privacy and security training. This is mandatory.
Lock It Down: Use strong, unique passwords and two-factor authentication (2FA) for all your accounts.
Use Safe Storage: Only store client data on OnDigital's approved, secure systems (like our network drives). Never save customer lists or other personal data to your personal desktop, a USB drive, or a personal cloud account.
Report Incidents Immediately: Report any suspected data breach, lost laptop, or security incident to [email protected] right away.
Forward Requests: Forward any email from a person asking to "delete my data," "see my data," or "stop sharing my data" to [email protected] immediately. Do not try to handle it yourself.
We handle data in a four-step cycle.
Plan (Take Stock): Before you start a new project, you and your manager must confirm what data you need, why you need it, and how you'll protect it.
Collect (Scale Down): Only collect the minimum data needed for the task. If you don't need their phone number, don't ask for it.
Secure (Lock It): You must store the data on OnDigital's secure servers. Our security team's job is to make sure our systems (like Google Analytics) are locked down and encrypted.
Delete (Pitch It): When the project is over or the client contract ends, you must follow the process to have the data securely deleted or returned. The compliance team manages this.
Here are some real-life scenarios and what to do.
Scenario 1: You get an email from [email protected] that says, "Delete all my data and stop sharing it!"
What to do: Do not reply. Do not just unsubscribe them. This is a legal request. Forward it immediately to [email protected]. Our compliance team will log it and handle the deletion across all systems.
Scenario 2: A client emails you a list of 10,000 customer emails for a "lookalike" ad campaign.
What to do: Do not upload this list anywhere. Reply to the client and copy [email protected]. We must first confirm (in writing) that the client got proper consent to use this list for advertising and check it against our "do not contact" records.
Scenario 3: You get a call from someone who says they are from IT and need your password to "fix your account."
What to do: Hang up. This is a scam. OnDigital IT will never ask for your password. Report the incident to [email protected] so we can warn the team.
Scenario 4: You're on a coffee shop's free Wi-Fi and you realize you just sent a customer list to a client over an unsecure connection.
What to do: This is a data breach. Report it immediately to [email protected]. The faster we know, the faster our security team can assess the risk and help the client.
| Do | Don't |
| --- | --- |
| DO use your OnDigital-approved password manager. | DON'T write passwords on a sticky note or share them. |
| DO store client files on our secure, shared network drives. | DON'T save customer lists to your personal desktop or a USB stick. |
| DO ask "why?" before collecting any piece of personal data. | DON'T collect data "just in case" you might need it later. |
| DO report a lost company laptop or phone immediately, 24/7. | DON'T wait until tomorrow to see if it turns up. |
| DO forward any "delete my data" email to [email protected]. | DON'T try to delete the data yourself. You might miss a system. |
| DO use approved tools like Google Analytics only in the way we've configured them. | DON'T sign up for a new "free" marketing tool or add a new script without approval. |
If you see something, say something.
For any question or to report a privacy concern, email [email protected].
For suspected data breaches (like a lost laptop, clicked a bad link, or sent an email to the wrong person): Report it immediately to this email. This is our top priority.
For user privacy requests (like "delete my data"): Forward the request immediately.
For all other questions: We will acknowledge your email within 2 business days.
When a privacy incident happens, we follow four steps.
Report & Contain: You report the issue. Our security team acts immediately to stop any further data loss (like isolating a system or remotely wiping a lost laptop).
Assess: Our team investigates what happened, what data was affected, and who is at risk.
Act: We will follow our legal duty. This may mean notifying regulators (sometimes within 72 hours) and the people who were affected.
Learn: We will review the incident to improve our training and security to make sure it doesn't happen again.
Collection & Use: We only collect and use client/customer data to do the work our clients hired us to do. This includes running marketing campaigns or analyzing website traffic with tools like Google Analytics.
Retention: We don't keep data forever. We delete personal data after we no longer need it for the project or for legal reasons.
People's Rights: Everyone has privacy rights. We help our clients honor these rights for all their customers, no matter where they live. This includes:
The right to know what data is being used.
The right to access a copy of their data.
The right to correct inaccurate data.
The right to delete their data.
The right to opt-out of their data being "sold or shared" for advertising.
There are no exceptions to this policy. Protecting our clients' data is a core part of our business.
If a new tool, vendor, or process is needed that isn't covered here, you must get written approval from the compliance team before you start. Send your request to [email protected].
Policy Owner: The Compliance Team
Review Cycle: Every 12 months
Next Review Due: 1-11-26
| Version | Date | Changes |
| --- | --- | --- |
| 1.0 | 1-11-24 | First edition of our new, friendly policy. |
Ask yourself these questions before you start a project:
Do I have written approval for this new marketing tool?
Am I collecting only the data I absolutely need for this campaign?
Am I storing this client file on the secure network, or is it on my desktop? (It must be on the network).
Did I forward that "delete my data" email to compliance?
Do I know who to report a data spill to? (Yes: [email protected]).
Is this data encrypted, and am I using a strong, unique password?
When this project is done, what is my plan to delete the data?
This policy provides general guidance and is not legal advice.
© Copyright 2025. All rights reserved by OnDigital Cards.