User data, security & GDPR
What user data we track
We are committed to maintaining the highest standards of privacy and data protection. Here is an overview of the data we track and store on our servers.
- The user information object - This includes the information you pass to Product Fruits.
- The only required user information is the username of the current user. A unique identifier is needed to ensure users do not see the same content repeatedly. This can be any string identifier e.g. user database IDs, usernames, emails, or hashed identifiers.
- Other user properties are optional, e.g. user roles, sign-up dates, or other custom properties.
Learn more about the user identification process here.
- The state of Product Fruits content for the user - We store information about the content the user has interacted with to ensure our features work. This includes:
- Tours the user has finished or skipped
- Hints that have been displayed to the user
- Announcements the user has read
- Checklists the user has completed or dismissed
- Other similar information
- Sent feedback - If you use our feedback widget, the gathered feedback is also stored on our servers.
Data usage policy
Limited data tracking - We only track data necessary to operate Product Fruits and data that you explicitly consent to us tracking. Consent is granted by passing the information to Product Fruits, meaning that when you provide us with user data, you are giving us permission to store and use that data for the specified purposes.
We highly recommended not to insert any sensitive content (e.g., passwords, other users' emails) into Product Fruits content (such as tours, hints, announcements). Additionally, hashing user data whenever possible enhances security by protecting user identities.
Our servers
We utilize Amazon Web Services (AWS) for our server infrastructure.
All data is stored in an AES-256 encrypted database. Data transmitted to your end-user browser is encrypted via SSL/TLS.
Product Fruits systems and infrastructure are continuously monitored through automated systems and we are able to detect and respond to potential threats in real-time. Third-party security experts conduct regular penetration tests to identify and mitigate vulnerabilities. Our infrastructure is also regularly monitored and tested by AWS.
By default, our servers and all data are stored in the EU region. Your account and associated data are automatically managed within this region. Our default server location is in Ireland.
GDPR and ISO Compliance
We are fully compliant with GDPR and have ISO 27701, SOC 2 Type 2 certification. Regular audits are conducted by certification authorities for ISO 27001 and SOC 2 Type 2.
Upon making an account with us, you agree to our Data Processing Addendum.
For further details, you can download our security certifications: