HitPath and GDPR

GDPR and data protection.

This page is designed to share with you some information regarding the steps WebApps, LLC d/b/a Hitpath is taking to prepare for the General Data Protection Regulation (or GDPR) that is set to take effect on May 25, 2018. The GDPR is a new and sweeping set of privacy regulations adopted by the European Union that will apply to many businesses based in the United States, including WebApps.

This page will provide you with a brief explanation as to what WebApps is doing to protect your data and to ensure that we comply with the new high standard set by the GDPR.

One of the main steps WebApps is taking to comply with GDPR is to update its Privacy Policy. The Privacy Policy explains what data WebApps collects from you and from other data subjects, how it stores, protects, and uses that data, and your various rights relating to that data. We encourage you to follow this link and to review the updated Privacy Policy which goes into effect on April 23, 2025.

WebApps is also updating its Document Retention Policy, which governs how long WebApps will retain documents, both during the life of your License Agreement and generally throughout the business. These changes will also go into effect on April 23, 2025. We strongly encourage you to review this document carefully as it contains significant changes in policy regarding how long certain information will be available to you regarding your account. The updated Document Retention and Destruction Policy is available via this link.

WebApps has also adopted a General Data Protection Regulation Policy. This policy explains the many additional steps WebApps has taken to comply with GDPR and to protect your data. The General Data Protection Regulation Policy is available for your review via this link.

We will continue to update these Policies from time to time. These policies will be posted on our website as updated and available for your review at any time.

While many of the requirements of GDPR are brand new, WebApps has always been and will continue to be committed to protecting your data. The changes that we are making are designed not only to comply with the new legislative requirements but also to provide you with the highest levels of service and privacy possible.

We want to bring one significant change to the Acceptable Use Policy to your attention. In an effort to minimize the security risk inherent with data collection, WebApps is taking steps to reduce the sheer volume of data that it retains. Under the current License Agreement, as subject to the current Acceptable Use Policy, WebApps maintains all of your user data for as long as your License Agreement remains in effect.

We are modifying that system slightly. Under the new Acceptable Use Policy, WebApps will only retain your data for one year while your License Agreement is in effect. This means that after data has been sitting in your database for a year, that data will be automatically purged. You have the option to opt out of this system, as explained in the updated Acceptable Use Policy. If you want us to hold your data for longer during your License Agreement, all you have to do is request that we do so and we will be happy to oblige.

Please reach out to us via our website or your customer service representative if you have any questions regarding these policy changes.

General Data Protection Regulation Policy

WebApps, LLC
Effective April 23, 2025

Policy Statement

WebApps, LLC ("the Company"), is a Louisiana limited liability company. The Company provides a multichannel tracking platform which allows companies, advertisers, advertising agencies, and publisher networks to monitor the activity generated by their respective online marketing activities ("the Services").

The Company receives personal data in various forms and from various sources in connection with the Services. Customers provide personal data regarding themselves to the Company so that the Company can provide them with the Services. Customers also provide the Company with personal data of other companies and natural persons that is generated by that end user through his online activities and then flows through the Customer to the Company for processing. Under both of these scenarios, the Company at times receives personal data pertaining to natural persons located in the European Union (EU) and the European Economic Area (EEA). As a result of its control and/or processing of this personal data, the Company falls within the scope of the General Data Protection Regulation ("GDPR").

The purpose of this Policy is to detail the Company's efforts to comply with the requirements of the GDPR and to ensure the protection and confidentiality of personal data.

Other Policies

The Company has enacted a variety of policies to ensure that it is complying with the requirements of GDPR. Some of these policies have been in place for some time and have been updated whereas other policies have been enacted for the first time in order to comply with GDPR.

These policies are all available for review at your request.

These policies include the following:

  • Privacy Policy
  • Document Retention Policy
  • Acceptable Use Policy
  • Information Security Policy

Additionally, the Company has amended its contractual relationships to ensure that personal data is appropriately protected. This includes User License Agreements and Data Processing Agreement Addendums. Examples of these documents are also available upon request.

GDPR Compliance

Responsibility

The Company has not elected to appoint a Data Protection Officer at this time. The Company's core activities do not consist of processing operations which require regular and systematic monitoring of data subjects in the EU and/or EEA on a large scale. The Company does not process sensitive data relating to criminal convictions and offenses. The CEO of the Company, Samuel S. Prokop, is responsible for ensuring that the Company acts in compliance with the requirements of GDPR and any inquiries on this subject shall be directed to him.

Risk Assessment

The Company's commitment to minimizing the risk to the personal data it controls and processes is ongoing. To minimize that risk, the Company has implemented an Information Security Policy, Document Retention Policy, Privacy Policy, and Security and Breach Protocols.

The Company will also undergo semi-annual Data Protection Impact Assessments. The purpose of these assessments shall be to not only assess the risks facing the Company, but also to ensure that the policies that it has implemented to minimize these risks are functional and effective. The Chief Technical Officer shall be responsible for completing the semi-annual DPIA.

Auditing

In addition to the semi-annual DPIA, the Company shall undergo a semi-annual GDPR internal audit. The Company understands that GDPR is new law and as such will likely evolve and change over time. Similarly, new threats and processes will arise which the Company must take into account over time. To that end, the Company will perform a semi-annual GDPR internal audit relying on the GDPR questionnaire published for that purpose by BayLDA. The results of those audits will be retained for no less than three (3) years.

Controller/Processor

The Company operates as a Controller and as a Processor depending on the service provided and the source of the personal data. Customers provide personal data directly to the Company when they sign up for the Services. This data includes information such as Company name, individual name, address, phone number, etc. The Company is the controller of that data as it controls the means by which it is collected, why it is collected, and how it is used.

The Company operates as a processor when Customers provide the Company with information for it to process on their behalf. The Company is in the business of tracking and monitoring behavior relating to certain online marketing and advertising efforts of its Customers. Customers collect data directly from end users and then relay that information through to the Company. The Company then processes that information so it has value and use to the Customer. The Company is only a processor in this scenario as it does not control the means of collection of the data, why it is collected, or how it is used.

Lawful Basis for Processing

The basis for the Company's processing of information depends on the source of the data and the data subject. When a Customer contracts with the Company for the Services, the Customer is asked to provide certain pieces of personal data to the Company. This information is necessary to establish the Customer's instance of the Hitpath Software, the Company's primary product. The Customer consents to the Company's processing of its personal data at that time.

The Company also processes personal data on the basis of a contract. The Company enters into a License Agreement with each of its customers. In order to fulfill its contractual obligations under the License Agreement, the Company must process some of the Customer's personal data. This processing is necessary to the operation of the Services offered by the Company and the software will not function correctly without this personal data.

The Company also processes Customer personal data on the basis of the legitimate interest of fraud prevention. Specifically, the Company has instituted certain security measures to prevent unauthorized access to Customer accounts. The Company processes the personal data provided by the Customer to ensure that the Customer and only the Customer can access its account. This security-related processing is necessary to protect the Customer and other data subjects and the individual's interests do not override this legitimate interest in fraud prevention.

The Company also processes data of other data subjects, including end users, that is provided to it by Customers. The basis for that processing is the legitimate business of the operation of the Company and the provision of the Services to the Customers as well as part of its direct marketing practices. The Company is in the business of taking data that is provided to it by its Customers, the controllers of that data, and processing it in a way that allows the Customer to understand the value of the Customer's online advertising and marketing strategies. The Company has an interest in operating its business and in providing an efficient and valuable service to its Customers. The Company does not control the means of collection of the data and relies on its Customers, the controllers, to properly notify any end user that it is collecting data at the time of collection. The processing of the personal data of data subjects is necessary for the Company to provide the Services to its Customers and to carry out its business. Further, end users have an expectation that their online activities, particularly their interaction with online advertisements, are being monitored and generating data that is used by advertisers, publishers, and agencies. The interests and fundamental rights of the data subject do not override the legitimate interests of the Company as described herein.

Data Processing Agreements

The Company relies on a number of vendors. It does so both in its capacity as a controller and in its capacity as a processor. The Company relies on vendors to provide a number of services including hosting, servers, geo location, customer intelligence, among others. In order for these vendors to carry out these tasks, the Company must transfer data to them. This data may include personal data of both customers and other data subjects including end users.

In order to ensure that these third-party vendors properly protect all data that the Company provides to them, the Company requires these vendors to provide certain assurances regarding their compliance with GDPR. Additionally, the Company requires that each vendor execute a Data Processing Agreement or adopt terms covered by such a document into existing user agreements.

Data Subject Rights

The Company is keenly aware of the variety of data subject rights memorialized by GDPR. The Company's handling of personal data is addressed at length in the company's Privacy Policy which is available on the Company's website.

Compliance Generally

The Company takes responsibility for complying with the GDPR at the highest management level and throughout the organization. The Company records the steps that it takes to comply with GDPR including implementing a system for regular risk assessments, audits, and the processing of personal data. In addition to implementing certain policies to protect the data it controls and processes, the Company has adopted both privacy by design and privacy by default approaches to ensure that appropriate data protection measures are in place throughout the entire lifecycle of the Company's processing activities. The Company has increased its security measures to protect this data and has instituted policies to heighten security awareness for its employees. The Company has also instituted policies to ensure that data breaches are quickly recognized and appropriately addressed both with the individuals involved and with the appropriate supervisory authorities.