The Ultimate BFCM 2022 Guide
Download

Principles for Government Requests for Customer Data

Triple Whale’s Principles for Government Requests for Customer Data

This document provides information on how Triple Whale and its affiliates (“Triple Whale”, “we” or “us”) address requests received from government, law enforcement, supervisory authorities or courts, to give access to, or otherwise disclose to them, personal data (“government data requests”) processed by us on behalf of our customers (“you”), while ensuring compliance with our Terms of Use and Privacy Notice. 

We always aim to protect our customers’ data while complying with applicable laws. Accordingly, we will never voluntarily provide authorities with access to personal data that we process on your behalf; but we may disclose such data under a compelling legal obligation to do so, such as a valid subpoena, court order or search warrant (e.g., issued in connection with an official criminal investigation), issued to us by a court of competent jurisdiction.

Importantly, Triple Whale is not the ‘controller’ of the personal data that we process on our customers’ behalf (which is typically data relating to your shoppers or end-users), and we strongly believe that our customers should have as much control as possible over handling any such data disclosure requests. Accordingly, our first response to any government data request will always be to inform the requesting authority that any and all requests or demands for access to our customer’s data should be made directly to the customer concerned, and explain that Triple Whale is the ‘processor’ of such data on behalf of the customer. 

Only where this is not possible will we continue to examine the request – for example, if the requesting authority declines to communicate the request to the customer or under exceptional circumstances as described below.

In order to give you the opportunity to challenge any government data request relating to your data, we will notify you before disclosing any such data to the requesting authority, unless: 

  1. Triple Whale is prohibited by law or court order from informing you; or
  2. We have reason to believe there is an immediate risk of serious harm to people or to property that merits compliance with the request; or 
  3. Prior notice would be counterproductive - for example, if we firmly believe that an account was hijacked.

If Triple Whale is legally prohibited from notifying you of the request prior to disclosure, we will:

  1. Review each government data request on a case-by-case basis, taking into account all applicable laws, so we can determine whether or not the request is lawful. If we find that the request is invalid or unlawful, we will challenge it using commercially reasonable means;
  2. Strive to minimize the amount of personal data disclosed to the greatest extent permissible; and
  3. Take reasonable steps to notify you as soon as the confidentiality requirement expires.

Lastly, Triple Whale commits to preparing a bi-annual report (“Transparency Report”), which reflects the number and type of government data requests it has received in the preceding six months, as may be limited by applicable law or court order. Triple Whale shall publish the Transparency Report on its website, and make the report available upon request to competent data protection supervisory authorities.

Last updated: November 2022