PDAT-06

Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?

Explanation

This question is asking whether your service or application uses any technologies that track user behavior or collect user data through web browsers or mobile apps. Web tracking components include technologies like:

1. Cookies: Small text files stored on users' devices that remember user preferences, login status, or browsing activity
2. Web pixels/tracking pixels: Tiny, invisible images embedded in websites or emails that record when a user views a page or opens an email
3. Session identifiers: Unique IDs assigned to track a user's journey through a website
4. Browser fingerprinting: Techniques that identify users based on their browser configuration
5. Analytics scripts: Code that collects data about how users interact with your site

This question is being asked in a security assessment because tracking technologies have privacy implications. They collect user data that may be subject to privacy regulations like GDPR, CCPA, or HIPAA. Organizations need to know if your service collects user data, how it's used, who has access to it, and whether users are properly informed about this collection.

To best answer this question:

1. Be transparent about any tracking technologies your service uses
2. Explain the purpose of the tracking (analytics, personalization, etc.)
3. Describe what data is collected and how it's protected
4. Mention any consent mechanisms in place (cookie banners, privacy policies)
5. Explain your data retention policies
6. Note any third parties who may receive this tracking data

Even if tracking is minimal or standard practice, it's important to disclose it fully in your response.

Guidance

Web tracking can be used to identify users via their IP address, login information, browser information, etc.

Example Responses

Example Response 1

Yes, our service uses several tracking components. We implement Google Analytics to collect anonymized usage data that helps us improve our application. We use session cookies to maintain user login states and functional cookies to remember user preferences. We also deploy Facebook and LinkedIn tracking pixels on our marketing pages to measure ad campaign effectiveness. All tracking is disclosed in our privacy policy, and we implement a cookie consent banner that allows users to opt out of non-essential cookies. We retain analytics data for 26 months, after which it is automatically deleted. All collected data is encrypted in transit and at rest, and we have data processing agreements with all third-party analytics providers.

Example Response 2

Yes, our application uses minimal tracking components. We implement first-party session cookies solely to maintain authenticated user sessions (these expire after 24 hours of inactivity). We also use Mixpanel for product analytics to track feature usage patterns, but we've configured it to anonymize IP addresses and disable persistent user identification. We do not use any third-party tracking pixels or social media trackers. Our privacy policy clearly discloses our limited use of tracking technologies, and we provide users with the ability to opt out of analytics collection through their account settings. All tracking data is stored in our secure environment and is not shared with external parties.

Example Response 3

No, our service does not implement any web tracking components. Our application is a standalone enterprise solution that operates within the customer's network environment and does not connect to external analytics services. We do not use cookies, tracking pixels, or any other user tracking mechanisms. The application does maintain standard server logs for security and troubleshooting purposes, but these logs only contain basic information like timestamp and action performed, without storing personally identifiable information or persistent identifiers. This approach was specifically designed to address the privacy concerns of our healthcare and financial services customers who handle sensitive data subject to strict regulatory requirements.

Context

Tab: Privacy
Category: Privacy of Sensitive Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub