- 63,609
- 50,737
- Joined
- May 23, 2005
yup class action coming SOONIn 2017 I asked Stock X to close my account and delete my data. Even though the account was closed, they retained all of my data, which was subsequently part of the hack. So I emailed them again a month ago asking for them to explain why they didn't originally delete my data. I also made a request under the GDPR to disclose exactly what data they still hold on me, and to also delete it. This is the response I got:
Dear xxxxx,
Data Subject Erasure Request
I write further to your Personal Data Erasure Request, as set out in your email dated 8/3/2019. We have undergone a review of the personal data that we hold about you and have deleted your personal data to which the right of erasure applies.
We can confirm that we have erased the following personal data about you.
We have not been able to erase the following information because we need to retain certain information for our legitimate legal, audit, and tax purposes.
- Your personal preferences and settings, including:
- Payment methods
- Subscription to mailing lists
- Encrypted password
- User devices
- IP addresses
We have complied with your request to the extent possible, but note that some of your data is held in back-ups. This information is inaccessible due to how our back-ups are stored. In the event that we need to use a back-up containing your personal data to restore the other information, your personal data has been flagged for deletion, and will be erased prior to the back-up data being accessed, or will be deleted manually upon the back-up being restored.
- Your name and contact details including:
- First and Last Name
- Phone number
- Billing addresses
- Shipping addresses
- Your transaction history
The categories of recipients to whom we disclose personal data are:
In respect of the companies listed above, this includes processing in countries outside the EEA, including in the USA, and these transfers of personal data are subject to appropriate safeguards such as the use of European Commission-approved model clauses, or privacy shield certification.
- Payment processing providers who provide secure payment processing services, such as PayPal Inc. (including Braintree) and Riskified Ltd.
- Analytics, search engine providers and digital marketing providers that assist StockX in the improvement and optimization of its site and to grow and develop its business, such as Criteo, Facebook, Google, Ask Nicely Limited, AppsFlyer Inc., Snap Inc. and LiveRamp Holdings Inc.
- Service providers of StockX who assist StockX in administering your account and to process and deliver your orders, such as Salesforce, Dropbox, Intercom, Inc., UPS, DHL, and Leanplum, Inc.
Personal data is held for as long as you have an account with us in order to meet our contractual obligations to you and for six years after that to identify any issues and resolve any legal proceedings. We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.
Your rights under data protection law include the rights to request your personal data are, where relevant, corrected or erased or restricted or under certain circumstances to object to the processing of personal data. You also have the right to make a complaint to a data protection regulator.
Yours sincerely,
Maureen Lesko
Senior Counsel, StockX