GDPR and Our Plugins

The information on this page is intended for users of our plugins who are interested in understanding how the GDPR legislation relates to our plugins. For text snippets that you can add to your website privacy notice, please refer to this section of the page.

Introduction

Our plugins act as an intermediary between Facebook, Instagram, and Twitter and your website, and allow you to choose which type of information you want to include. As such, it is easy to use our plugins in a way which doesn’t display any personal data.

Below is a list of common questions about our plugins related to GDPR, links on how to make each plugin as GDPR compliant as possible, and some text snippets you can add to your website’s privacy notice.

FAQs

1. Where do our plugins get data from?

Our products make authorized requests to the associated social media platform (Facebook, Instagram, or Twitter) via its API. The social media platform then sends back any publicly available content which the platform has been authorized by its users to share publicly.

2. What data is retrieved by our plugins?

The data which our plugins request originates from the social media platform that the relevant content was posted to. When a user registers with, and posts content to, a social media platform, they are agreeing to that platform’s terms of service with regard to certain data being accessible to third parties via its developer API. Each user has the ability to restrict access to their data via their account settings on each social media platform. For example, if a Facebook user has their privacy settings set to not allow apps to access certain types of data, then that data cannot be retrieved by our plugin, or any other.

3. Is any of the data personal?

The kind of data our plugins can display varies, and any personal data can be excluded (see Configuring the Plugins to Improve GDPR Compliance). A description of the personal data that can be displayed by each plugin is below:

Custom Facebook Feed
By default, the plugin will not receive any personal information about an individual user either commenting or posting on Facebook.  The only way to choose to display that information is to retrieve a specific type of Access Token (called a Page Access Token) which gives you access to the names and avatars of people who post or comment on a Facebook page which you own.

Instagram Feed (Pro version only)
The Free version displays no personal information.
In the Pro version, if you’re displaying a “User” feed then the only personal information provided by Instagram is the username of users who comment on your posts.

Custom Twitter Feeds
In all feed types, the only personal information provided is the name and avatar of the user who posted the Tweet.

4. Does the plugin track any data?

We don’t track any user data in our plugins, but under some circumstances the social media platforms which the plugins request data from may do. This can happen in two ways:

Embedded Widgets
We offer the option to include embedded widgets from the Facebook and Twitter platforms which may allow tracking and data collection. These widgets can be disabled very easily in our plugin settings (see Configuring the Plugins to Improve GDPR Compliance). If the GDPR setting is enabled in our plugin then these widgets will be automatically disabled.

Third-party Connections
If the GDPR setting in one of our plugins is enabled then no third-party requests are made. If this setting is not enabled then when loading an image or video from a social media platform, a request may be made in the web browser to retrieve that file from the social media platform that it’s hosted on. Any request made by your web browser includes your IP address, which can then be seen by the third-party that it’s being requested from. These requests are made to resource-specific domains with the sole purpose of retrieving content, and do not pass any personal data beyond the IP address of the website user making the request. To make your users aware of this, we have some snippets that you can include in your website privacy notice (see GDPR privacy notice snippets).
GDPR Setting: If the GDPR setting is enabled in any of our plugins then no third-party connections will be made to display images. See here for more information.

5. Is any data forwarded to third parties?

We do not forward or share any data that we receive from each social media platform with any third parties. We simply retrieve the data from the social media platform and display it on your website. We do not send data to our own servers, or anyone else’s.  All data remains on your website.

As mentioned in the section above, the plugins do make some third-party connections to social media APIs (Application Programming Interfaces) and CDNs (Content Delivery Networks) in order to get content, and also have the option to display third-party widgets. When the requests are made to retrieve images or videos then they make the IP address of the person viewing the content/widget accessible to the third-party. To make your users aware of this, we have some snippets that you can include in your website privacy notice (see GDPR privacy notice snippets).

6. How and where is data stored?

When the plugin receives data from a social media platform, it caches this data temporarily in your WordPress database (in the wp_options table).  This cache is temporary, and will expire after the period of time defined in the plugin settings (default is one hour).  When the cache expires, the plugin makes another request to get data from the social media platform, and the process repeats.

There are a few exceptions where data is stored permanently:

  1. In the Instagram Feed plugin we have a feature which creates a permanent/backup cache, which permanently caches the data unless it’s cleared manually. This is enabled by default, but can be cleared and/or disabled by using the following setting: Instagram Feed > Customize > Misc > Enable Backup/Permanent Caching
  2. Also in the Instagram Feed plugin we have a feature which creates a permanent copy of all image files on your server. This is enabled by default, but can be cleared and/or disabled by using the following setting: Instagram Feed > Customize > Misc > Disable Image Resizing
  3. In the Custom Twitter Feeds plugin we have a feature which creates a persistent cache for Search feeds, in order to work around Twitter’s 7-day search restriction.  This is disabled by default, but if enabled then it can be disabled by using the following setting: Twitter Feeds > Customize > Advanced > Persistent Cache Enabled by Default

7. Can users control whether their data is received by and displayed in my feed?

Yes. There are two methods for doing this:

  1. The user can either change their privacy settings on the corresponding social media platform so that their data is no longer accessible by our plugins
  2. You can exclude their content by using the moderation tools built into our plugins

8. Do our plugins load any external scripts?

All of our plugins can be used without loading any external scripts. There are some specific optional settings in each plugin which require an external script to be loaded, e.g. the Facebook “Like Box” widget. For further information on disabling these features, see Configuring the Plugins to Improve GDPR Compliance.

9. Do our plugins use cookies to store personal data?

No, our plugins do not use cookies to store personal data. The only exceptions to this are the Facebook or Twitter widgets which you can optionally include in your feed, which do use cookies to determine whether a user is logged into their social media account.  These widgets can be completely excluded from your feed so that these cookies are never used (see Configuring the Plugins to Improve GDPR Compliance).

The platforms that the plugin connects to do use some basic cookies; however, these do not store or transfer any personal information and are used solely for functional purposes. Here’s a more detailed description of the cookies set by each social media platform when using certain features of our plugins:

Custom Facebook Feed
If the “Like Box” widget is enabled, and a user clicks the “Like” button then they will be redirected to Facebook.com and prompted to log into their account, if they are not already. Facebook.com will then add some temporary cookies to their browser in order to keep them logged in. These cookies can be deleted via your web browser privacy settings. Deleting the cookies will log you out of Facebook. These cookies can be disabled completely by simply excluding the Like Box widget in your feed.

Instagram Feed
Since versions 2.0 (free) and 5.0 (Pro) the Instagram plugin does not use any cookies.

Custom Twitter Feeds (Pro Version Only)
If the GDPR setting is enabled in the plugin then no cookies will be used. The plugin is also compatible with many popular cookie consent plugins which require consent before a cookie is used. If consent is given, or the GDPR setting is disabled, then when the feed is loaded, one cookie is set in your browser: tfw_exp. This cookie does not store or transfer personal data of any kind.
When you use the Reply, Share, or Like icons under a Tweet then a popup box is launched which redirects you to Twitter.com. Twitter then sets some cookies in your browser related to interacting with the Tweet that you are replying to, sharing, or liking. These cookies can be disabled completely by simply excluding these Reply, Share, and Like icons from your feed (see Configuring the Plugins to Improve GDPR Compliance).

 

Configuring the Plugins to Improve GDPR Compliance

Below are links to FAQs which describe how to make our plugins as compliant as possible with GDPR:

 

GDPR Privacy Notice Snippets

Below is a collection of snippets you can add to your website’s privacy notice, depending on which plugin and features you are using.

Custom Facebook Feed

If you have followed the directions in the Configuring the Plugins to Improve GDPR Compliance section above then you can use the following snippet:

We use a Facebook Feed plugin to display social media content on our website. As a result, our website makes requests to Facebook’s servers in order to display images and videos. These requests make your IP address visible to Facebook, who may use it in accordance with their data privacy policy: https://www.facebook.com/about/privacy/update

If you are including the Facebook “Like Box / Page Plugin” widget in your feed, then you can also add the following:

We embed a Facebook widget to allow you to see information about, and “like”, our Facebook page. This widget may collect your IP address, your web browser User Agent, store and retrieve cookies on your browser, embed additional tracking, and monitor your interaction with the widget, including correlating your Facebook account with whatever action you take within the widget (such as “liking” our Facebook page), if you are logged in to Facebook. For more information about how this data may be used, please see Facebook’s data privacy policy: https://www.facebook.com/about/privacy/update

If you are loading the plugin’s icon font from the CDN, then you can also add the following:

In order to improve performance, we load the font file used in the Facebook feed from a Content Delivery Network (MaxCDN). As a result, our website makes requests to the MaxCDN servers in order to retrieve the file. These requests make your IP address visible to MaxCDN, who may use it in accordance with their data privacy policy: https://www.maxcdn.com/legal/#pp

Instagram Feed

If you have followed the directions in the Configuring the Plugins to Improve GDPR Compliance section above then the plugin is 100% GDPR compliant.

Custom Twitter Feeds

If you have followed the directions in the Configuring the Plugins to Improve GDPR Compliance section and enabled the GDPR setting then the plugin is GDPR compliant.  If you don’t have the GDPR setting enabled then you can use the following snippet:

We use a Twitter Feed plugin to display social media content on our website. As a result, our website makes requests to Twitter’s servers in order to display images and videos. These requests make your IP address visible to Twitter, who may use it in accordance with their data privacy policy: https://twitter.com/en/privacy#update

If you are including the Twitter Reply, Share, and Like icons under each Tweet, then you can also add the following:

The Tweets displayed in the Twitter feed include the ability to Reply, Share, or Like the Tweet directly on our website. If you choose to interact with these functions then you will make a connection to Twitter.com, who may collect your IP address, your web browser User Agent, store and retrieve cookies on your browser, embed additional tracking, and monitor your interaction with the widget, including correlating your Twitter account with whatever action you take within the widget (such as “liking” a Tweet), if you are logged in to Twitter. For more information about how this data may be used, please see Twitter’s data privacy policy: https://twitter.com/en/privacy#update