Showroomprive leaks your email and CRM information

Consent is a very relative concept for the private sales site

Published by Pixel de Tracking on April 12, 2020

The Showroomprivé iOS app, subscribed to trackers

After analyzing Fnac, let's now study another French e-commerce site, a competitor of Veepee (the leader in private sales, formerly vente-privee.com): Showroomprive. To analyze its iOS app, I followed these steps:

  • Closing the various background applications.
  • Launching the Charles Proxy application and activating tracking.
  • Launching the Showroomprive application, then navigating in the app: I consulted some products.
  • Exporting the logs from my Charles Proxy session to my computer, in order to easily analyze the requests sent by Showroomprive.

Showroomprive iOS

Here are some companies that track you during your purchases on Showroomprive:

  • Google: via its Firebase developer toolbox, Showroomprive uses Crashlytics (crash tracking) and Firebase Remote Config, which lets it personalize its app without having to redeploy it. No personal information is sent here (unlike Bolt), but identifiers are (pseudonymized data about which Showroomprive should inform you and ask for your consent).
  • Facebook: via its developer toolbox used by Showroomprive, your private sales consultations are known to the American giant, even if you do not have a Facebook account. Here again, no information from Showroomprive.
  • FollowAnalytics: via the domain follow-aps.com. A French analytics and targeted-campaign tool (push notifications and in-app messages).
  • Adjust: another mobile analytics and marketing tool. Here Showroomprive leaked CRM data: your gender, your number of orders, your RFM score, the total amount of your orders, etc.
  • Mediarithmics: a French company offering an advertising space purchasing platform and a data management solution (profiling you better in order to target you better). Here, Showroomprive leaks your CRM data and your navigation in the application, but also much more sensitive data such as your email address, postal code or date of birth.
  • Accengage: a French push notification tool, acquired in 2018 by the mobile marketing company Airship. Here Showroomprive leaked your email address.
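To show how findings like these can be checked against an exported proxy session, here is an added example (not code from the original article). It assumes the Charles session was exported in HAR format, and it goes slightly beyond the plaintext case by also looking for unsalted MD5/SHA-1/SHA-256 hashes of the address. The function names, hosts and sample address are constructed for illustration.

```python
import hashlib
import json
from urllib.parse import unquote, urlsplit

def email_forms(email):
    """Plaintext plus common unsalted hashes of the normalized address."""
    e = email.strip().lower()
    forms = {"plaintext": e}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, e.encode()).hexdigest()
    return forms

def find_leaks(har, email, first_party):
    """Return sorted (host, form, location) for third-party requests carrying the email."""
    forms, hits = email_forms(email), set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host == first_party or host.endswith("." + first_party):
            continue  # only third-party recipients are of interest
        parts = {
            "url": req["url"],
            "headers": " ".join(h["value"] for h in req.get("headers", [])),
            "body": (req.get("postData") or {}).get("text", ""),
        }
        for where, raw in parts.items():
            text = (raw + " " + unquote(raw)).lower()  # raw and percent-decoded
            hits.update((host, f, where) for f, n in forms.items() if n in text)
    return sorted(hits)

def load_har(path):
    with open(path, encoding="utf-8") as f:  # a real HAR export from the proxy
        return json.load(f)

# Constructed sample: hosts, address and parameters are made up for illustration.
EMAIL = "jane.doe@example.org"
HAR = {"log": {"entries": [
    {"request": {"url": "https://www.shop.example/login", "headers": [],
                 "postData": {"text": '{"email":"jane.doe@example.org"}'}}},
    {"request": {"url": "https://events.dmp.example/touch?email=jane.doe%40example.org&zip=75001",
                 "headers": []}},
    {"request": {"url": "https://sync.alliance.example/px?h="
                        + hashlib.sha256(EMAIL.encode()).hexdigest(), "headers": []}},
    {"request": {"url": "https://crash.sdk.example/report", "headers": [],
                 "postData": {"text": '{"device_id":"A1B2"}'}}},
]}}
if __name__ == "__main__":
    for hit in find_leaks(HAR, EMAIL, "shop.example"):
        print(*hit)
```

Running the same check on one session recorded with the tracking options enabled and one with them unchecked gives a direct before/after comparison of which third parties receive the address.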

A vague privacy policy

As Showroomprive does not directly inform its customers about how it allows third parties to track them, let's read the Showroomprivé privacy policy. In section 5, "Recipients of your Personal Data", we can read:

The recipients of your Personal Data are as follows: [...] Our service providers in charge of carrying out analyzes and segmentations, marketing and commercial studies and personalized advertising campaigns

Thus the customer still has no information on the identity of the recipients, nor on the personal data transferred.

Limited control over trackers, well hidden

By browsing the settings of the Showroomprivé App, I managed to find the page allowing you to configure tracking. You need to go to “Account”, then to “My personal information”, and finally “Manage my data”:

Manage my data - Showroomprive

By default, everything is allowed! And here again, no information is given on the identity of the recipients or the personal data transferred. However, if we uncheck all the boxes, we can observe a reduction in trackers.

Showroomprive - tracking disabled

So the Mediarithmics and Accengage trackers, which notably retrieved my email address, are no longer triggered. On the other hand, Showroomprive still leaks my identifiers to Google and Facebook, so it is impossible to deactivate the services of the heavyweights of generalized surveillance.

Mediarithmics, provider of monitoring tools, offloads to its customers

We had already seen in a previous article how Fnac leaked your personal data to Mediarithmics and Accengage, 2 French “data marketing” companies. As part of the Gravity alliance (150 French sites which exchange your personal data), Fnac leaked a hash of your email address and your journey on site to Mediarithmics.

Here, Showroomprive goes "further" by leaking your email in plain text to Mediarithmics. What does the "Personal data protection charter" from Mediarithmics say? In summary:

  • The client (Showroomprive) must inform users and obtain their explicit consent before collecting the data (Showroomprive does not respect the contract, no information or explicit consent, but a hidden opt-out).
  • Mediarithmics does not cross-reference the data of its different clients (no cross-referencing between Showroomprive and the Gravity Alliance, for example).
  • The rights of access, rectification, opposition or deletion of my personal data must be exercised directly with Mediarithmics' customers (Showroomprive).

In summary: Mediarithmics discharges itself, Showroomprive is responsible. Here is the data that Mediarithmics authorizes itself to collect on behalf of its clients:

Mediarithmics collection

Mediarithmics provided the "weapon", tasking Showroomprive with obtaining the consent of its customers upstream. For its part and as already seen with the example of Fnac, Accengage does not even indicate that it can collect personal data such as email.

Showroomprive website leaks your personal data when you are not logged in

As we have just seen, Showroomprive leaks your personal data without your consent on its iOS app. What about its website? Let's look at the requests exchanged when I browse the Showroomprive website from Chrome, still with Charles Proxy, but this time the desktop version (after deactivating my ad blocker and deleting cookies):

Showroomprive - web - home

Before you can even click on the “cookies banner” at the bottom of the page, Showroomprive sends your personal data to Google and Facebook, a violation of the GDPR. The "cookie banner" refers to the privacy policy. To manage your data, you must connect to Showroomprive (reminder: you have already been tracked by Google and Facebook, there is no going back).

When you log in and have previously unchecked all the tracking options ("Account" > "My personal information" > "Manage my data"), Showroomprive does not trigger additional third-party tracking (no Google or Facebook, therefore, unlike the iOS app). But when you disconnect, unsurprisingly, the Google and Facebook trackers are triggered again.

Showroomprive - web disconnection