Privacy protection
Privacy safeguards have been implemented across all Instacart Data Hub analytics.
Core privacy principles
- Privacy by design. Privacy protections are built into the foundational architecture, not added as an afterthought.
- Data minimization. Only the minimum necessary data is processed and exposed for each analysis.
- Purpose limitation. Data is used only for the specific analytical purposes agreed upon by partners.
Technical safeguards
The technical safeguards below are the security measures and protocols that protect sensitive information while it is being analyzed.
Minimum user thresholds
Most analytical templates enforce minimum user count requirements to ensure statistical anonymity.
- Standard threshold. ≥ 100 users are required for analysis results.
- Pre-aggregated templates. No minimum threshold is needed (the data is already aggregated).
- Time-based analysis. Minimum thresholds are applied per time period.
Specific threshold requirements are documented within each template's privacy section.
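The following is an added example, not code from the Instacart Data Hub, showing how a per-period minimum user threshold behaves. The events, week labels and the spend values are constructed; the 100-user threshold is the page's standard value. The point it makes is that the threshold is evaluated per result row (here, per week), so a period with too few users is suppressed even when the overall user count is comfortably above 100, and the returned rows carry no user identifiers.

```python
from collections import defaultdict

STANDARD_MIN_USERS = 100  # the page's standard threshold for a result row


def make_sample_events():
    """Constructed user-level events: (user_id, period, spend).
    Week 1 has 120 users, week 2 has 40, week 3 has 150, so week 2 must be suppressed."""
    events = []
    for week, n_users in (("2024-W01", 120), ("2024-W02", 40), ("2024-W03", 150)):
        for i in range(n_users):
            events.append((f"u-{week}-{i}", week, 10.0))
    return events


def total_distinct_users(events):
    """Overall distinct users. Large here (310), which is exactly why a
    dataset-wide check would be the wrong place to enforce the threshold."""
    return len({user_id for user_id, _, _ in events})


def aggregate_with_threshold(events, min_users=STANDARD_MIN_USERS):
    """Aggregate per period and drop every period whose distinct-user count is below
    min_users. Only statistical aggregates are returned; user ids never leave this function.
    Pre-aggregated inputs (per the page) would not go through this check at all."""
    users_by_period = defaultdict(set)
    spend_by_period = defaultdict(float)
    for user_id, period, amount in events:
        users_by_period[period].add(user_id)
        spend_by_period[period] += amount

    rows = []
    for period in sorted(users_by_period):
        n_users = len(users_by_period[period])
        if n_users < min_users:
            continue  # suppressed: the threshold applies to this period's row, not to the total
        rows.append({
            "period": period,
            "users": n_users,
            "spend": round(spend_by_period[period], 2),
        })
    return rows


if __name__ == "__main__":
    events = make_sample_events()
    print("total distinct users:", total_distinct_users(events))  # 310, above threshold
    for row in aggregate_with_threshold(events):                  # but week 2 is missing
        print(row)
```

Lowering `min_users` to 40 in a call would let the week 2 row through, which is the kind of per-template difference the next sentence refers to.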
Aggregated results only
- Individual customer records are never exposed.
- All results are statistical aggregations.
- No drill-down to the individual level is possible.
Secure processing environment
- All processing occurs within Snowflake clean rooms.
- Data never leaves the secure environment.
- Access is logged and monitored.
Data validation controls
Data validation controls maintain the integrity of the data systems and prevent errors, inconsistencies, or vulnerabilities that could affect decision-making, compliance, or system performance.
Parameter validation
- Date ranges are limited so that an analysis cannot reach arbitrarily far back in history.
- Aggregation levels are restricted to approved dimensions.
- Invalid parameters result in empty results, not errors.
- Snowflake clean room template validation ensures queries resolve to single SELECT statements.
- Built-in Snowflake policies are enforced (join policies, column policies, aggregation policies).
Input sanitization
- All parameters are validated before query execution.
- SQL injection is prevented through parameterized queries.
- All input values are type checked.
- Snowflake clean room template security: template variables resolve to string literals, so a variable that names a table or column must be wrapped in the IDENTIFIER() function rather than spliced into the query as raw SQL.
- Template execution is isolated within the clean room application context.
- There is no direct data access: all queries are executed through the controlled template framework.
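The following is an added example, not code from the Instacart Data Hub or from Snowflake, that puts the parameter validation and input sanitization rules above into one request path. The dimension allowlist, the lookback and range limits, the table name `shared_orders` and the request class are assumptions made for the example; the page only says that date ranges are limited and aggregation levels are restricted to approved dimensions. The query is emitted as a single SELECT with bind markers, the dimension is bound as a string and resolved through IDENTIFIER(), and any failed check returns an empty result rather than raising.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Any, Optional

# Illustrative policy values (assumptions, not figures from the page).
APPROVED_DIMENSIONS = frozenset({"region", "week", "product_category"})
MAX_LOOKBACK_DAYS = 730   # oldest allowed start date, relative to today
MAX_RANGE_DAYS = 366      # longest span one request may cover
STANDARD_MIN_USERS = 100  # the page's standard threshold


@dataclass(frozen=True)
class QueryRequest:
    dimension: Any   # typed as Any on purpose: validate_params does the type checking
    start_date: Any
    end_date: Any


def validate_params(req: QueryRequest, today: Optional[str] = None) -> Optional[dict]:
    """Type-check and range-check every parameter. Returns None on any failure;
    callers map None to an empty result instead of an error."""
    if not all(isinstance(v, str) for v in (req.dimension, req.start_date, req.end_date)):
        return None                                   # type checking for all input values
    if req.dimension not in APPROVED_DIMENSIONS:
        return None                                   # approved dimensions only (allowlist)
    try:
        start = dt.date.fromisoformat(req.start_date)
        end = dt.date.fromisoformat(req.end_date)
    except ValueError:
        return None                                   # malformed date
    today_d = dt.date.fromisoformat(today) if today else dt.date.today()
    if start > end or end > today_d:
        return None
    if (today_d - start).days > MAX_LOOKBACK_DAYS or (end - start).days > MAX_RANGE_DAYS:
        return None                                   # date range limits
    return {"dimension": req.dimension, "start": start, "end": end}


def render_query(params: dict) -> tuple:
    """Exactly one SELECT, all request-derived values as binds. The dimension is bound as
    a string and resolved with IDENTIFIER(), so request text never becomes SQL syntax.
    The threshold is a code constant, not user input. Table name is hypothetical."""
    sql = (
        "SELECT IDENTIFIER(?) AS dim, COUNT(DISTINCT user_id) AS users, SUM(spend) AS spend "
        "FROM shared_orders WHERE order_date BETWEEN ? AND ? "
        f"GROUP BY 1 HAVING COUNT(DISTINCT user_id) >= {STANDARD_MIN_USERS}"
    )
    binds = (params["dimension"], params["start"].isoformat(), params["end"].isoformat())
    return sql, binds


def is_single_select(sql: str) -> bool:
    """Simplified mirror of the template check: one statement, and it is a SELECT."""
    body = sql.strip().rstrip(";")
    return body.upper().startswith("SELECT") and ";" not in body


def run_request(req: QueryRequest, execute, today: Optional[str] = None) -> list:
    """execute(sql, binds) stands in for the clean room; invalid input yields []."""
    params = validate_params(req, today)
    if params is None:
        return []
    sql, binds = render_query(params)
    if not is_single_select(sql):
        return []
    return execute(sql, binds)


if __name__ == "__main__":
    def fake_execute(sql, binds):  # constructed aggregate rows, in place of a real run
        return [{"dim": "west", "users": 142, "spend": 3100.0}]

    today = "2024-06-30"
    good = QueryRequest("region", "2024-01-01", "2024-03-31")
    bad = QueryRequest("region; DROP TABLE shared_orders", "2024-01-01", "2024-03-31")
    print(run_request(good, fake_execute, today))  # constructed aggregate rows
    print(run_request(bad, fake_execute, today))   # [] : not an approved dimension
```

Note that the injection attempt fails at the allowlist, not at IDENTIFIER(); the bind and IDENTIFIER() are the second layer, so a dimension that slipped past validation would still be treated as a name to resolve rather than as SQL text.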
Compliance framework
The compliance framework covers the legal, regulatory, and industry standards that the Data Hub and its partners are required to meet.
Regulatory compliance
- General Data Protection Regulation (GDPR). Right to erasure, data minimization, purpose limitation.
- California Consumer Privacy Act (CCPA). Consumer privacy rights, data disclosure limitations.
- Industry standards. IAB and MRC measurement guidelines.
Audit capabilities
- All query execution is logged.
- Parameters are tracked for compliance verification.
- Results are tracked for audit purposes.
Partner responsibilities
Partner responsibilities are the duties and obligations each party agrees to in order to achieve the shared analytical goals.
Data preparation
- Hash identifiers properly before upload.
- Remove PII from raw datasets.
- Comply with data governance policies.
Result handling
- Use analytical results appropriately.
- Comply with data sharing agreements.
- Store query results securely.