GDPR and Your Data 🇪🇺
Audienceful believes strongly in protecting your data and strives to comply with all privacy-related regulations, including GDPR.
The General Data Protection Regulation (GDPR) is a data privacy law that regulates the use of EU resident personal data, providing individuals rights to exercise control over their data and requiring organizations that process personal data to meet certain obligations.
In accordance with GDPR, we store only the minimum data required to support our platform, far less than most email marketing platforms. We do not store any IP addresses or location data from people signing up to receive or opening emails sent using our platform. We do not use third-party cookies, and we use privacy-focused support and analytics tools whenever possible.
Data Portability & Management
- Import: We provide tools to import your data in a number of ways, including CSV upload, syncing via an outside integration, website signup forms, or manual input.
- Export: Audienceful allows you to easily export your data at any time from the same place you can import your data (the People tab). We do not believe in 'vendor lock-in' as a business strategy, and do not make it difficult to switch to another platform.
- Account deletion: Your account and all data can be deleted at any time. Soon after your account is deleted, our system will also delete any backups, so you can be sure there will be no trace left of your data on our servers.
- Account settings: We provide tools to manage any personal information associated with account and workspace settings, such as name, members, allowed email domains, and more from our workspace settings menu.
- Requests: If you are unwilling or unable to use our tools to manage your account, we respond to all requests related to data deletion in a timely manner.
We utilize numerous technologies to ensure the safety of your data, including SSL, anonymization, and SHA-256 encryption as recommended by the National Institute of Standards and Technology.
None of our support staff or contractors have access to your sensitive email list data. We do this to reduce the risk of phishing or social engineering (the most common attack vector, re: Mailchimp's latest breaches). Since our founding in 2020, we have had zero data breach incidents.
However, no internet-connected service can ever be 100% secure. In the event of a future data breach, in accordance with GDPR we have protocols for promptly notifying any affected parties.
Standard Contractual Clauses (SCCs)
In accordance with the Schrems II ruling, which invalidated the Privacy Shield framework, we rely on the latest Standard Contractual Clauses to ensure appropriate safeguards for personal data transfers from the EU to countries outside of the EU.
Our servers are hosted in the cloud with DigitalOcean in the east coast region. You can view DigitalOcean's SCCs and Data Processing Agreements here (Schedule 3 relates specifically to our use of DigitalOcean as processor).
*2023 update: EU-US Data Privacy Framework
A new EU-US data privacy framework is expected later in 2023. This is predicted to replace the Privacy Shield Framework invalidated by Schrems II and clear up current uncertainties involved with using US-based cloud software. Once this comes into effect, we plan to migrate from SCCs to full certification under the new framework.
In the meantime, before the new EU-US DPF comes into effect, if you have any concerns about the use of SCCs for data transfers, feel free to reach out to firstname.lastname@example.org. In the case of large or enterprise accounts, we have options for data region segmentation.