GDPR - Adding your privacy policy and terms of service

We understand that ConvertFlow plays an integral role in our customers’ GDPR compliance strategy. That is why we're committing to supporting our customers as they work towards being GDPR compliant. 

First, we recommend you read our post on GDPR, where we've put together a plain-English overview of what you need to know, how GDPR affects your business, how you can prepare, and what ConvertFlow is doing to help.

Below, you'll see how ConvertFlow supports the privacy rights of ConvertFlow’s customers and their contacts, and how we're supporting our customers in being GDPR compliant. 

We hope to provide answers to most of your questions about ConvertFlow and GDPR below. However, if you have any further questions, please feel free to reach out to our team at support@convertflow.com.


What is GDPR?

The General Data Protection Regulation (GDPR) is designed to hold organizations (like ConvertFlow and your business) more accountable for keeping personal data secure. It gives data subjects more rights and control over their data by regulating how organizations should handle and store any personal data they collect.

This new legislation applies to all organizations that process personal data (names, email addresses, tracking, etc.) of citizens of the European Union (EU) and European Economic Area (EEA) – regardless of where in the world your business (and data) is based. 


How ConvertFlow helps you with GDPR

While your business is ultimately responsible for its own compliance, ConvertFlow has implemented changes to our product to make it easier for you to be GDPR compliant and plans to add additional functionality to help with processing your Data Subject Requests.

Data Processing Agreement (DPA)

GDPR specifies that any Controller that is subject to GDPR will need to have a signed Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.
If you’re collecting any personal data (name, email address, etc.) from someone located in the EU/EEA, you’re considered a controller. The organization/application that stores that data on your behalf (ConvertFlow, for example) is the processor. 

Customers of ConvertFlow who are considered to be Controllers under the terms of GDPR should sign a DPA with ConvertFlow. 

ConvertFlow will offer a Data Processing Agreement (DPA) for customers processing information on behalf of EU/EEA citizens. If you want to sign a DPA with ConvertFlow, please fill out this form to request a DPA from our team.

Collecting consent

When using forms on your website and landing pages, collecting “active consent” means having the contact give consent by clicking checkboxes to agree to your processing of their personal data.

Inside ConvertFlow's builder, you can easily start gaining consent from leads and subscribers located in the EU/EEA with active-consent checkboxes in your forms. The checkbox displays next to a customizable statement (such as “Accept privacy policy and terms”).

The checkbox can’t be checked by default, so the visitor has to click the checkbox to give “consent” before submitting the form.

To be as transparent as possible, your checkbox should have a link to your privacy policy where you state how you’re processing their personally identifiable data.

In certain cases, you may also want your checkbox to link to your terms of service as well.

If your form isn’t a direct subscription to your marketing, you may need to enable another checkbox to gain consent for ongoing marketing.

In ConvertFlow, you can easily control the messaging and links on all of your website forms’ consent checkboxes by using the site-wide settings.

Store a record of your contact having given consent

By using ConvertFlow’s consent checkboxes, you’ll easily be able to document and send a record of the contact’s consent to any of your custom fields in your integrated email marketing tool and/or CRM.

Just connect your email marketing tool and map ConvertFlow’s “privacy_consent” and “marketing_consent” to the names of your chosen custom fields. ConvertFlow will then send a “true” value into your email tool’s custom field when a contact submits any of your ConvertFlow forms.

If you’re custom coding forms on your website, you’ll need to have your developer connect your checkboxes to your email tool’s API in order to store proof of consent.

Updating consent for your existing contacts on your website

If you have existing contacts in your email service provider, or in ConvertFlow, that you want to gain consent from, here’s an easy way to do so using ConvertFlow.

You can create a simple website popup that targets existing subscribers returning to your website, asks them to consent to your processing of their personal data, stores a record in your consent custom fields, and tags them as “resubscribed” in your CRM.

Visitor Anonymity

ConvertFlow's visitor tracking isn't personally identifiable until it is associated with a form submission or a subscriber. At that point you, as a user of ConvertFlow, should collect the visitor's consent to your processing of their personal data.

In early 2018, we released an update to no longer store IP addresses when tracking anonymous visitors. This makes ConvertFlow's visitor tracking similar to Google Analytics, until the point of capturing personally identifiable contact info through a form.

Data Subject Rights

A major part of GDPR is the rights granted to EU/EEA citizens in regards to their personal data. 

Under GDPR, a user or contact has the right to access their data (in a commonly-used and machine-readable format) and the right to be forgotten (have all of their personal data erased). In the case of ConvertFlow, once a visitor has provided their email address to you via a form, we can show you a timeline of which pages they visited, calls-to-action they've engaged with, as well as the UTM parameters and referral source they are associated with. All of this data is available for export and can also be deleted. 

Within ConvertFlow, you can quickly search for a contact by heading to your website’s “Contacts” page and searching by their email address.

You can export a contact's data to a CSV by clicking the “Export” button. You can also edit their contact information by clicking the “Edit” tab in their profile, as well as delete their contact record by clicking the “Delete” button and confirming.

For more information on your responsibilities as a “data controller”, please visit the official GDPR site – https://gdpr-info.eu/art-24-gdpr/

If you have any questions about serving Data Subject requests, please send us an email at privacy@convertflow.com.

Breach Notification

At ConvertFlow we take the protection of customer and contact data seriously. In the event of a data breach, whether or not it involves personal information, we will contact you by email.

Questions

If you have any questions or inquiries related to data privacy and GDPR, please contact us at privacy@convertflow.com.