GDPR - Adding your privacy policy and terms of service

We understand that ConvertFlow plays an integral role in our customers’ GDPR compliance strategy. That is why we're committing to supporting our customers as they work towards being GDPR compliant. 

First, we recommend you  read our post on GDPR, where we've put together a plain-English overview of what you need to know, how GDPR affects your business, how you can prepare, and what ConvertFlow is doing to help.

Below, you'll see how ConvertFlow supports the privacy rights of ConvertFlow’s customers and their contacts, and how we're supporting our customers in being GDPR compliant. 

We hope to provide answers to most of your questions about ConvertFlow and GDPR below. However, if you have any further questions, please feel free to reach out to our team –

What is GDPR?

General Data Protection Regulation (GDPR) is designed to hold organizations (like ConvertFlow & your business) more accountable for keeping personal data secure and gives data subjects more rights and control over their data by regulating how organizations should handle and store any personal data they collect. 

This new legislation applies to all organizations that process personal data (names, email addresses, tracking, etc.) of citizens of the European Union (EU) and European Economic Area (EEA) – regardless of where in the world your business (and data) is based. 

How ConvertFlow helps you with GDPR

While your business is ultimately responsible for its own compliance, ConvertFlow has implemented changes to our product to make it easier for you to be GDPR compliant and plans to add additional functionality to help with processing your Data Subject Requests.

Data Processing Agreement (DPA)

GDPR specifies that any Controller that is subject to GDPR will need to have a signed Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.
If you’re collecting any personal data (name, email address, etc.) from someone located in the EU/EEA, you’re considered a controller. The organization/application that stores that data on your behalf (ConvertFlow, for example) is the processor. 

Customers of ConvertFlow who are considered to be Controllers under the terms of GDPR should sign a DPA with ConvertFlow. 

ConvertFlow will offer a Data Processing Agreement (DPA) for customers processing information on behalf of EU/EEA citizens. If you want to sign a DPA with ConvertFlow, please click here to request a DPA from our team.

Collecting consent

When using forms on your website and landing pages, collecting “active consent” means having the contact give consent by clicking checkboxes to agree to your processing of their personal data.

Inside ConvertFlow's builder, you can easily start gaining consent from leads and subscribers located in the EU/EEA with active-consent checkboxes in your forms. The checkbox displays next to a customizable statement (such as “Accept privacy policy and terms”).

The checkbox can’t be checked by default, so the visitor has to click the checkbox to give “consent” before submitting the form.

To be as transparent as possible, your checkbox should have a link to your privacy policy where you state how you’re processing their personally identifiable data.

In certain cases, you may also want your checkbox to link to your terms of service as well.

If your form isn’t a direct subscription to your marketing, you may need to enable another checkbox to gain consent for ongoing marketing.

In ConvertFlow, controlling the messaging and links on all your website form’s consent checkboxes is easy by using the site-wide settings.

Store a record of your contact having given consent

By using ConvertFlow’s consent checkboxes, you’ll easily be able to document and send a record of the contact’s consent to any of your custom fields in your integrated email marketing tool and/or CRM.

Just connect your email marketing tool, map ConvertFlow’s   “privacy_consent” and “marketing_consent” to your chosen custom field’s name into and it will send a “true” value into your email tool’s custom field when a contact submits any of your ConvertFlow forms.

If you’re custom coding forms on your website, you’ll need to have your developer connect your checkboxes to your email tool’s API in order to store proof of consent.

Updating consent for your existing contacts on your website

If you have existing contacts in your email service provider, or in ConvertFlow, that you want to gain consent from, here’s an easy way to do so using ConvertFlow.

You can create a simple website popup that targets existing subscribers returning to your website, which asks them to give consent of your processing their personal, stores record of your consent custom fields, and tags them as “resubscribed” in your CRM.

Controlling visitor anonymity and GDPR compliance settings

ConvertFlow's visitor tracking isn't personally identifiable until associated with a form submission or a subscriber, upon which a user of ConvertFlow should collect consent from the visitor to your processing of their personal data. 

In early 2018, we released an update to no longer store IP addresses when tracking anonymous visitors. ConvertFlow only uses the IP address for geolocation, without storing the IP address in the tracking record. 

However, there are important settings to consider in your configuration:

  • Using ConvertFlow with IP address geolocation, which is used for geolocation targeting and pre-filling form fields, can effect your GDPR compliance in certain cases where low population postal code could be considered personally identified info. Here's how to disable IP address geolocation if needed.
  • ConvertFlow can automatically identify contacts on your website when they submit any email field on your website, including custom HTML forms on your website that are not built in ConvertFlow. Also, URL parameters such "email" containing a subscribers email address will be used to automatically identify the contact. These automatic identification methods can be optionally disabled from your website's settings.
  • If you want to disable processing of personally identifiable contact data entirely, in your website settings you'll find the option to disable processing of contact P.I.I. Use this setting with caution, as it disables all server-side contact integrations. Read more →
  • Regulators have stressed that using Google Fonts may not be GDPR compliant when using Google's public APIs. ConvertFlow has the option to disable Google Font auto loading from their public APIs, so you can either self-host your Google Fonts or load them from a GDPR compliant font loader. Read more →

Data Subject Rights

A major part of GDPR is the rights granted to EU/EEA citizens in regards to their personal data. 

Under GDPR, a user or contact has the right to access their data (in a commonly-used and machine-readable format) and the right to be forgotten (have all of their personal data erased). In the case of ConvertFlow, once a visitor has provided their email address to you via a form, we can show you a timeline of which pages they visited, calls-to-action they've engaged with, as well as the UTM parameters and referral source they are associated with. All of this data is available for export and can also be deleted. 

Within ConvertFlow, you can quickly search for a contact by heading to your website’s “Contacts” page and searching by their email address.

You can export a contact's data to a CSV by clicking the “Export” button. You can also edit their contact information by clicking the “Edit” tab in their profile, as well as delete their contact record by clicking the “Delete” button and confirming.

For more information on your responsibilities as a “data controller”, please visit the official GDPR site –

If you have any questions about serving Data Subject requests, please send us an email at

Breach Notification

At ConvertFlow we take the protection of customer and contact data seriously. In the event of a data breach occurring, involving personal information (and ones that do not), we will contact you by email.

Privacy Shield

While ConvertFlow's technology infrastructure is powered by privacy shield certified cloud providers, such as Amazon Web Services and CloudFlare, ConvertFlow itself is not privacy shield certified and relies on SCC. This means for GDPR compliance, businesses in the EU will need to sign a DPA with ConvertFlow.


If you have any questions or inquiries related to data privacy and GDPR, please contact us at