ActiveConversion is fully compliant with the General Data Protection Regulation (GDPR). This document outlines our compliance measures and your rights under GDPR.
Data Protection by Design
Privacy and data protection built into every aspect of our service from the ground up
Certified Compliance
Regular audits and assessments ensure ongoing GDPR compliance
Our Role and Responsibilities
As a Data Processor
When you use ActiveConversion to send emails, we act as a Data Processor. You remain the Data Controller for your customers' data. We process data only according to your instructions and our Data Processing Agreement (DPA).
As a Data Controller
For your account information and our direct relationship with you, we act as a Data Controller and ensure full GDPR compliance in how we handle your data.
Legal Basis for Processing
We process personal data based on:
Contract Performance: To provide our email services as agreed
Legitimate Interests: For service improvement and fraud prevention
Legal Obligations: To comply with applicable laws and regulations
Consent: Where explicitly provided for specific purposes
Your Rights Under GDPR
Individual Rights
1. Right to Access: Request a copy of the personal data we process about you
2. Right to Rectification: Request correction of inaccurate or incomplete data
3. Right to Erasure: Request deletion of your data ("right to be forgotten")
4. Right to Restriction: Request that processing of your data be limited
5. Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
6. Right to Object: Object to processing based on legitimate interests, and to processing for direct marketing purposes at any time
7. Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects for you
Technical and Organizational Measures
Technical Measures
• End-to-end encryption
• Access logging and monitoring
• Regular security updates
• Vulnerability scanning
• Secure development practices
Organizational Measures
• Employee training programs
• Confidentiality agreements
• Access control policies
• Incident response procedures
• Regular compliance audits
Data Processing Agreement (DPA)
All customers are covered by our standard Data Processing Agreement, which includes:
Clear definitions of data processing scope and purposes
Our obligations as a data processor
Security measures and breach notification procedures
Sub-processor management and approval
Data retention and deletion policies
Audit rights and compliance verification
Standard Contractual Clauses for international transfers
International Data Transfers
Important: We ensure all international data transfers comply with GDPR requirements through appropriate safeguards.
Standard Contractual Clauses (SCCs) for transfers outside the EEA
Adequacy decisions where applicable
Supplementary security measures where a transfer is assessed as high-risk
Transfer impact assessments, reviewed regularly
Data Breach Response
If a personal data breach occurs, we follow strict procedures:
Immediate containment and investigation
Assessment of the risk to individuals' rights and freedoms
Where we act as processor, notification to the affected customer (the controller) without undue delay after becoming aware of the breach
Where we act as controller, notification to the competent supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals
Direct notification to affected individuals when the breach is likely to result in a high risk to them
Documentation of the breach, its effects and the remediation measures taken
Implementation of measures to prevent recurrence
Privacy by Design Principles
Data Minimization: We only collect and process data necessary for the specified purpose
Purpose Limitation: Data is only used for the stated purposes at collection
Transparency: Clear information about data processing in our privacy policy
Sub-Processors
We carefully select sub-processors who meet our security and privacy standards. Current sub-processors include:
Cloud infrastructure providers for hosting
Content delivery networks for performance
Analytics services for service improvement
Payment processors for billing
All sub-processors are bound by data processing agreements and must maintain GDPR compliance.
Exercising Your Rights
To exercise any of your GDPR rights, please contact our Data Protection Officer:
Data Protection Officer
ActiveConversion LLC
30 N Gould St, Suite 100
Sheridan, WY 82801
United States
We will respond to your request without undue delay and in any event within one month of receipt. Where a request is complex or we receive several from you, this period may be extended by up to two further months; if so, we will tell you within the first month and explain why. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act on it.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state where you live, where you work, or where the alleged infringement took place, if you believe we have not adequately addressed your concerns. Contact details for EU supervisory authorities can be found on the European Data Protection Board website.