We're a data company at our core, so this obviously impacts ProfitWell and our users (even the free ones), including those who are based in the United States who have EU customers/users themselves.
What follows is a commentary/FAQ on what we've done to be GDPR compliant, as well as information on where you can get more information. If you're fully initiated and just looking for a DPA (Data Protection Addendum), you can sign our comprehensive one here or email GDPR@profitwell.com.
For the rest of you, let's jump in.
There have been countless articles written on what GDPR is, but overall GDPR is a big update in data regulations in the EU that adds some new requirements regarding how companies should protect individuals' data that they process. GDPR also increases the penalties for non-compliance by imposing greater fines for breaches.
There are 99 articles in the regulation setting out the rights of individuals and obligations placed on organizations covered by the regulation. I'd encourage you to consult your own lawyer (we've spoken to plenty to get this right), but essentially GDPR raises the stakes on the use, ownership, and protection of personal data.
Personal data can be anything that allows an individual to be directly or indirectly identified (name, address, IP address, etc) and can also encompass pseudonymized data if you can back into identifying someone. GDPR wraps this concept up to giving people the "right to be forgotten."
GDPR also requires much more transparency for businesses to make it clear on how you're using personal data. All of these obligations are required for any company with any connection to EU citizens, which means that US companies need to comply, as well (unless they've made the decision of not allowing EU citizens to use their products).
While regulation always costs money and time, especially when the regulation is a bit ambiguous (as some articles of GDPR are), the spirit of this regulation feels proper. You should always know where your data stands with a company and have the right to have your data deleted or "forgotten".
Cool - so how does this impact ProfitWell?
Well for one, since we're a controller and processor of identifiable information (names and email addresses), we need to make some product updates and some contractual updates.
We also put together a Data Protection Addendum for our customers that operate in the EU, which offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients. You can sign our comprehensive DPA here on your own, but if you have any questions, email GDPR@profitwell.com.
Now for the fun part - product. Given what we do at ProfitWell (subscription analytics, finances, etc.), maintaining our top product priority of 100% accuracy and complying with a "right to be forgotten" may appear to be mutually exclusive.
For instance, when you're looking at your revenue for tax purposes, you can't leave that revenue out of your reports, even if a user requested to be deleted. You also still need to follow GAAP for revenue recognition.
So what's an analytics product like ours to do?
Well, we spoke to lawyers, privacy professionals, tax lawyers, security professionals, more lawyers, accountants and, did we mention lawyers? We found that GDPR centers on the identification of a user and tying that particular user to a product or app. We also found that GDPR can't usurp tax or finance laws, so the answer fortunately started to show itself as we dug in.
From a product perspective, we've now given the ability to anonymize a user through the Customer section, which allows you to maintain their data in your numbers for consistency and legal/regulatory purposes, but evaporates their identification from our databases. We've also added the ability to completely delete a user and their history from our databases (including all of their financial history).
There are plenty of other pieces we've done on the backend for compliance, but this is the crux of what's needed to go above and beyond the GDPR call, while also making sure it's easy not to break other laws around financial and tax reporting.
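To make the anonymize-versus-delete distinction concrete, here is an added example (my own illustration, not ProfitWell's code; the `Customer`, `CustomerStore` and the sample customers are constructed for it). Anonymizing strips the name, email and billing id but keeps the charge history, so monthly revenue totals are unchanged; deleting removes the charges as well. The replacement key is a random token rather than a hash of the email, since a hash of a guessable value can be backed into and so still counts as personal data.

```python
"""Added example (not ProfitWell's code): anonymize vs. delete a customer
record so revenue history stays intact while identification is removed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Customer:
    customer_id: str                   # id from the billing system (identifying)
    name: Optional[str]
    email: Optional[str]
    charges: List[Tuple[str, int]] = field(default_factory=list)  # (month, cents)
    anonymized: bool = False


class CustomerStore:
    """In-memory stand-in for a customer table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Customer] = {}

    def add(self, customer: Customer) -> None:
        self._rows[customer.customer_id] = customer

    def get(self, customer_id: str) -> Optional[Customer]:
        return self._rows.get(customer_id)

    def anonymize(self, customer_id: str) -> str:
        """Strip every identifier but keep the financial history.

        The new key is a random token, not a hash of the email: a hash of a
        guessable value can be reversed by guessing, which GDPR still treats
        as personal data. Returns the new opaque key."""
        row = self._rows.pop(customer_id)
        token = "anon_" + secrets.token_hex(8)
        self._rows[token] = Customer(
            customer_id=token, name=None, email=None,
            charges=list(row.charges), anonymized=True,
        )
        return token

    def delete(self, customer_id: str) -> None:
        """Full erasure: the customer and all of their charges disappear."""
        del self._rows[customer_id]

    def revenue_by_month(self) -> Dict[str, int]:
        """Aggregate charges per month across every remaining row."""
        totals: Dict[str, int] = {}
        for row in self._rows.values():
            for month, cents in row.charges:
                totals[month] = totals.get(month, 0) + cents
        return totals

    def contains_identifier(self, needle: str) -> bool:
        """Check that nothing identifying survives anonymization."""
        for row in self._rows.values():
            if needle in (row.customer_id, row.name, row.email):
                return True
        return False


def demo() -> Dict[str, int]:
    """Constructed sample data; returns revenue after anonymizing one customer."""
    store = CustomerStore()
    store.add(Customer("cus_001", "Ada Example", "ada@example.com",
                       [("2018-04", 4900), ("2018-05", 4900)]))
    store.add(Customer("cus_002", "Bob Example", "bob@example.com",
                       [("2018-05", 9900)]))
    store.anonymize("cus_001")          # totals must not move
    return store.revenue_by_month()


if __name__ == "__main__":
    print(demo())  # {'2018-04': 4900, '2018-05': 14800}
```

The `contains_identifier` check is the kind of assertion worth running after an anonymization job: the billing id, name and email of the anonymized customer should no longer appear anywhere in the table, while the monthly totals before and after the job must match exactly.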
Great. Tell me a bit more about Privacy though
To be crystal clear - ProfitWell does not and will not ever sell your data to third parties. Your data is your data. Further, your data is rarely accessed: the only reasons we'd ever look at your data are if there's a QA or security issue, or if you give us permission for the purposes of analysis and helping you with identifying problems/opportunities in your business.
On the GDPR front, there are some provisions on international data transfer mechanisms. To comply with these we certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross border transfer of personal data under the Directive.
Where's your DPA?
Talked about this above, but we put together a Data Protection Addendum for our customers that operate in the EU, which offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients. You can sign our comprehensive DPA here on your own, but if you have any questions, email GDPR@profitwell.com.
Don't your data centers need to be in the EU now?
Nope. GDPR does not require that our data centers be in the EU. GDPR allows a company to transfer data outside of the EU as long as practices are put in place to make sure that personal data is properly protected. We've certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to satisfy this requirement and also offer up our DPA.
That being said, we're more than happy to oblige storing your data in the EU if you have higher bar data requirements. We've been operating in the EU helping companies and government entities for quite some time now, so we're flexible.
What if I have a Data Subject Right (DSR) request to delete or update data?
If it's for one of your customers/users within ProfitWell, then you can update their information right in the Customer tab (as discussed above). Any other requests to correct, access, or delete information will be handled by emailing firstname.lastname@example.org. We'll respond to these requests within 14 days (likely much sooner, as our average time to respond is 15 minutes), which is well within the 30 days required by GDPR.
Who do I contact with questions, comments, concerns, or suggestions?
If you need anything, email GDPR@profitwell.com, which goes to our security, privacy, and EU team.