As you probably already know from the flood of messages in your email inbox, the General Data Protection Regulation (GDPR) comes into effect on 25th May and is designed to protect the data of all users located in the EU.
As an analytics company, ChartMogul is already dedicated to the protection and responsible use of data as a core competency.
Our customers put ChartMogul at the center of their decision-making processes and trust us to handle their data with utmost care. We only collect personal data where absolutely necessary for the function of our business, and are committed to your right to privacy in every aspect of how we handle it.
ChartMogul does not (and will never) sell your data to a third party. You pay us to deliver a service and we’re not in the business of monetizing you or your data through other methods.
The data stored in your ChartMogul account is only ever accessed, with your permission, when we need to solve a technical issue or support your use of the product. We may also require access to investigate suspected abuse on your account.
Is ChartMogul GDPR compliant?
Yes, ChartMogul is fully compliant with GDPR. Our existing internal standards for handling personal data mean that we already met many aspects of the data privacy rules, but we’ve also gone through an extensive external auditing process to ensure that we handle our customers’ data correctly in light of the forthcoming regulation.
What steps have you taken to ensure the correct handling of personal data?
✅ Full data audit
We’ve worked with trusted third parties to complete a full audit of how personal data is collected and used at ChartMogul. This includes adjustments to processes where personal data collection is not essential to our business function.
✅ Privacy policy updates
We’ve rolled out an updated privacy policy which includes clear, explicit explanations of how and why personal data is collected.
✅ Data Protection Agreement
We have created a legal agreement that ChartMogul customers and other third parties can request from us, which promises the correct use of any personally identifiable information that’s stored.
✅ Documenting and listing sub-processors
We’ve compiled a list of all sub-processors currently in use at ChartMogul that we share personally identifiable data with, and have a mechanism for people to keep up to date with changes to that list.
✅ Employee data privacy training
To establish a common baseline of knowledge across the company, we enrolled every permanent employee of ChartMogul in a program of data privacy and GDPR training.
I’m a ChartMogul customer. Do my users need to consent to using ChartMogul?
The GDPR states that processing of data without explicit consent is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (Article 6, paragraph 1 (f)*). There’s a legitimate business interest for you to measure and understand your revenue.
You should also read our data processing agreement, which is incorporated into our Terms of Service, and if you require a signed copy, execute that here.
*(Note that this article also states an exception to the above, in cases where the data subject is a child — this does not apply unless for some reason a child’s data was entered into ChartMogul).
Does the GDPR affect how I use ChartMogul?
No. The functionality of ChartMogul remains exactly the same.
Does ChartMogul have a data processing agreement (DPA)?
Yes! Users and third parties can sign our DPA, which guarantees the protection of personally identifiable information that we collect and process.
This should be read, signed and submitted to our team. Questions can be directed to support@chartmogul.com.
What subcontractors does ChartMogul use?
Like most modern SaaS businesses, we use a number of technologies and services to build and operate our product efficiently.
You can find a full list of the subcontractors we use here: ChartMogul Subcontractors.
You can also register to be notified of any updates to this list.
What is a “data processor” and “data controller”?
These are the two most commonly used terms in the wording of the GDPR. Much of the regulation revolves around the relationship between these two entities.
Data Controller:
Here’s the formal definition of a data controller:
“…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”
In other words, if your company is the principal entity determining the purpose of collecting and working with such data, that makes it a data controller.
Data Processor:
“…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In the context of a SaaS business, a common example of a data processor would be a service used by your team to automate onboarding email campaigns sent to customers. The email automation platform handles (processes) the personal data of your customers, on behalf of your business (the data controller).
One of the key changes brought by the GDPR is the introduction of direct obligations for data processors. In addition to this, data controllers should only choose processors that are GDPR-compliant.
As data controllers, businesses need to have an appropriate contract in place — usually referred to as a data processing agreement (DPA) — with any processor they share data with.
If you use ChartMogul as a data processor for your business, you may need to sign a DPA with us.
Have further questions?
You can always reach out to our team at support@chartmogul.com, who will be happy to answer any further questions on GDPR compliance or data privacy.