Last updated: May 23rd, 2018.
The team at CrankWheel takes our users’ trust in us extremely seriously. We know that your data is important to you, therefore we keep it safe and private.
We also recognize that we store and process data on our customers’ behalf, pertaining to their customers and prospects. We take our responsibility very seriously to keep this data safe, and to provide our customers with the required facilities to manage this data.
The EU’s General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018, and replaces an older piece of European legislation. CrankWheel’s services are compliant with the GDPR.
GDPR is intended to strengthen privacy for individuals in the EU, and to extend the applicability of EU data privacy to non-EU companies who work with data on EU residents. It applies to all organizations operating in the EU, as well as to non-EU organizations that process “personal identifiable data” of EU residents.
Nothing in this document is intended to be legal advice, and should not be used as a substitute for legal assistance. Data controllers have final responsibility for understanding and complying with the GDPR.
Here are loose definitions of some commonly used terms in the text below. For precise definitions, please see the full text of the GDPR.
As is the case with many online service providers, CrankWheel acts both as a data controller and as a data processor. We act as a data controller for our registered users’ account information, and as a data processor when it comes to information gathered through Instant Demos or through our audit logging functionality (enabled only for enterprise customers under contract).
CrankWheel certifies that according to its internal audits, it is compliant with the GDPR. Further, in case any issues of non-compliance are pointed out to us, our policy is to tackle such issues in our product and executive teams at the absolute highest priority.
Our team has made necessary product and production system changes, reviewed our sub-processors to ensure they are compliant or will be compliant before the deadline (and removed a several sub-processors that we do not trust will be compliant), reviewed all personal data we store and process, documented internal processes around each type of data as well as examined the justification for storing and using the data as described by the GDPR (typically, the justification is based on your consent), and a project was completed to terminate all use of data that did not comply with the GDPR.
Our team is ready to advise our customers on how to ensure they are also GDPR compliant when they use CrankWheel as a sub-processor, and customers may contact us by emailing [email protected] to request assistance.
As a data subject (i.e., an individual whose personal identifiable data may be being processed), you have several rights under the GDPR, including the right to access your data, the right to be forgotten (erased), the right to make corrections, and more.
To exercise any of these rights, for the time being please email [email protected] and state which right you would like to exercise, and we will respond with a confirmation and with the data being requested (if applicable) within the deadlines stipulated by the GDPR. Over time, we may create automated tools to help you exercise certain rights, such as the right to data portability, but these are not ready at the moment, and are significantly complex to create due to reliance on sub-processors to store some pieces of personal identifiable data.
In reference to your rights that modify or remove personal data stored by CrankWheel, please note that we maintain backups for a period of 11 days, and reserve the right to maintain backups up to a period of 30 days. Therefore, personal data as it existed before correction or removal will remain in the form of backups for up to this duration after your requested changes are made.
We are tracking the status of all of our sub-processors that may potentially deal with subject personal identifiable data of data subjects, to ensure any sub-processor we use is compliant by the May 25th, 2018 deadline, and that we have Data Processing Agreements (DPAs) in place with sub-processors as required. Below is the status on our sub-processors categorized by whether they are used in our product or on our marketing website, or outside of both:
We encourage our customers to prepare for the GDPR. A first step is to review privacy and data handling policies. Those who are data controllers have primary responsibility for making sure that personal data processing is compliant with EU data protection law. Here are a few key points to consider, but as with everything in this document, please refer to your own lawyers and experts for advice:
Rights of End-Users: The GDPR establishes enhanced rights for end-users that you need to accommodate. As a sub-processor, CrankWheel can help you accommodate those rights. See the section “Exercising Your Rights” above, as the procedures for data controllers accommodating their end-users’ rights are identical to those for end-users whose data controller is CrankWheel, although with an added authentication required to identify the data controller as a customer of CrankWheel that is a data controller for the relevant end-user’s data. In a nutshell, contact us at [email protected] and we will assist you.
Data Breach Notifications: Any data controller must have clear processes in place to comply with GDPR requirements to report data breaches within the set time frames. CrankWheel will notify affected customers without undue delay if we become aware of a data breach of our services. To receive such notifications, as well as notifications of system updates, scheduled maintenance and more, email [email protected] and ask to be added to the service announcements list.
Assign a DPO: It is possible that you may need to assign a Data Protection Officer (“DPO”); as with everything on this page, please verify what you need to do with your own lawyers and experts.
Geography: The GDPR will apply to any customer of ours that is located in the EU or EEA, and also to any customers outside the EU/EEA that are processing personal data of EU or EEA citizens.
Data Processing Agreement: If personal data is transferred outside the EU and EEA, data controllers may need a DPA with their sub-processors to ensure adequate protections for the transferred data. In certain edge cases, CrankWheel may, through one or more of its sub-processors, store personal data outside of the EU and EEA, although never without a DPA or equivalent terms with that subprocessor, as documented above. Should you require a DPA with CrankWheel, we are happy to accommodate, simply email us at [email protected].