Data Protection Statement
Last updated: September 8th, 2025
Overview
The team at CrankWheel takes our users’ trust in us extremely seriously. We know that your data is important to you, therefore we keep it safe and private.
We also recognize that we store and process data on our customers’ behalf, pertaining to their customers and prospects. We take our responsibility very seriously to keep this data safe, and to provide our customers with the required facilities to manage this data.
The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018, and replaced an older piece of European legislation. CrankWheel’s services are compliant with the GDPR.
GDPR is intended to strengthen privacy for individuals in the EU, and to extend the applicability of EU data privacy to non-EU companies who work with data on EU residents. It applies to all organizations operating in the EU, as well as to non-EU organizations that process “personal identifiable data” of EU residents.
In the wake of GDPR, other similar legislation has been passed around the world, notably the CCPA for California residents, and the Data Protection Act 2018 for UK residents. While CrankWheel’s focus has been on GDPR compliance, the practices we adopted to become GDPR compliant also allowed us to achieve compliance with CCPA and DPA 2018.
Our solution is available for use by organizations that need to comply with HIPAA and we can sign a BAA agreement with parties that require it. Independent agents/brokers can sign a BAA agreement directly on their user options page.
As of August 26th 2025, CrankWheel and its product have also achieved SOC 2 Type II and ISO 27001:2022 certifications as verified by independent auditors.
Nothing in this document is intended to be legal advice, and should not be used as a substitute for legal assistance. Data controllers have final responsibility for understanding and complying with the GDPR and other regulations.
Definitions
Here are loose definitions of some commonly used terms in the text below. For precise definitions, please see the full text of the GDPR.
- Subject: A natural person, i.e. an individual.
- Data Controller: The entity that collects and processes data on subjects.
- Data Processor: An entity that processes data on behalf of a data controller.
- CrankWheel Sub-Processors (or simply sub-processors): Third party systems that are Data Processors in the sense of the GDPR, to which CrankWheel transmits personal identifiable data.
- Personal Data: Data that can be used to directly or indirectly identify a data subject (e.g. a name, ID number, online identifier or location data). Also, inter alia, data relating to various aspects of the identity of that person such as physical, economic, cultural, etc.
- Sensitive Personal Data: Personal data that reveals racial or ethnic origin, political opinions, religious/philosophical beliefs, or trade-union membership. Genetic data or biometric data also fall into this category and so do health data and data on sex life and sexual orientation.
CrankWheel’s Roles and Preparedness
As is the case with many online service providers, CrankWheel acts both as a data controller and as a data processor. We act as a data controller for our registered users’ account information, and as a data processor when it comes to information gathered through Instant Demos or through our audit logging functionality (enabled only for enterprise customers under contract).
CrankWheel certifies that according to its internal audits, it is compliant with the GDPR, the CCPA and the DPA 2018. Further, in case any issues of non-compliance are pointed out to us, our policy is to tackle such issues in our product and executive teams at the absolute highest priority.
Our team made the necessary product and production system changes, reviewed our sub-processors to ensure they are compliant and signed data processing agreements with them, reviewed all personal data we store and process, documented internal processes around each type of data, examined the justification for storing and using the data as described by the GDPR (typically, the justification is based on your consent), and completed a project to terminate all use of data that did not comply with the GDPR.
Our team is ready to advise our customers on how to ensure they are also GDPR compliant when they use CrankWheel as a sub-processor, and customers may contact us by emailing support@crankwheel.com to request assistance.
Exercising Your Rights
As a data subject (i.e., an individual whose personal identifiable data may be being processed), you have several rights under the GDPR, including the right to access your data, the right to be forgotten (erased), the right to make corrections, and more.
To exercise any of these rights, for the time being please email support@crankwheel.com and state which right you would like to exercise, and we will respond with a confirmation and with the data being requested (if applicable) within the deadlines stipulated by the GDPR. Over time, we may create automated tools to help you exercise certain rights, such as the right to data portability, but these are not ready at the moment, and are significantly complex to create due to reliance on sub-processors to store some pieces of personal identifiable data.
In reference to your rights that modify or remove personal data stored by CrankWheel, please note that we maintain backups for a period of 11 days, and reserve the right to maintain backups up to a period of 30 days. Therefore, personal data as it existed before correction or removal will remain in the form of backups for up to this duration after your requested changes are made.
CrankWheel’s Sub-Processors
Our sub-processors are listed in our Trust Center.
What Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Consider
We encourage our customers to be fully compliant with the GDPR, in letter and in spirit. A first step is to review privacy and data handling policies. Those who are data controllers have primary responsibility for making sure that personal data processing is compliant with EU data protection law. Here are a few key points to consider, but as with everything in this document, please refer to your own lawyers and experts for advice:
- Rights of End-Users: The GDPR establishes enhanced rights for end-users that you need to accommodate. As a sub-processor, CrankWheel can help you accommodate those rights. See the section “Exercising Your Rights” above, as the procedures for data controllers accommodating their end-users’ rights are identical to those for end-users whose data controller is CrankWheel, although with an added authentication required to identify the data controller as a customer of CrankWheel that is a data controller for the relevant end-user’s data. In a nutshell, contact us at support@crankwheel.com and we will assist you.
- Data Breach Notifications: Any data controller must have clear processes in place to comply with GDPR requirements to report data breaches within the set time frames. CrankWheel will notify affected customers without undue delay if we become aware of a data breach of our services. To receive such notifications, as well as notifications of system updates, scheduled maintenance and more, email support@crankwheel.com and ask to be added to the service announcements list.
- Assign a DPO: It is possible that you may need to assign a Data Protection Officer (“DPO”); as with everything on this page, please verify what you need to do with your own lawyers and experts.
- Geography: The GDPR applies to any customer of ours that is located in the EU or EEA, and also to any customers outside the EU/EEA that are processing personal data of EU or EEA citizens.
- Data Processing Agreement: If personal data is transferred outside the EU and EEA, data controllers must ensure that appropriate safeguard measures have been implemented. In certain edge cases, CrankWheel may, through one or more of its sub-processors, store personal data outside of the EU and EEA. In such rare instances CrankWheel has ensured that appropriate safeguard measures have been implemented, or, alternatively, offers you the option of disabling use of the services that may transfer data outside of the EU and EEA. Your acceptance of the Terms of Service of CrankWheel incorporates acceptance of our Data Processing Addendum if you are a customer in the EU or EEA or subject to the laws of either. Should you have questions about your DPA with CrankWheel, we are happy to respond; simply email us at support@crankwheel.com.
- Use explicit opt-in in Instant Demos: If you use our Instant Demos functionality to collect data from EU residents, California residents, United Kingdom residents, or any other territory where explicit consent is required, you should enable the explicit opt-in option that you will find on the Instant Demos configuration page. This will cause end-users to be shown an explicit opt-in before they submit any data via an Instant Demos form.
Data Protection Officer (DPO) Contact Details
For questions related to data protection or your rights under GDPR, you can contact our Data Protection Officer at:
Name: Jóhann Tómas “Jói” Sigurðsson
Email: dpo@crankwheel.com
Postal address: 131 Continental Dr Suite 305, Newark, DE, 19713 US
In Summary
We take privacy and data protection very seriously. Should you have any questions about our policies when it comes to data protection and privacy not addressed here or in our privacy policy, we will be happy to answer them as quickly as possible if you email us at support@crankwheel.com.