Data Protection Statement
Last updated: October 18th, 2024
Overview
The team at CrankWheel takes our users’ trust in us extremely seriously. We know that your data is important to you, therefore we keep it safe and private.
We also recognize that we store and process data on our customers’ behalf, pertaining to their customers and prospects. We take our responsibility very seriously to keep this data safe, and to provide our customers with the required facilities to manage this data.
The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018, and replaced an older piece of European legislation. CrankWheel’s services are compliant with the GDPR.
GDPR is intended to strengthen privacy for individuals in the EU, and to extend the applicability of EU data privacy to non-EU companies who work with data on EU residents. It applies to all organizations operating in the EU, as well as to non-EU organizations that process “personal identifiable data” of EU residents.
In the wake of GDPR, other similar legislation has been passed around the world, notably the CCPA for California residents, and the Data Protection Act 2018 for UK residents. While CrankWheel’s focus has been on GDPR compliance, the practices we adopted to become GDPR compliant also allowed us to achieve compliance with CCPA and DPA 2018.
Our solution is available for use by organizations that need to comply with HIPAA and we can sign a BAA agreement with parties that require it. Independent agents/brokers can sign a BAA agreement directly on their user options page.
Finally, it is worth mentioning that as of October 17th 2024, we are in the middle of a process to achieve audited SOC 2 Type 2 compliance, audited ISO 27001 compliance, and to update our GDPR/CCPA/DPA2018 and HIPAA compatibility and create a security portal that any customer can access and review, detailing our security practices and how we remain compliant. This project is expected to take several months but in the meantime, enterprise customers that require it may request an SOC 2 Bridge Letter by emailing our sales team.
Nothing in this document is intended to be legal advice, and should not be used as a substitute for legal assistance. Data controllers have final responsibility for understanding and complying with the GDPR and other regulations.
Definitions
Here are loose definitions of some commonly used terms in the text below. For precise definitions, please see the full text of the GDPR.
- Subject: A natural person, i.e. an individual.
- Data Controller: The entity that collects and processes data on subjects
- Data Processor: An entity that processes data on behalf of a data controller
- CrankWheel Sub-Processors (or simply sub-processors): Third party systems that are Data Processors in the sense of the GDPR, to which CrankWheel transmits personal identifiable data
- Personal Data: Data that can be used to directly or indirectly identify a data subject, e.g. a name, ID number, online identifier or location data). Also, inter alia, data relating to various aspects of the identity of that person such as physical, economic, cultural, etc.
- Sensitive Personal Data: Personal data that reveals racial or ethnic origin, political opinions, religious/philosophical beliefs, or trade-union membership. Genetic data or biometric data also fall into this category and so do health data and data on sex life and sexual orientation.
CrankWheel’s Roles and Preparedness
As is the case with many online service providers, CrankWheel acts both as a data controller and as a data processor. We act as a data controller for our registered users’ account information, and as a data processor when it comes to information gathered through Instant Demos or through our audit logging functionality (enabled only for enterprise customers under contract).
CrankWheel certifies that according to its internal audits, it is compliant with the GDPR, the CCPA and the DPA 2018. Further, in case any issues of non-compliance are pointed out to us, our policy is to tackle such issues in our product and executive teams at the absolute highest priority.
Our team made necessary product and production system changes, reviewed our sub-processors to ensure they are compliant and signed data processing agreements with them, reviewed all personal data we store and process, documented internal processes around each type of data as well as examined the justification for storing and using the data as described by the GDPR (typically, the justification is based on your consent), and a project was completed to terminate all use of data that did not comply with the GDPR.
Our team is ready to advise our customers on how to ensure they are also GDPR compliant when they use CrankWheel as a sub-processor, and customers may contact us by emailing support@crankwheel.com to request assistance.
Exercising Your Rights
As a data subject (i.e., an individual whose personal identifiable data may be being processed), you have several rights under the GDPR, including the right to access your data, the right to be forgotten (erased), the right to make corrections, and more.
To exercise any of these rights, for the time being please email support@crankwheel.com and state which right you would like to exercise, and we will respond with a confirmation and with the data being requested (if applicable) within the deadlines stipulated by the GDPR. Over time, we may create automated tools to help you exercise certain rights, such as the right to data portability, but these are not ready at the moment, and are significantly complex to create due to reliance on sub-processors to store some pieces of personal identifiable data.
In reference to your rights that modify or remove personal data stored by CrankWheel, please note that we maintain backups for a period of 11 days, and reserve the right to maintain backups up to a period of 30 days. Therefore, personal data as it existed before correction or removal will remain in the form of backups for up to this duration after your requested changes are made.
CrankWheel’s Sub-Processors
We track all of our sub-processors that may potentially deal with personally identifiable data of data subjects, to ensure any sub-processor we use is compliant, and that we have Data Processing Agreements (DPAs) in place with sub-processors as required. Below is the status on our sub-processors categorized by whether they are used in our product or on our marketing website, or outside of both.
If you would like to be notified of updates to our list of subprocessors, please email support@crankwheel.com and ask to have your email address added to our service announcements mailing list.
Product Sub-Processors
- Amazon Web Services: We use these folks for hosting our communication servers around the world, our databases are run at a couple of their facilities in Ireland, and we store certain large data such as photos, logos and video recordings using their S3 service. They are compliant and we have a signed DPA with them.
- Amplitude: Anonymous usage analytics. They are compliant and their ToS incorporates a DPA.
- Loggly: This is a provider for storing and analyzing diagnostic logs. They are committed to being compliant, and keep a privacy policy compatible with GDPR. Further, we have taken steps to ensure that we depersonalize the analytic data stored with them.
- Twilio: This service is what we use to send text messages (SMS). They are compliant, and we have signed a DPA with them. It is possible to disable use of Twilio on a per-account basis.
- Gist: This is an on-website chat service that we use to allow CrankWheel users to chat directly with customer support in the app if needed. They are GDPR compliant and we have signed a DPA with them. It is possible to disable use of Gist on a per-account basis.
Note that the Twilio and Gist sub-processors can be disabled on an account-by-account basis, and we encourage our European customers to determine whether they wish to use these sub-processors. Twilio receives viewers’ mobile phone number when you send a text message via CrankWheel. Gist receives your employees’ email addresses as well as any information shared via customer support chat.
Marketing Website Sub-processors
- Google Analytics: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
- Hotjar: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
- Braintree: If you are a paying customer with us, you may have credit card payments processed by these guys. They are GDPR compliant and have updated their terms for merchants, which apply to us, to incorporate the equivalent of a DPA.
- Chargify: If you are a paying customer with us, your subscription data is likely stored by these folks. They are GDPR compliant and we have signed a DPA with them.
- Growsumo: These guys run our affiliate program. They are GDPR compliant and we have signed a DPA with them.
- Zapier: This is an automation platform that works behind the scenes. They are GDPR compliant and we have signed a DPA with them.
- Gist: Mentioned above, their chat functionality is also used on our marketing site.
- CrankWheel: Yes, CrankWheel itself is a sub-processor for our marketing website, as we use our own Instant Demos functionality. We are GDPR compliant.
- Facebook, Twitter, and various other ad network tracking pixels and scripts: We removed usage of various marketing tracking pixels, conversion tracking code, etc., as part of preparing for GDPR compliance.
Other Sub-processors
- Google Workspace (formerly G Suite): More usually known as Gmail and Google Drive, this is the productivity and communication suite from Google that is at the heart of many businesses. It is compliant, in all their products, and we have finalized a DPA with them.
- Zendesk: This is the hub of our customer support organization. They are compliant and we have signed a DPA with them.
- MailChimp: If you’ve opted in to one of our mailing lists, your email address (and maybe your name and title - depending on where and how you opted in) is stored by MailChimp. They are compliant and we have signed a DPA with them.
What Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Consider
We encourage our customers to be fully compliant with the GDPR, in letter and in spirit. A first step is to review privacy and data handling policies. Those who are data controllers have primary responsibility for making sure that personal data processing is compliant with EU data protection law. Here are a few key points to consider, but as with everything in this document, please refer to your own lawyers and experts for advice:
- Rights of End-Users: The GDPR establishes enhanced rights for end-users that you need to accommodate. As a sub-processor, CrankWheel can help you accommodate those rights. See the section “Exercising Your Rights” above, as the procedures for data controllers accommodating their end-users’ rights are identical to those for end-users whose data controller is CrankWheel, although with an added authentication required to identify the data controller as a customer of CrankWheel that is a data controller for the relevant end-user’s data. In a nutshell, contact us at support@crankwheel.com and we will assist you.
- Data Breach Notifications: Any data controller must have clear processes in place to comply with GDPR requirements to report data breaches within the set time frames. CrankWheel will notify affected customers without undue delay if we become aware of a data breach of our services. To receive such notifications, as well as notifications of system updates, scheduled maintenance and more, email support@crankwheel.com and ask to be added to the service announcements list.
- Assign a DPO: It is possible that you may need to assign a Data Protection Officer (“DPO”); as with everything on this page, please verify what you need to do with your own lawyers and experts.
- Geography: The GDPR applies to any customer of ours that is located in the EU or EEA, and also to any customers outside the EU/EEA that are processing personal data of EU or EEA citizens.
- Data Processing Agreement: If personal data is transferred outside the EU and EEA, data controllers must ensure that appropriate safeguard measures have been implemented. In certain edge cases, CrankWheel may, through one or more of its sub-processors, store personal data outside of the EU and EEA. In such rare instances CrankWheel has ensured that appropriate safeguard measures have been implemented, or, alternatively, offers you the option of disabling use of the services that may transfer data outside of the EU and EEA. Should you require a DPA with CrankWheel, we are happy to accommodate, simply email us at support@crankwheel.com.
- Use explicit opt-in in Instant Demos: If you use our Instant Demos functionality to collect data from EU residents, California residents, United Kingdom residents, or any other territory where explicit consent is required, you should enable the explicit opt-in option that you will find on the Instant Demos configuration page. This will cause end-users to be shown an explicit opt-in before they submit any data via an Instant Demos form.
In Summary
We take privacy and data protection very seriously. Should you have any questions about our policies when it comes to data protection and privacy not addressed here or in our privacy policy, we will be happy to answer them as quickly as possible if you email us at support@crankwheel.com.