Data Protection Statement

Last updated: August 4th, 2018.

Overview

The team at CrankWheel takes our users’ trust in us extremely seriously. We know that your data is important to you, therefore we keep it safe and private.

We also recognize that we store and process data on our customers’ behalf, pertaining to their customers and prospects. We take our responsibility very seriously to keep this data safe, and to provide our customers with the required facilities to manage this data.

The EU’s General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018, and replaces an older piece of European legislation. CrankWheel’s services are compliant with the GDPR.

GDPR is intended to strengthen privacy for individuals in the EU, and to extend the applicability of EU data privacy to non-EU companies who work with data on EU residents. It applies to all organizations operating in the EU, as well as to non-EU organizations that process “personal identifiable data” of EU residents.

Nothing in this document is intended to be legal advice, and should not be used as a substitute for legal assistance. Data controllers have final responsibility for understanding and complying with the GDPR.

Definitions

Here are loose definitions of some commonly used terms in the text below. For precise definitions, please see the full text of the GDPR.

  • Subject: A natural person, i.e. an individual.
  • Data Controller: The entity that collects and processes data on subjects.
  • Data Processor: An entity that processes data on behalf of a data controller.
  • CrankWheel Sub-Processors (or simply sub-processors): Third party systems that are Data Processors in the sense of the GDPR, to which CrankWheel transmits personal identifiable data
  • Personal Data: Data that can be used to directly or indirectly identify a subject (e.g. a name, ID number, online identifier or location data). Also, data relating to various aspects of the identity of that person, such as physical, economic, cultural, etc.
  • Sensitive Personal Data: Personal data that reveals racial or ethnic origin, political opinions, religious/philosophical beliefs, or trade-union membership. Genetic data or biometric data also fall into this category. Note that CrankWheel does not process any sensitive personal data.

CrankWheel’s Roles and Preparedness

As is the case with many online service providers, CrankWheel acts both as a data controller and as a data processor. We act as a data controller for our registered users’ account information, and as a data processor when it comes to information gathered through Instant Demos or through our audit logging functionality (enabled only for enterprise customers under contract).

CrankWheel certifies that according to its internal audits, it is compliant with the GDPR. Further, in case any issues of non-compliance are pointed out to us, our policy is to tackle such issues in our product and executive teams at the absolute highest priority.

Our team has made the necessary product and production system changes, reviewed our sub-processors to ensure they are compliant or will be compliant before the deadline (and removed several sub-processors that we do not trust will be compliant), reviewed all personal data we store and process, documented internal processes around each type of data as well as examined the justification for storing and using the data as described by the GDPR (typically, the justification is based on your consent), and completed a project to terminate all use of data that did not comply with the GDPR.

Our team is ready to advise our customers on how to ensure they are also GDPR compliant when they use CrankWheel as a sub-processor, and customers may contact us by emailing [email protected] to request assistance.

Exercising Your Rights

As a data subject (i.e., an individual whose personal identifiable data may be being processed), you have several rights under the GDPR, including the right to access your data, the right to be forgotten (erased), the right to make corrections, and more.

To exercise any of these rights, for the time being please email [email protected] and state which right you would like to exercise, and we will respond with a confirmation and with the data being requested (if applicable) within the deadlines stipulated by the GDPR. Over time, we may create automated tools to help you exercise certain rights, such as the right to data portability, but these are not ready at the moment, and are significantly complex to create due to reliance on sub-processors to store some pieces of personal identifiable data.

In reference to your rights that modify or remove personal data stored by CrankWheel, please note that we maintain backups for a period of 11 days, and reserve the right to maintain backups up to a period of 30 days. Therefore, personal data as it existed before correction or removal will remain in the form of backups for up to this duration after your requested changes are made.

Status of CrankWheel’s Sub-Processors

We are tracking the status of all of our sub-processors that may potentially deal with personal identifiable data of data subjects, to ensure any sub-processor we use is compliant by the May 25th, 2018 deadline, and that we have Data Processing Agreements (DPAs) in place with sub-processors as required. Below is the status of our sub-processors, categorized by whether they are used in our product, on our marketing website, or outside of both:

Product Sub-Processors

  • Amazon Web Services: We use these folks for hosting our communication servers around the world, and our databases are run at a couple of their facilities in Ireland. They are compliant and we have a signed DPA with them.
  • Auth0: They provide authentication services for us - when you log into CrankWheel you’re interacting with them indirectly. They are compliant, and they are Privacy Shield certified. Their updated terms of use, which apply to our usage, include the equivalent of a DPA.
  • Loggly: This is a provider for storing and analyzing diagnostic logs. They are committed to being compliant, and are Privacy Shield certified, with a privacy policy compatible with GDPR. Further, we have taken steps to ensure that we depersonalize the analytic data stored with them.
  • Twilio: This service is what we use to send text messages (SMS). They are compliant and they are Privacy Shield certified, and we have signed a DPA with them.
  • Clearbit: We use an API provided by Clearbit to enrich lead information as part of our Instant Demos functionality, on lead data being captured on your behalf (CrankWheel here being in the role of a data processor for you, the data controller). As we do not transfer subject data to Clearbit (using the subject’s email address only as a lookup key), we do not consider them a data (sub-)processor in the sense of the GDPR. If you wish to avoid any ambiguity in the use of Clearbit, an administrator on your company’s CrankWheel account can disable lead enrichment, which will cause Clearbit not to be used at all during your use of CrankWheel. Clearbit participates in the EU-US and Swiss-US Privacy Shield frameworks.

Marketing Website Sub-processors

  • Google Analytics: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
  • Hotjar: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
  • Braintree: If you are a paying customer with us, you may have credit card payments processed by these guys. They are GDPR compliant and have updated their terms for merchants, which apply to us, to incorporate the equivalent of a DPA.
  • Chargify: If you are a paying customer with us, your subscription data is likely stored by these folks. They are committed to being GDPR ready and we have signed a DPA with them.
  • Growsumo: These guys run our affiliate program. They are GDPR compliant and we have signed a DPA with them.
  • Zapier: This is an automation platform that works behind the scenes. They are committed to being compliant and we have signed a DPA with them.
  • CrankWheel: Yes, CrankWheel itself is a sub-processor for our marketing website, as we use our own Instant Demos functionality. We are GDPR compliant.
  • Facebook, Twitter, and various other ad network tracking pixels and scripts: We have removed usage of various tracking pixels, conversion tracking code, etc., while we work to understand the implications on GDPR compliance.

Other Sub-processors

  • G Suite: More usually known as Gmail and Google Drive, this is the productivity and communication suite from Google that is at the heart of many businesses. As previously stated, the folks at Google are committed to complying with the GDPR by the deadline, in all their products, and we have finalized a DPA with them.
  • Zendesk: This is the hub of our customer support organization. They are compliant and we have signed a DPA with them.
  • MailChimp: If you’ve opted in to one of our mailing lists, your email address (and maybe your name and title - depending on where and how you opted in) is stored by MailChimp. They are compliant and we have signed a DPA with them.

How Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Prepare

We encourage our customers to prepare for the GDPR. A first step is to review privacy and data handling policies. Those who are data controllers have primary responsibility for making sure that personal data processing is compliant with EU data protection law. Here are a few key points to consider, but as with everything in this document, please refer to your own lawyers and experts for advice:

  • Rights of End-Users: The GDPR establishes enhanced rights for end-users that you need to accommodate. As a sub-processor, CrankWheel can help you accommodate those rights. See the section “Exercising Your Rights” above, as the procedures for data controllers accommodating their end-users’ rights are identical to those for end-users whose data controller is CrankWheel, although with an additional authentication step to verify that the requesting data controller is a customer of CrankWheel and is the data controller for the relevant end-user’s data. In a nutshell, contact us at [email protected] and we will assist you.

  • Data Breach Notifications: Any data controller must have clear processes in place to comply with GDPR requirements to report data breaches within the set time frames. CrankWheel will notify affected customers without undue delay if we become aware of a data breach of our services. To receive such notifications, as well as notifications of system updates, scheduled maintenance and more, email [email protected] and ask to be added to the service announcements list.

  • Assign a DPO: It is possible that you may need to assign a Data Protection Officer (“DPO”); as with everything on this page, please verify what you need to do with your own lawyers and experts.

  • Geography: The GDPR will apply to any customer of ours that is located in the EU or EEA, and also to any customers outside the EU/EEA that are processing personal data of EU or EEA citizens.

  • Data Processing Agreement: If personal data is transferred outside the EU and EEA, data controllers may need a DPA with their sub-processors to ensure adequate protections for the transferred data. In certain edge cases, CrankWheel may, through one or more of its sub-processors, store personal data outside of the EU and EEA, although never without a DPA or equivalent terms with that sub-processor, as documented above. Should you require a DPA with CrankWheel, we are happy to accommodate; simply email us at [email protected].

In Summary

We take privacy and data protection very seriously. Should you have any questions about our policies when it comes to data protection and privacy not addressed here or in our privacy policy, we will be happy to answer them as quickly as possible if you email us at [email protected].