Data Protection Statement
Last updated: October 6th, 2020.
The team at CrankWheel takes our users’ trust in us extremely seriously. We know that your data is important to you, therefore we keep it safe and private.
We also recognize that we store and process data on our customers’ behalf, pertaining to their customers and prospects. We take our responsibility very seriously to keep this data safe, and to provide our customers with the required facilities to manage this data.
The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018, and replaced an older piece of European legislation. CrankWheel’s services are compliant with the GDPR.
GDPR is intended to strengthen privacy for individuals in the EU, and to extend the applicability of EU data privacy to non-EU companies who work with data on EU residents. It applies to all organizations operating in the EU, as well as to non-EU organizations that process “personal identifiable data” of EU residents.
In the wake of GDPR, other similar legislation has been passed around the world, notably the CCPA for California residents, and the Data Protection Act 2018 for UK residents. While CrankWheel’s focus has been on GDPR compliance, the practices we adopted to become GDPR compliant also allowed us to achieve compliance with CCPA and DPA 2018.
Nothing in this document is intended to be legal advice, and should not be used as a substitute for legal assistance. Data controllers have final responsibility for understanding and complying with the GDPR.
Here are loose definitions of some commonly used terms in the text below. For precise definitions, please see the full text of the GDPR.
- Subject: A natural person, i.e. an individual.
- Data Controller: The entity that collects and processes data on subjects
- Data Processor: An entity that processes data on behalf of a data controller
- CrankWheel Sub-Processors (or simply sub-processors): Third party systems that are Data Processors in the sense of the GDPR, to which CrankWheel transmits personal identifiable data
- Personal Data: Data that can be used to directly or indirectly identify a subject, e.g. a name, ID number, online identifier or location data). Also, data relating to various aspects of the identity of that person such as physical, economic, cultural, etc.
- Sensitive Personal Data: Personal data that reveals racial or ethnic origin, political opinions, religious/philosophical beliefs, or trade-union membership. Genetic data or biometric data also fall into this category. Note that CrankWheel does not process any sensitive personal data.
CrankWheel’s Roles and Preparedness
As is the case with many online service providers, CrankWheel acts both as a data controller and as a data processor. We act as a data controller for our registered users’ account information, and as a data processor when it comes to information gathered through Instant Demos or through our audit logging functionality (enabled only for enterprise customers under contract).
CrankWheel certifies that according to its internal audits, it is compliant with the GDPR, the CCPA and the DPA 2018. Further, in case any issues of non-compliance are pointed out to us, our policy is to tackle such issues in our product and executive teams at the absolute highest priority.
Our team made necessary product and production system changes, reviewed our sub-processors to ensure they are compliant and signed data processing agreements with them, reviewed all personal data we store and process, documented internal processes around each type of data as well as examined the justification for storing and using the data as described by the GDPR (typically, the justification is based on your consent), and a project was completed to terminate all use of data that did not comply with the GDPR.
Our team is ready to advise our customers on how to ensure they are also GDPR compliant when they use CrankWheel as a sub-processor, and customers may contact us by emailing [email protected] to request assistance.
Exercising Your Rights
As a data subject (i.e., an individual whose personal identifiable data may be being processed), you have several rights under the GDPR, including the right to access your data, the right to be forgotten (erased), the right to make corrections, and more.
To exercise any of these rights, for the time being please email [email protected] and state which right you would like to exercise, and we will respond with a confirmation and with the data being requested (if applicable) within the deadlines stipulated by the GDPR. Over time, we may create automated tools to help you exercise certain rights, such as the right to data portability, but these are not ready at the moment, and are significantly complex to create due to reliance on sub-processors to store some pieces of personal identifiable data.
In reference to your rights that modify or remove personal data stored by CrankWheel, please note that we maintain backups for a period of 11 days, and reserve the right to maintain backups up to a period of 30 days. Therefore, personal data as it existed before correction or removal will remain in the form of backups for up to this duration after your requested changes are made.
We track all of our sub-processors that may potentially deal with personally identifiable data of data subjects, to ensure any sub-processor we use is compliant, and that we have Data Processing Agreements (DPAs) in place with sub-processors as required. Below is the status on our sub-processors categorized by whether they are used in our product or on our marketing website, or outside of both:
- Amazon Web Services: We use these folks for hosting our communication servers around the world, and our databases are run at a couple of their facilities in Ireland. They are compliant and we have a signed DPA with them.
- Amplitude: Anonymous usage analytics. They are compliant and their ToS incorporates a DPA.
- Twilio: This service is what we use to send text messages (SMS). They are compliant and they are Privacy Shield certified, and we have signed a DPA with them. It is possible to disable use of Twilio on a per-account basis.
- Gist: This is an on-website chat service that we use to allow CrankWheel users to chat directly with customer support in the app if needed. They are GDPR compliant and we have signed a DPA with them. It is possible to disable use of Gist on a per-account basis.
- Clearbit: We use an API provided by Clearbit to enrich lead information as part of our Instant Demos functionality, on lead data being captured on your behalf (CrankWheel here being in the role of a data processor for you, the data controller). As we do not transfer subject data to Clearbit (using the subject’s email address only as a lookup key), we do not consider them a data (sub-)processor in the sense of the GDPR. If you wish to avoid any ambiguity in the use of Clearbit, an administrator on your company’s CrankWheel account can disable lead enrichment, which will cause Clearbit not to be used at all during your use of CrankWheel. Clearbit participates in the EU-US and Swiss-US Privacy Shield frameworks.
Marketing Website Sub-processors
- Google Analytics: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
- Hotjar: Provides usage analytics for our website. They are compliant and we have a signed DPA with them.
- Braintree: If you are a paying customer with us, you may have credit card payments processed by these guys. They are GDPR compliant and have updated their terms for merchants, which apply to us, to incorporate the equivalent of a DPA.
- Chargify: If you are a paying customer with us, your subscription data is likely stored by these folks. They are GDPR compliant and we have signed a DPA with them.
- Growsumo: These guys run our affiliate program. They are GDPR compliant and we have signed a DPA with them.
- Zapier: This is an automation platform that works behind the scenes. They are GDPR compliant and we have signed a DPA with them.
- Gist: Mentioned above, their chat functionality is also used on our marketing site.
- CrankWheel: Yes, CrankWheel itself is a sub-processor for our marketing website, as we use our own Instant Demos functionality. We are GDPR compliant.
- Facebook, Twitter, and various other ad network tracking pixels and scripts: We removed usage of various marketing tracking pixels, conversion tracking code, etc., as part of preparing for GDPR compliance.
- G Suite: More usually known as Gmail and Google Drive, this is the productivity and communication suite from Google that is at the heart of many businesses. G Suite is compliant to complying with the GDPR by the deadline, in all their products, and we have finalized a DPA with them.
- Zendesk: This is the hub of our customer support organization. They are compliant and we have signed a DPA with them.
- MailChimp: If you’ve opted in to one of our mailing lists, your email address (and maybe your name and title - depending on where and how you opted in) is stored by MailChimp. They are compliant and we have signed a DPA with them.
What Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Consider
We encourage our customers to be fully compliant with the GDPR, in letter and in spirit. A first step is to review privacy and data handling policies. Those who are data controllers have primary responsibility for making sure that personal data processing is compliant with EU data protection law. Here are a few key points to consider, but as with everything in this document, please refer to your own lawyers and experts for advice:
Rights of End-Users: The GDPR establishes enhanced rights for end-users that you need to accommodate. As a sub-processor, CrankWheel can help you accommodate those rights. See the section “Exercising Your Rights” above, as the procedures for data controllers accommodating their end-users’ rights are identical to those for end-users whose data controller is CrankWheel, although with an added authentication required to identify the data controller as a customer of CrankWheel that is a data controller for the relevant end-user’s data. In a nutshell, contact us at [email protected] and we will assist you.
Data Breach Notifications: Any data controller must have clear processes in place to comply with GDPR requirements to report data breaches within the set time frames. CrankWheel will notify affected customers without undue delay if we become aware of a data breach of our services. To receive such notifications, as well as notifications of system updates, scheduled maintenance and more, email [email protected] and ask to be added to the service announcements list.
Assign a DPO: It is possible that you may need to assign a Data Protection Officer (“DPO”); as with everything on this page, please verify what you need to do with your own lawyers and experts.
Geography: The GDPR applies to any customer of ours that is located in the EU or EEA, and also to any customers outside the EU/EEA that are processing personal data of EU or EEA citizens.
Data Processing Agreement: If personal data is transferred outside the EU and EEA, data controllers may need a DPA with their sub-processors to ensure adequate protections for the transferred data. In certain edge cases, CrankWheel may, through one or more of its sub-processors, store personal data outside of the EU and EEA, although never without a DPA or equivalent terms with that subprocessor, as documented above. Should you require a DPA with CrankWheel, we are happy to accommodate, simply email us at [email protected].
Use explicit opt-in in Instant Demos: If you use our Instant Demos functionality to collect data from EU residents, California residents, United Kingdom residents, or any other territory where explicit consent is required, you should enable the explicit opt-in option that you will find on the Instant Demos configuration page.