All Collections
GDPR - Adding a privacy policy and signing a DPA
GDPR - Adding a privacy policy and signing a DPA

Understanding ConvertFlow's role in GDPR compliance and steps to take

Jonathan Denney avatar
Written by Jonathan Denney
Updated over a week ago

We understand that ConvertFlow plays an integral role in our customers’ GDPR compliance strategy. That is why we're committing to supporting our customers as they work towards being GDPR compliant.

First, we recommend reading our post on GDPR, where we've put together a plain English overview of the need-to-know subjects, how GDPR affects a business, how to prepare, and what ConvertFlow is doing to help.

How ConvertFlow supports the privacy rights of ConvertFlow’s customers and their contacts, and how we support our customers in being GDPR compliant is highlighted below.

What is GDPR?

General Data Protection Regulation (GDPR) is designed to hold organizations (like ConvertFlow & your business) more accountable for keeping personal data secure and gives data subjects more rights and control over their data by regulating how organizations should handle and store any personal data they collect.

This new legislation applies to all organizations that process personal data (names, email addresses, tracking, etc.) of citizens of the European Union (EU) and European Economic Area (EEA) – regardless of where in the world your business (and data) is based.

How ConvertFlow helps with GDPR

While a business is ultimately responsible for its compliance, ConvertFlow has implemented changes to our product to make it easier to be GDPR compliant and we plan to add additional functionality to help with processing your Data Subject Requests.

Data Processing Agreement (DPA)

Under GDPR, any Controller subject to its rules must have a signed Data Processing Agreement with any third party that acts as a Processor.

When collecting personal data (such as a name or email address) from someone located in the EU/EEA, the entity collecting the data is considered the Controller. The organization or application that stores this data on behalf of the business, like ConvertFlow, is the Processor.

Customers of ConvertFlow who are Controllers under GDPR should sign a DPA with ConvertFlow to ensure compliance.

ConvertFlow offers a Data Processing Agreement for customers processing information on behalf of EU/EEA citizens. To sign a DPA with ConvertFlow, please click here to request one from our team →

Collecting consent

When using ConvertFlow forms on a website and landing pages, collecting “active consent” involves having contacts give consent by clicking checkboxes to agree to the processing of their personal data.

Inside ConvertFlow's builder, it is simple to start gaining consent from leads and subscribers located in the EU/EEA using active-consent checkboxes in the forms. The checkbox is displayed next to a customizable statement, such as “Accept privacy policy and terms.”

The checkbox cannot be checked by default, so visitors must click the checkbox to give “consent” before submitting the form.

To ensure transparency, the checkbox should include a link to the privacy policy, where the processing of personally identifiable data is explained. In certain cases, the checkbox may also link to the terms of service.

If the form is not a direct subscription to marketing communications, another checkbox may be needed to gain consent for ongoing marketing.

In ConvertFlow, the messaging and links on all consent checkboxes in website forms can be easily controlled using the site-wide settings.

Store a record of a contact that consented

By using ConvertFlow’s consent checkboxes, it is easy to document and send a record of the contact’s consent to any custom fields in integrated email marketing tools and/or CRMs.

Simply connect the email marketing tool, map ConvertFlow’s “privacy_consent” and “marketing_consent” to the chosen custom field names, and a “true” value will be sent to the email tool’s custom field when a contact submits any ConvertFlow form.

For those custom coding forms on their website, it will be necessary to have a developer connect the checkboxes to the email tool’s API to store proof of consent.

By following these steps, managing and documenting consent from leads and subscribers can be seamlessly integrated into existing email marketing and CRM systems.

Updating consent for existing contacts on a website

If existing contacts in an email service provider or in ConvertFlow need to provide consent, ConvertFlow offers a simple solution.

Create a website popup targeting existing subscribers returning to the website. This popup will request their consent for processing personal data, store records of their consent in custom fields, and tag them as “resubscribed” in the CRM.

Controlling visitor anonymity and GDPR compliance settings

ConvertFlow's visitor tracking is not personally identifiable until it is associated with a form submission or a subscriber. At that point, consent should be collected from the visitor for processing their personal data.

In early 2018, an update was released to no longer store IP addresses when tracking anonymous visitors. ConvertFlow uses IP addresses solely for geolocation purposes without storing them in the tracking record.

However, there are important settings to consider in the configuration:

  • Using ConvertFlow with IP address geolocation, which is used for geolocation targeting and pre-filling form fields, can affect GDPR compliance. In certain cases, low population postal codes could be considered personally identifiable information. Here’s how to disable IP address geolocation if needed →

  • ConvertFlow can automatically identify contacts on your website when any email field is submitted, including custom HTML forms not built in ConvertFlow. URL parameters such as "email" containing a subscriber's email address will also automatically identify the contact. These automatic identification methods can be optionally disabled from the website settings →

  • To disable the processing of personally identifiable contact data entirely, an option is available in the website settings to disable processing of contact P.I.I. Use this setting with caution, as it disables all server-side contact integrations →

  • Regulators have indicated that using Google Fonts may not be GDPR compliant when using Google's public APIs. ConvertFlow provides the option to disable Google Font auto-loading from their public APIs, allowing you to self-host your Google Fonts or load them from a GDPR-compliant font loader. Read more →

Data Subject Rights

A major part of GDPR is the rights granted to EU/EEA citizens regarding their personal data.

Under GDPR, a user or contact has the right to access their data (in a commonly used and machine-readable format) and the right to be forgotten (have all their personal data erased).

In ConvertFlow, once a visitor provides their email address via a form, a timeline is available showing which pages they visited, calls-to-action they engaged with, as well as the UTM parameters and referral source associated with them. All this data can be exported or deleted.

Within ConvertFlow, a contact can be quickly found by navigating to the website’s “Contacts” page and searching by email address:

To export a contact's data to a CSV, click the “Export” button. To delete a contact record, select “Delete” in the contact options and confirm the action:

For more information on the responsibilities of a “data controller”, please visit the official GDPR site →

Breach Notification

The protection of customer and contact data is taken seriously at ConvertFlow. In the event of a data breach involving personal information (or otherwise), notification will be sent via email.

Privacy Shield

ConvertFlow's technology infrastructure is powered by privacy shield-certified cloud providers such as Amazon Web Services and CloudFlare. However, ConvertFlow itself is not privacy shield certified and relies on Standard Contractual Clauses (SCCs). For GDPR compliance, businesses in the EU will need to sign a Data Processing Agreement (DPA) with ConvertFlow →


If any questions or inquiries related to data privacy and GDPR arise, please contact the ConvertFlow team at

Did this answer your question?