GDPR

Everything you need to know about FunnelBud and GDPR

Disclaimer: This does not constitute legal advice. It is simply our own and our lawyers' interpretation of what GDPR means for FunnelBud clients.

Questions related to your agreement or cooperation with FunnelBud

Where does the FunnelBud Marketing and CRM software store data?

We store data on Amazon servers in the US. The US is considered a "third country" since the Privacy Shield no longer applies. According to GDPR regulations, in order to store the data of EU citizens in a third country, so-called "SCCs" (Standard Contractual Clauses) need to be signed, in which the parties agree to follow standards equivalent to those set in the GDPR regulation.

The GDPR law does not state that you are prohibited from storing data in third countries, only that in order to do so, you need to sign and adhere to the SCCs, which we do with our clients.

Note: FunnelBud also provides another powerful marketing automation platform hosted in the EU (no data ever leaves the EU). Please read more about FunnelBud Go if that is of interest.

What should I do if I want to have a fully EU-hosted marketing automation software?

Many of our clients have migrated to the fully EU-hosted, powerful marketing automation software FunnelBud Flex, and are satisfied with the results. FunnelBud handles 100% of the migration and sets everything up for you in a painless way. The system has capabilities matching your current software, and some additional ones. It is based on the popular open-source software Mautic, used by over 200,000 organizations worldwide, including large banks and financial institutions, due to its strong functionality, security, extensibility, and data security/ownership.

Please book a meeting to learn more about it.

Are we allowed to work with you if you or your sub processors store data outside of the EU?

Yes. This is allowed if our agreement with you permits it, as long as any subprocessors we may use follow GDPR standards. This is the case if we have the EU’s so-called “Standard Contractual Clauses” (SCCs) in our agreements with our subprocessors.

SharpSpring stores its data in the US, and therefore complies with GDPR requirements by signing Standard Contractual Clauses with its EU-based clients. Please read more in FunnelBud’s GDPR help article.

(Note for FunnelBud Go clients: FunnelBud Go doesn't store any data outside the EU.)

Are SCCs sufficient to be able to store data in the US?

Per the Schrems II judgement, while the Privacy Shield is no longer valid, SCCs still are and they are not affected by the decision.

By signing and adhering to SCCs, the protection data subjects enjoy is on par with the requirements of the GDPR, and thus you can use these as a basis for transferring and storing data in the U.S.

Read our full analysis here: Are SCCs enough for you to transfer data to US with FunnelBud?

(Note for FunnelBud Go clients: FunnelBud Go doesn't store any data outside the EU.)

Are US-based support personnel supporting FunnelBud allowed to access EU data?

Yes, if we and our sub processors follow GDPR rules for how data should be processed.

Is it enough that we sign an agreement with you or do we need to sign also with your sub processors?

Since you are buying the software from us, it is enough that you sign with us as long as our agreement covers under which circumstances we can sign agreements with our sub-processors.

Where can I see your DPA?

Online version, which is referred to from our license agreement with you: https://www.funnelbud.com/en/gdpr/.

If you want to sign a DPA with us, please download one of these, sign it, and send it to support@funnelbud.com:

When a contact is deleted in FunnelBud, is it according to GDPR regulations?

Yes, once a contact is deleted from FunnelBud no personally identifiable information remains.

Questions related to GDPR best practices

What text should I place on my website to describe our GDPR and cookie policy?

You can use this text on your website.

(As an example, ours is here: https://www.funnelbud.com/en/gdpr/. Note that you should customize the text so you have your own relevant version; we recommend the link above.)

What do I need to do with my forms?

According to our interpretation (see In what circumstances can we collect data for marketing purposes?), a simple form notice is enough to fulfill GDPR requirements.

Our understanding is that you don't need explicit opt-in tickboxes (see the reasoning in the above link). But you can if you want to (see next section for screenshots on that).

Below are example form notice texts you can put under each of your forms (ask FuB for help to do that).

LONG VERSION (English): “By clicking on the link you agree to receive emails from us with tips, advice, event invitations and promotions that can help you get more value from your [SOLUTION] solutions. You can withdraw your consent at any time by clicking the unsubscribe link at the bottom of every email. Read more about our GDPR policy here.”

LONG VERSION (Swedish): “Genom att klicka på länken samtycker du till att ta emot mailutskick från oss; med tips, råd, inbjudningar till evenemang och erbjudanden som kan hjälpa dig få mer värde från era lösningar. Du kan när som helst ta tillbaka ditt samtycke genom att klicka på den länk som finns i ditt mailutskick. Läs mer om vår GDPR-policy här.”

SHORT VERSION (English): “By filling out the form, I agree to receive emails with tips, invitations, and promotions that can help me get more value from my [SOLUTION] solutions. Read more about our GDPR policy here.”

SHORT VERSION (Swedish): “Ja, genom att fylla i formuläret samtycker jag till att ta emot mailutskick med tips, inbjudningar och erbjudanden som kan hjälpa mig att få mer värde ur era lösningar. Läs vår GDPR-policy här.”

How to add explicit opt-in tickboxes to your forms

As explained above, we don't think you need this from a legal standpoint, but you can. Here is an example and how it is built in FunnelBud:

Template screenshot: https://goo.gl/SYB9Aa

How it is built in FunnelBud: https://goo.gl/wZ9ZDr

In which circumstances can we collect data for marketing and sales purposes?

To simplify, as a FunnelBud user, this is basically it:

1) if the subject has given consent

2) if the subject is someone whose data you need to fulfill your contract with them

3) if the collection of the data is in our “legitimate interests”.

For the last point, what counts as a “legitimate interest” is a bit complicated, but in essence it applies if the subject can reasonably expect that their data will be collected for the purpose of direct marketing.

To read what the law actually says about what constitutes a legal basis for collecting data, read the details here: In which circumstances can we collect data for marketing purposes?

Can we automatically assume opt-in for customers who pay for our services?

When someone subscribes to something like a breakfast seminar, is it automatically OK to send post-seminar offers? Did they technically opt in to that?

What about leads already opted in, do we need consent? Do we need to send them an opt-in email?

No, we can store data for “legitimate interests” - see “In what circumstances can we collect data for marketing purposes?” above.

More information

General about GDPR

FunnelBud's interpretation of GDPR for clients

Schrems II research

Can you store CRM and Marketing Automation data in the US?

Internal: GDPR Drive