Privacy Regulations (GDPR)

The data privacy regulatory landscape is undergoing a lot of change. You probably have heard about the EU General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. There are also other regulations in effect or in the works around the world. We’ve written up this reference document to put helpful information regarding our products and privacy regulations in one place. Please also view our full Privacy Policy. If you have any questions, comments, or concerns about our Privacy Policy, your data, or your rights with respect to your information, please email us at privacy@userflow.com.

EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Userflow is compliant.

Does GDPR affect me?

If you’re based in the EU or do business in the EU, yeah! GDPR has a long reach. If you have any EU personal data in your Userflow account, such as names, email addresses, ID numbers, or… anything personally identifiable, then GDPR applies. You are a Controller of personal data under GDPR, so you need to enter into GDPR-compliant data processing agreements with any online services and third party vendors you rely on, including Userflow. These agreements are commonly called a Data Processing Addendum, or DPA.

Data Processing Addendum

Processing EU personal data must be governed by a GDPR-compliant contract. We provide a standard Data Processing Addendum (DPA) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. We have incorporated the DPA into our Terms of Service. You can find the DPA linked in the Security and Privacy section clause 5 in the Terms and here. This addendum is in effect when the General Data Protection Regulation applies to your use of Userflow Services to process Customer Data as defined in the DPA. The DPA includes the European Commission’s Standard Contractual Clauses to extend GDPR privacy principles, rights, and obligations.

To execute the DPA.

• Download the Data Processing Addendum
• Complete and sign the DPA as described under “HOW TO EXECUTE THIS DPA”
• Send the DPA to us
• We’ll sign the DPA and return it to you

EU-US DPF, The UK extension to the EU-US DPF and Swiss-US DPF

Since its establishment, Userflow has also voluntarily participated in the Privacy Shield Framework. The Schrems II ruling from the Court of Justice of the European Union invalidated the EU-US Privacy Shield program as a mechanism for data transfer from the EU to the US. On September 8, 2020, Switzerland’s Federal Data Protection and Information Commissioner also invalidated the Swiss-US Privacy Shield program.

In 2023 both were replaced by the EU-US Data Privacy Framework (EU-US DPF), the UK extension to the EU-US DPF, and Swiss-US Data Privacy Framework (Swiss-US DPF) and Userflow is certified under this.

Subprocessors

Userflow uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and require the same of them. List of Userflow subprocessors.

California Consumer Privacy Act (CCPA)

In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website: https://www.oag.ca.gov/privacy/ccpa.

Under the CCPA, Userflow is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes unless with your explicit permission.

The CCPA also grants residents of California with additional rights related to their information. We grant those rights to all of our customers and detail them in our Privacy policy. Our Privacy policy also explains the information we collect in order to provide our services and clearly lists the only times we access or share your data.

Relevant US laws

The US does not have a national consumer privacy law akin to GDPR. We’d love to see one put in place and until then, shout out to California for leading with the California Consumer Privacy Act.

There are national US security laws that are relevant to GDPR. Chief amongst them are: the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12-333. FISA establishes ways for US law enforcement and intelligence agencies to gather information within the US about non-US entities suspected of espionage or terrorism. Executive Order 12-333 sets out how US intelligence agencies can gather information, including outside the borders of the US.

Virtually every American software service is subject to FISA. That includes all the American big tech companies you can think of as well as any European service that uses cloud infrastructure from Amazon Web Services, Microsoft Azure, or Google Cloud Computing. It also includes small tech American companies like us, Userflow Inc.. However to date, Userflow has never been served a FISA order or National Security Letter.

Even so, these laws are relevant for why extra mechanisms need to be in place to allow the legal transfer of personal data from the EU to the US. Userflow has two such mechanisms: a data processing addendum; and voluntary participation in the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.

This policy have been adapted from the Basecamp open-source policies / CC BY 4.0.