Userlist General Data Protection Regulation (GDPR) Policy

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is the legal framework governing data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Post-Brexit, the UK GDPR also remains in effect for UK data subjects.

As a Processor of your end user data, we take security and privacy very seriously, and have taken a number of steps in order to ensure that we are fulfilling our obligations pursuant to the GDPR. This page will provide you with an overview of these activities and related information. For information about the Rights you have over your personal data, please review our Privacy Policy.

Basis for Processing

We operate as a Processor of data at the request of our Customers, who are the Controllers. As such, we process only personal data that they warrant they have an appropriate legal basis to collect, retain, and transfer to us in order to fulfill the terms of our Terms of Service Agreement and any other contractual agreements we might execute with a Customer. Where we are the Controller of data, we also rely on the fact that our processing of Customer data is necessary for the performance of a contract as a lawful basis. Where processing is not necessary for the performance of a contract, we may also rely on our Customers’ consent in order to process the types of data we list in our Privacy Policy, and that consent can be withdrawn at any time.

Requests for Access, Rectification, or Erasure from data subjects who are end users of one of our Customers should be directed to that Customer, the Controller, rather than us. In the event we receive a request from a data subject whose data is in our custody only in our capacity as a Processor, we cannot fulfill such a request until the data subject at issue has submitted a request to the Controller of their data. At the request of the Controller, Userlist is happy to assist with the fulfillment of any such request if the Controller is unaware of how to export, correct, or delete user data. These situations are covered in our Data Processing Agreements with the Controller of the data, pursuant to Article 28, GDPR.

Compliance Activities

Below you can find a list of steps taken for purposes of fulfilling our obligations under GDPR:

  • Completed an audit of information systems identifying the data we collect, where and why we store it, and what our process is for deleting it.
  • Improved company procedures related to security and privacy.
  • Updated our Privacy Policy to reflect the core privacy principles.
  • Consolidated information about our third party vendors and obtained data processing agreements from them.
  • Appointed a Data Protection Officer.
  • Created a Data Processing Agreement (see below) for customers who collect data from EU users.

Third Party Vendors

We rely on third parties to process sensitive data in some circumstances. We have reviewed our third party vendors and have confirmed there are sufficient guarantees of appropriate technical and organisational measures in place at the relevant companies. The full list of third party vendors can be found in our list of sub-processors.

EU and UK Representative

Pursuant to Article 27, GDPR, we have appointed an EU Representative. That Representative’s contact information is:

Rickert Rechtsanwaltsgesellschaft mbH
– Userlist, Inc. –
Address: Colmantstraße 15, 53115 Bonn, Germany
Email address: art-27-rep-userlist@rickert.law

Within the UK, our Representative’s contact information is:

Rickert Services Ltd UK
– Userlist, Inc. –
Address: PO Box 1487, Peterborough, PE1 9XX, United Kingdom
Email address: art-27-rep-userlist@rickert.law

Data Protection Officer

Pursuant to Article 37, GDPR, we have appointed a data protection officer (DPO). The current DPO is:

Benedikt Deicke
Address: 6595 Roswell Road, STE G2130, Atlanta, GA 30328, USA
Email address: privacy@userlist.com

Complaints

In the event you do not believe Userlist has handled your request in an appropriate manner, you have a right to contact the appropriate Supervisory Authority in order to lodge a complaint. That complaint can be directed to the body responsible for regulating data protection in your country.

Data Processing Agreement

We offer a Data Processing Agreement to our customers who collect data from users in the EU which incorporates the most recent Standard Contractual Clauses and safeguards associated with the cross-border transfer of data to Userlist. Our DPA is automatically accepted as part of our Terms of Service Agreement, so no further action is required on your part. Should you need a signed version of your DPA, please contact us anytime at privacy@userlist.com.

Contact

Should you have any questions regarding security, privacy, or our GDPR compliance, please contact us at privacy@userlist.com anytime.
