Compliance with GDPR

GDPR and what we offer to help you stay compliant.

Updated over a month ago

The EU's General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and the UK General Data Protection Regulation (UK GDPR) went into effect on January 1, 2021.

These regulations impact Kit's Customers and Subscribers, so we've audited all of our processes to make sure we are compliant.

What is the EU’s GDPR and the UK GDPR?

The EU’s GDPR and the UK GDPR are regulations that streamline data privacy across the EU/EEA and UK, and put in place new privacy protections for individuals in the EU/EEA and UK.

How does Kit lawfully transfer personal data from the EU/EEA, UK, and Switzerland to the United States and elsewhere?

Kit may use the following to transfer personal data from the EU/EEA, UK, and Switzerland to the United States and elsewhere:

  • The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or

  • The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner.

Both the SCCs and IDTA are included in Kit's Data Processing Agreement (DPA). For customers processing personal data on behalf of EU/EEA, UK, Swiss, and other individuals, you can access and sign our DPA here. Kit's certification to the EU-U.S. DPF, the UK extension to the EU-U.S DPF, and the Swiss-U.S. DPF can be viewed here.

We will keep you updated on all related legal developments.

Will I be affected by the EU’s GDPR and the UK GDPR?

Likely, yes. If you currently reside in the EU/EEA or UK, or have Subscribers that reside in the EU/EEA or UK, you need to be GDPR-compliant.

We've taken care of what we need to on our end, and we would absolutely recommend you familiarize yourself with the regulations to make sure you are taking all necessary steps as well!

What we have done to get compliant:

We are fully compliant in all areas including:

  • We rely on the SCCs and IDTA, included in Kit's DPA, to lawfully transfer personal data from the EU/EEA, UK, and Switzerland to the US and elsewhere

  • We comply with all data subject rights of individuals in the EU/EEA, UK, and Switzerland including the right to be forgotten and access requests

  • We have updated our Privacy Policy

  • You may close your Kit account at any time and request that we remove all of your associated information and data, and we will delete it in its entirety

  • You may opt-out of our marketing emails and product updates at any time by clicking "Unsubscribe" or by sending an email to [email protected]

  • You may access and update your Kit account settings at any time, or send us an email at any time requesting we update that information

  • You own your list: you can export your subscribers at any time, as long as you are compliant with our Terms of Service Agreement and Acceptable Use Policy

And we also have measures in place to protect your Subscribers' privacy:

  • You may delete Subscribers at any time at their request, or we may honor their request to be removed from your list or any list if they contact us directly

  • You may access and update your Subscribers' data at any time

  • We provide an unsubscribe link automatically at the bottom of each email sent from Kit, allowing them to opt out at any time. Additionally, we'd encourage you to use custom unsubscribe links to allow Subscribers to update their preferences

New Kit features to help customers comply with GDPR

  1. Find my EU/EEA, UK, and Swiss Subscribers — You can now select your Subscribers by country, and region!

  2. Data Processing Agreement — Our DPA offers contractual terms that comply with the EU's GDPR, the UK GDPR, and reflect our data privacy and security commitments to our customers. Each customer processing personal data on behalf of individuals in the EU/EEA, UK, and Switzerland is able to sign this agreement here.

  3. Method to request data deletion — Under the EU’s GDPR and the UK GDPR, each of your Subscribers in the EU/EEA, UK, and Switzerland has the right to erasure (or the right to be forgotten), meaning they can contact you and we will delete all of their personal data from our systems. We now provide a method for you to initiate this deletion process in our Privacy Policy.

  4. Custom form checkboxes if the visitor is within the EU/EEA, UK, and Switzerland — This feature can be enabled on the account level and adds an unchecked checkbox to each opt-in Form (or a page after the Form is submitted) for Subscribers to verify that they are consenting to receive marketing emails. If it remains unchecked, the Subscriber would receive the opt-in incentive (e.g. a free guide), but does not receive any tags in the platform indicating consent to email them.

To see what features we provide, click here.

Our recommendations for you:

First, consult with a lawyer for specific recommendations for your business. Please take the following as suggestions, and understand they should not be considered legal advice.

On any Forms or Landing Pages you use, whether our Kit Forms or another app, you should make your intentions specific and very clear. Will you send them regular newsletters, occasional offers, or share this list with anyone else? If someone purchases your product on another platform, will they be added to Kit? Your Subscribers should be aware of how their sensitive information (email and any other data you collect) will be handled.

It should be very easy for your Subscribers to give you permission to send them email. Some suggestions would be: state it clearly on your Form, use a double opt-in process on your Forms, or remind them where they subscribed in the footer of your emails.

Perform regular backups of your list. Keeping up-to-date information, especially proof of consent from your Subscribers, can be helpful if it is ever required.
