Apr 9, 2018

CloudConvert and the GDPR

The General Data Protection Regulation (GDPR) is the new legal framework of data protection across the EU. Starting 25th May 2018 it will be enforceable. This post clarifies how CloudConvert complies with the GDPR and what our customers can do to be compliant.

In the terms of the GDPR, CloudConvert takes two different roles: CloudConvert is classed as data controller, if it provides services to end customers and directly collects or processes personal data. CloudConvert is classed as processor, if it processes data on behalf of a data controller (typically a customer of CloudConvert).

CloudConvert as data controller

This is typically the case when CloudConvert collects your name, email address and address for managing accounts and for billing. Also, it applies when you use the CloudConvert service as end customer and upload files, which contain personal data. CloudConvert has already updated its privacy policy to explain in more detail which data we collect and share. In the coming weeks, there will be some more updates of our privacy policy.

In short, we do collect:

  • Your IP address and times of access
  • Name, email address and photo if you create an account
  • Billing address and payment information if you buy a package or if you subscribe

We do share:

  • Your billing address and payment information with our payment provider Stripe
  • Your IP address, time of access, browser agent, and referrer with Google Analytics

CloudConvert commits to:

  • Not to mine or collect any data from your uploaded files
  • No sharing or copying of your uploaded files
  • Irreversible deletion of your uploaded files within 24 hours (or immediately, if you manually use the delete button)

For details, please read our updated privacy policy.

CloudConvert as processor

If you are an organisation and use CloudConvert to process your customers files, we are typically acting as processor. This is the case if you collect personal data and send them to us for conversion, for example via our API.

As a processor, CloudConvert commits to:

  • Processing provided personal data solely in accordance with your instructions. CloudConvert will never process or share your data for any other purposes.
  • Keeping your data inside the EU.
  • Applying strict security standards to provide a high level of security.
  • Implementing technical and organizational measures in accordance to Art. 32 GDPR.
  • Reporting any data breach to you without “undue delay”.
  • Solely using subcontractors that comply with the GDPR and have signed appropriate contractual agreements.
  • Helping you meet your own regulatory obligations, by providing you with adequate documentation of our services.

In accordance to Art. 28 GDPR it is possible to sign a data processing agreement with us. This binds us legally to the proper processing of data in accordance to the GDPR. Therefore, contact us.