Back to Blog

ChartMogul and the GDPR

Here’s an overview of the steps we take at ChartMogul to ensure any personal data is handled responsibly and lawfully, as well as some FAQs on how we comply with the General Data Protection Regulation (GDPR).

As you probably already know from the flood of messages in your email inbox, the General Data Protection Regulation is in effect on 25th May and is designed to protect the data of all users located in the EU.

As an analytics company, ChartMogul is already dedicated to the protection and responsible use of data as a core competency.

Our customers put ChartMogul at the center of their decision-making processes and trust us to handle their data with utmost care. We only collect personal data where absolutely necessary for the function of our business, and are committed to your right to privacy in every aspect of how we handle it.

ChartMogul does not (and will never) sell your data to a third party. You pay us to deliver a service and we’re not in the business of monetizing you or your data through other methods.

The data stored in your ChartMogul account is only ever accessed, with your permission, when we need to solve a technical issue or support your use of the product. We may also require access to investigate suspected abuse on your account.

Is ChartMogul GDPR compliant?

Yes, ChartMogul is fully compliant with GDPR. Our existing internal standards for handling personal data mean that we already met many aspects of the data privacy rules, but we’ve also gone through an extensive external auditing process to ensure that we handle our customers’ data correctly in light of the forthcoming regulation.

What steps have you taken to ensure the correct handling of personal data?

✅ Full data audit

We’ve worked with trusted third parties to complete a complete audit of how personal data is collected and used at ChartMogul. This includes adjustments to processes where personal data collection is not essential to our business function.

✅ Privacy policy updates

We’ve rolled out an updated privacy policy which includes clear, explicit explanations of how and why personal data is collected.

✅ Data Protection Agreement

We have created a legal agreement that ChartMogul customers and other third parties can request from us, which promises the correct use of any personally identifiable information that’s stored.

✅ Documenting and listing sub-processors

We’ve compiled a list of all sub-processors currently in use at ChartMogul that we share personally identifiable data with, and have a mechanism for people to keep up to date with changes to that list.

✅ Employee data privacy training

To establish a common baseline of knowledge across the company, we enrolled every permanent employee of ChartMogul in a program of data privacy and GDPR training.

I’m a ChartMogul customer. Do my users need to consent to using ChartMogul?

The GDPR states that processing of data without explicit consent is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (Article 6, paragraph 1 (f)*). There’s a legitimate business interest for you to measure and understand your revenue.

You should also list ChartMogul in your list of subcontractors as required by the GDPR (you can see our own list here). You should also read and sign our data processing agreement and send it back to us.

*(Note that this article also states an exception to the above, in cases where the data subject is a child — this does not apply unless for some reason a child’s data was entered into ChartMogul).

Does the GDPR affect how I use ChartMogul?

No. The functionality of ChartMogul remains exactly the same.

Does ChartMogul have a data processing agreement (DPA)?

Yes! Users and third parties can sign our DPA, which guarantees the protection of personally identifiable information that we collect and process:

Download PDF

This should be read, signed and returned to our team at [email protected].

What subcontractors does ChartMogul use?

Like most modern SaaS businesses, we use a number of technologies and services to build and operate our product efficiently.

You can find a full list of the subcontractors we use here: ChartMogul Subcontractors.

You can also register to be notified of any updates to this list.

What is a “data processor” and “data controller”?

These are the two most commonly used terms in the wording of the GDPR. Much of the regulation revolves around the relationship between these two entities.

Data Controller:

Here’s the formal definition of a data controller:

“…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

In other words, if your company is the principal entity determining the purpose of collecting and working with such data, that makes it a data controller.

Data Processor:

“…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

In the context of a SaaS business, a common example of a data processor would be a service used by your team to automate onboarding email campaigns sent to customers. The email automation platform handles (processes) the personal data of your customers, on behalf of your business (the data controller).

One of the key changes introduced with the GDPR is the introduction of direct obligations for data processors. In addition to this, data controllers should only choose processors that are GDPR-compliant.

As a data controller, businesses need to have an appropriate contract in place — usually referred to as a data processing agreement (DPA) — with any processor it shares data with.

If you use ChartMogul as a data processor for your business, you may need to sign a DPA with us.

Have further questions?

You can always reach out to our team at [email protected] who will be happy to answer any further questions on GDPR compliance or data privacy.