GDPR compliance

This article provides an overview of our GDPR commitment and explains our efforts to live up to the values and requirements of the GDPR.

Robert avatar
Written by Robert
Updated over a week ago

The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on the 25th May 2018.

We are glad to report that we achieved compliance with the GDPR prior to the effective date of the regulation, and we are committed to stay GDPR compliant.

What has SessionLab done about GDPR?

Below you can find a list of the main activities we worked on to achieve compliance before the GDPR regulations came into effect:

  • Implemented regular internal data handling audit process

  • Reviewed and improved internal policies related to handling user data

  • Moved data centers to European territory - all user created content is stored within the territory of the European Union

  • Implemented a unified email preferences center for all communication we send to customers

  • Improved our data erasure policies to fulfill data deletion requests

  • Reviewed all our vendors, obtained Data Protection Agreements and implemented an annual review process to ensure we work with GDPR compliant parties

  • Implemented functionality to record consent provided by users

  • Updated Terms of Service, Privacy Policy and Cookie Policy.

  • Created our Data Processing Agreement.

Do you provide a Data Processing Agreement?

Yes. Our personal data processing relies on the EU Commission Standard Contractual Clauses (SCC) and is outlined in our DPA, which document is based on the Annex of the Document of the Commission Implementing Decision (EU) 2021/915 of June 4, 2021.

To get a ready ready-to-sign version of our DPA, please contact our customer support.

Data collection and processing

There are primarily two type of data we collect and process:

  • Your own profile information (such as name, email address, profile picture, IP address, browser and device information)

  • The content you create in the application (such as the sessions, library blocks you create and the files you upload)

We collect and process your data - as the user of our website and web application - with the following legal bases:

  • First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

  • Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

  • Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).

What are these legitimate interests we talk about?

  • Improving the app to help you reach new levels of productivity.

  • Making sure that your data and SessionLab’s systems are safe and secure.

  • Responsible marketing of our product and its features.

Whenever the three legal bases listed above do not justify us collecting and processing your personal data, we ask your consent as appropriate. For example, we may send you additional content digest emails or newsletters with your consent. If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time.

Whenever we share your personal data with our service providers (for sending emails, storing data, analytics and reporting), we make sure that we only work with audited and compliant Data Processors as third-party services.

SessionLab is committed to respect all your rights under the GDPR. If you have any questions or feedback, please write to or study the detailed description of how we collect and use the information we collect about you in our Privacy Policy.

Your responsibility for notifying your customers

By design, SessionLab is not intended to be used to host personal data in the Content (sessions) you create, as there is no designated feature that serves as an input area for information that may be considered as personal data.

In case you still decide to upload or input data in your sessions that qualify as personal data, you are responsible for providing notice to your customers concerning the purpose for which you collect their personal data and that this personal data is processed in our service as part of your content.

Did this answer your question?