GDPR Support in Recapture
Recapture is fully GDPR compliant, as of May 25, 2018. Below are the features that Recapture uses to be GDPR compliant in EU countries. Our GDPR basics are covered in our GDPR Policy here.
GDPR Settings in Recapture
Recapture offers two main settings inside of our service: the consent request popup, and the "forget me" link to include in emails, which automatically requests that the customer's data be deleted when clicked.
First, you can find and click the settings under Account Settings to the upper right of your dashboard:
Which opens the account settings screen.
Now scroll to the bottom and you'll see this:
Clicking the green edit icon on the upper right of this panel will enable the data to be edited, which allows you to change the two key features:
- Contact Consent (permission to email them)
- Forget Me links (immediate request to be forgotten)
The Contact Consent section allows you to edit the text for the popup that Recapture will generate for your store if you activate this feature. This allows you to get explicit permission, per the GDPR, for you to reach out to your customers via email.
When it's running on a site and the customer's IP is found to reside in the EU, it looks like this:
And it appears in the lower right part of the screen, like so:
The text is entirely editable based on this setting screen in Recapture. Be sure to save your changes when you're done and refresh your cache (if needed) to see the latest changes.
The Forget Me text is inserted into emails, like so:
And when clicked, leads to this dialog:
So the fields shown above are all editable in Recapture's GDPR settings as well.
What do I need to do as a Recapture customer for GDPR?
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Recapture:
- If you are in the European Union you may want to sign a Data Processing Agreement with Recapture. We offer data processing addendums (DPAs) for our customers that operate in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients. We have a standard DPA that you may sign and keep on file. To generate a signed DPA for your organization please use this form. You can see a sample of the addendum here.
We do not offer or support custom DPAs at this time.
Do I need to worry about GDPR if I'm not in the EU?
A common concern you might have is: Do I need to worry about GDPR if my business is not in the EU?
The short answer is probably YES. Let's talk about the longer version. A common misconception is that GDPR applies ONLY to businesses in the EU. This is not true. It depends on who your customers are, not your business' location:
1. I live INSIDE of the EU and have a business with (some) EU customers - YES, you're affected. What affects you are the customers, NOT your location!
2. I live INSIDE of the EU and do not have EU customers at all - NO, you're not affected. As long as you have NO customers that reside in the EU, you're not affected. But in our experience, that's very, very rare. Most likely, you probably have customers from the EU and #1 or #3 applies.
3. I live OUTSIDE of the EU and have a business with (some) EU customers - YES, you're affected. What affects you are the customers, NOT your location!
4. I live OUTSIDE of the EU and do not have EU customers at all - NO, you're not affected. As long as you have NO customers that reside in the EU, you're not affected. But in our experience, that's very, very rare. Most likely, you probably have customers from the EU and #1 or #3 applies.
The bottom line is this--if you serve ANY customers from ANY country in the EU, you are affected by GDPR, regardless of whether you're an EU-based business, or located in the EU in any way. GDPR is very far-reaching in that regard.