Last updated: 4 March 2019
Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purpose of data protection legislation including the General Data Protection Regulation (‘GDPR’), the data controller of your personal data is Three Hearts Digital Ltd of Keltan House, 115 Mare Street, London, E8 4RU (registered at Companies House with company number 09897211 and trading as EmailOctopus).
When we refer in this policy to ‘you’, we are referring to a customer of our services, or a person visiting our website. We are not referring to a person receiving an email sent by a customer using our service, or a person on a mailing list maintained by one of our customers. We refer to those people in this policy as ‘Contacts’. We do not have any relationship with Contacts, and process information relating to them solely for the purposes of providing our service to our customers.
When we refer to a ‘marketing list’ in this policy, we are referring to details of Contacts (including their email addresses) processed by us on your behalf to provide you with our EmailOctopus service.
If you are a Contact and wish to cease receiving emails from one of our customers, please unsubscribe directly using the unsubscribe link in the customer’s email, or contact the customer directly.
We may collect and process the following data about you:
We use information held about you for the following purposes:
Our website uses retargeted advertising provided by Facebook and Google. As a result of this retargeting, you may see ads for our services on other sites such as Facebook. This happens in one of two ways:
One way is that our retargeting provider will read a cookie that is already in your browser, or they will place an anonymous cookie or ‘pixel’ in your browser when you visit our site. This can only happen if your browser is set to let it happen – you can control your settings in your browser to stop this.
The other method of retargeting is to use your email address to match EmailOctopus ads to you when you browse other sites. This involves us sharing your email address with Facebook and Google. This form of retargeting is generally used to update you on new functionality added to the EmailOctopus platform.
Conversely, we also use Facebook to ensure that we don’t present some EmailOctopus ads to our existing customers. Again, this involves our sharing your email address with Facebook.
Your marketing lists are stored in Ireland, within the European Economic Area ("EEA"), on the secure servers of Amazon Web Services (“AWS”). Unless you are using our ‘EmailOctopus Connect’ service, they will also be available to our email service providers (”ESPs”). ESPs will only have access to your lists when you are sending an email. Once the email is sent, the ESPs no longer have access to your marketing list. Our ESPs are Mailgun, SendGrid, Sparkpost and Elastic Email. We don't, under any circumstances, sell or share your marketing lists with anyone else. If someone on your marketing list complains or contacts us, only then will we respond to that person. Only you, our authorised employees, and our ESPs have access to view your marketing lists.
We may also monitor those events for the purposes of administering our service (including checking for any abuse of our service) and research on patterns and trends in the use of our service. We will never use any Contact data for the purposes of that administration or generating that research. It will always be conducted on an aggregated and anonymised dataset, which does not identify any individual Contact.
You may export (download) your marketing lists from EmailOctopus at any time. We'll only ever use and disclose the information in your marketing lists for the reasons listed in this section or in the section entitled ’How we use your personal information’ above.
We will never use or disclose the information in your marketing lists to send our own informational and promotional content. If we detect abusive or illegal behaviour related to your marketing list, we may share your marketing list or portions of it with affected internet service providers (“ISPs”) or anti-spam organisations. We may also be required to disclose it to law enforcement or regulatory bodies. We will only do so if legally required.
We may conduct analysis on your use of the service and the results generated by your emails sent by means of the service. This analysis is conducted solely on an aggregated and anonymised basis.
All information you provide to us is stored on our secure servers. Any payment transactions will be carried out by Stripe over encrypted connections using SSL technology (see the ’Payment Information’ section above). Where we have given you (or where you have chosen) a password or API key which enables you to access certain parts of our site, or you have invited team members to access parts of our site, you are responsible for keeping this password or API key confidential.
We take security very seriously, and ‘privacy by design’ is baked into our engineering and product development principles but, as with any online service, despite our use of leading security tools and techniques, the personal data we hold about you can never be 100% immune from unauthorised access.
We may disclose your personal information to any company under the same ownership as us.
We may disclose your personal information to selected third parties, including:
You can additionally integrate your EmailOctopus account with third party apps, websites or other services with whom you have your own account independent of EmailOctopus. If you do decide to connect your account with that third party to EmailOctopus, the third party you integrate will as a result receive your marketing lists, information about your use of our services, and access to any other personal data you make available to them. All third parties you integrate in this way are your own data processors – they are not sub-contractors or sub-processors of Email Octopus. Information collected by these third parties is subject to their own terms and privacy policies. An example of such a third party is Zapier.
The periods for which we keep your information depend on why your information was collected and what we use it for. We will not keep your personal information for longer than necessary for our business purposes or for legal requirements.
Some account information will be held for 6 years from your last sign in or use of the service. Logs of your use of the services will be deleted within 13 months of your last sign in or use of the service.
We will keep your contact information, emails and lists for 13 months after your last sign in or use of the service, in case you decide to use our services again. We may contact you about our services during this time (unless you have asked us not to contact you for marketing purposes).
We are required to state the legal basis on which we undertake processing of your personal information. We will only use your information where:
Any consent you provide may be withdrawn at any time by emailing us.
You have the right to request access to personal data that we may process about you.
You have the right to require us to correct any inaccuracies in your data, free of charge. If you wish to exercise this right, you should:
You can access, correct, update or request deletion of your personal information at any time, either through your online account or by contacting us.
Deletion of data will be carried out on the understanding that removal of some information (e.g. email address) during an active membership term may negatively affect your ability to use the EmailOctopus service.
We cannot delete any invoices, as these are kept for tax purposes.
You can request that we restrict processing of your personal information, object to processing of your information or request portability of your personal information. For these requests please contact us. We will comply with your request where your rights have been exercised in accordance with applicable laws.
If we have collected and processed your personal information with your consent, then you can withdraw that consent at any time. To be clear, we may still continue to process your data if we have a different legal basis for doing so (for example, if we are required by law to do so, or we need to do so for the purposes of fulfilling our obligations to you under our terms and conditions of service).
You also have the right to ask us to stop processing your personal data for direct marketing purposes. You can do this through your EmailOctopus dashboard or via email. If you wish to exercise this right via email, you should:
If you have any questions or comments regarding our use of your data, please contact us by email. If you make a complaint to us and think we have not dealt with it to your satisfaction, you may send your complaint to the Information Commissioner for investigation. For more information on the Information Commissioner, and how to make a complaint, please visit their website.
We welcome your feedback and questions. If you wish to contact us, please send an email to firstname.lastname@example.org