Compliance with GDPR

The EU recently approved the General Data Protection Regulation (GDPR) and will begin strictly enforcing it on May 25, 2018. This regulation will impact ConvertKit Customers and Subscribers, so we are currently auditing all of our processes to make sure we will be compliant on or before the deadline.

What is the GDPR?

From the official website:

"[The GDPR] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." 

In short, it will streamline data privacy across the EU, and put in place new privacy protections for EU citizens. The way that we are getting compliant as a US company is by becoming a Certified Privacy Shield Member. 

What is Privacy Shield?

Privacy Shield is an agreement between the EU, Swiss and US governments to allow US companies to comply with EU and Swiss data regulations.

Privacy Shield was created specifically for US companies, and may have a different set of regulations or requirements than a company operating in the EU. 

We are working toward our Privacy Shield certification, and once we have it, we will have what is considered "adequate privacy protection for the transfer of personal data outside of the EU and Switzerland."

Will I be affected?

Likely, yes. If you currently reside in the EU, or have subscribers that reside in the EU, you need to be GDPR-compliant. We are taking care of what we need to on our end, and we would absolutely recommend you familiarize yourself with the regulation to make sure you are taking all necessary steps as well!

What we are doing to get compliant:

We are currently auditing and updating all of our data processes to ensure compliance. We will be updating our privacy policy and documenting our data handling processes publicly, and we will become certified under Privacy Shield.

We are already compliant in many areas: 

  • You may close your ConvertKit account at any time and request that we remove all of your information and associated data, and we will delete it in its entirety
  • You may opt-out of our marketing emails and product updates at any time by clicking "unsubscribe" or by sending an email to
  • You may access and update your ConvertKit account settings at any time, or send us an email at any time requesting we update that information
  • You own your list--you can export your subscribers at any time, as long as you are compliant with our terms of service

And we also have measures in place to protect your subscribers' privacy:

  • You may delete subscribers at any time at their request, or we may honor their request to be removed from your list or any list if we are contacted by them directly
  • You may access and update your Subscribers' data at any time
  • We provide an unsubscribe link automatically at the bottom of each email sent from ConvertKit, allowing them to opt out at any time. Additionally, we'd encourage you to use custom unsubscribe links to allow Subscribers to update their preferences

New ConvertKit features to help customers comply with GDPR

We're building four new tools you can use to find your EU subscribers, establish explicit consent, and comply with the GDPR.

  1. Find my EU subscribers — Right now ConvertKit stores location data for each subscriber, but only as being within x miles of a specific city. This can make it time-consuming to select all of your subscribers inside the EU. We are building a new feature so you can select your subscribers by country and region.
  2. Data Processing Agreement — Our Data Processing Agreement (DPA) offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our customers. Each customer processing personal data on behalf of EU/EEA individuals will be able to sign this contract with ConvertKit and keep it on file for their records.
  3. Method to request data deletion — Under GDPR, each of your subscribers in the EU has the right to erasure (or the right to be forgotten), meaning they can contact you and we will delete all of their personal data from our systems. We will be providing a method for you to initiate this deletion process in our Privacy Shield-compliant Privacy Policy, which we'll be releasing soon.
  4. Custom form checkboxes if the visitor is within the EU — This feature will be enabled on the account level and add an unchecked checkbox to each opt-in form (or a page after the form is submitted) for subscribers to verify that they are consenting to receive marketing emails. If it remains unchecked the subscriber would receive the opt-in incentive (e.g. a free guide), but would not be subscribed to any lists.

Each of these features will be in place before the May 2018 deadline—though we understand that you want the tools to become compliant as quickly as possible, so we’re working hard to build them out for you!

Our recommendations for you:

First, consult with a lawyer for specific recommendations for your business. Please take the following as suggestions, and understand they should not be considered legal advice. 

On any Forms or Landing Pages you use, whether our ConvertKit Forms or another app, you should make your intentions specific and very clear. Will you send them regular newsletters, occasional offers, or share this list with anyone else? If someone purchases your product on another platform, will they be added to ConvertKit? Your subscribers should be aware of how their sensitive information (email and any other data you collect) will be handled.

It should be very easy for your subscribers to give you permission to send them email. Some suggestions would be: state it clearly on your form, use a double opt-in process on your Forms, or remind them where they subscribed in the footer of your emails.

Perform regular backups of your list. Keeping up-to-date information, especially proof of consent from your subscribers, can be helpful if required.

Frequently Asked Questions: 

Does GDPR mean that I need to use double opt-in on all of my forms? 

Based on our understanding of the GDPR, we do not believe you will be required to use double opt-in on all forms. Double opt-in can be the only way some countries and courts accept consent, however, so it may be a good idea to enable it wherever possible to best protect yourself and your business. Plus, double opt-in is great for your engagement and deliverability!

If you are not sure how to proceed, please contact an attorney for specific recommendations for your business. 

Do I need to have my entire list re-confirm their subscription? 

No, you do not. Provided you have proper consent of your list currently, you do not need to ask them to re-confirm their subscription. We would also strongly recommend running regular re-engagement campaigns to ensure your list is still active and interested in hearing from you!

How can I get updated on your compliance? 

As soon as we are fully compliant, we will be sure to share that with all customers. For now, the best place to stay up to date is this article--bookmark it and check back for any updates on our progress! 

We are happy to protect the privacy of our customers and our customers' subscribers, and look forward to being compliant with such consumer-focused legislation. 

If you have any questions, please reach out to 
