GDPR & Privacy
EmailSendX is built with GDPR compliance in mind. We act as a data processor — you are the controller of your subscribers' personal data and responsible for the lawful basis on which you process it.
Overview
The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of individuals in the European Union, regardless of where the organization is based.
EmailSendX as Data Processor
EmailSendX processes personal data (subscriber emails, names, metadata) on your behalf, under your instructions. We do not use your subscriber data for our own purposes.
You as Data Controller
You determine why and how subscriber data is collected and used. You are responsible for ensuring you have a lawful basis for sending marketing emails and for honoring data subject requests.
Lawful Basis for Email Marketing
Under GDPR, you must have a lawful basis to process personal data. For marketing emails, the most appropriate basis is typically consent. Less commonly, legitimate interests may apply (e.g., emailing existing customers about related products).
Consent
Subscriber explicitly agreed to receive marketing emails — ideal for newsletters and promotional campaigns.
Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent.
Legitimate Interests
You have an existing relationship with the recipient and the email is relevant to that relationship (e.g., product updates to paying customers).
Must conduct a Legitimate Interests Assessment (LIA) and consider whether the interest overrides the subscriber's privacy rights.
Consent Tracking
EmailSendX supports two opt-in methods:
Single Opt-in
Subscriber submits their email → contact is immediately added as active. Simpler for the subscriber but provides no email verification or double-consent record.
Double Opt-in (Recommended)
Subscriber submits email → confirmation email is sent → subscriber clicks the confirmation link → contact is activated. Provides verified consent with a timestamp. Enable in Workspace Settings → Signup Forms → Require double opt-in.
The consent timestamp (when the contact was confirmed) is stored on the contact record and visible in the contact profile. Export it as part of a data subject access request.
Data Export (Right of Access)
When a subscriber requests their data (GDPR Article 15 — right of access), you can export everything EmailSendX holds about them:
- Email address, first/last name
- Contact status and consent timestamp
- Metadata (custom fields)
- List and segment memberships
- Email activity history (opens, clicks, bounces)
To export a single contact's data: Contacts → (find contact) → Export Data. Downloads a JSON file with all stored fields and activity history.
To bulk export all contact data: Contacts → Export → CSV. Select which fields to include.
You can also retrieve a contact's data programmatically via the Contacts API.
Deletion Requests (Right to Erasure)
Under GDPR Article 17, subscribers have the right to request deletion of their personal data ("right to be forgotten").
To process a deletion request in EmailSendX:
- Find the contact in Contacts → search by email.
- Click the contact to open their profile.
- Click Delete Personal Data (under the action menu).
- This action removes the name, metadata, and all personal identifiers, while retaining the email address as a hash for suppression purposes (to prevent the contact from being re-added by accident).
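The erase-then-suppress behaviour described in the steps above, as an added example that is not EmailSendX's own code. It assumes the retained hash is an HMAC-SHA256 over the trimmed, lowercased address with a server-side key; `ContactStore`, `suppression_digest` and `SUPPRESSION_KEY` are hypothetical names, and the addresses are constructed.

```python
import hashlib
import hmac

# Assumption: a server-side key makes the stored digests useless to anyone
# who tries to recover addresses by hashing lists of known emails.
SUPPRESSION_KEY = b"constructed-demo-key-not-a-real-secret"


def normalize(email: str) -> str:
    """Canonical form so ' Ann@Example.com' and 'ann@example.com' match."""
    return email.strip().lower()


def suppression_digest(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalized address; this is all that survives erasure."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


class ContactStore:
    def __init__(self):
        self.contacts = {}       # normalized email -> profile fields
        self.suppressed = set()  # digests of erased addresses, no plaintext

    def add(self, email, **profile):
        """Refuse to (re-)add an address whose digest is on the suppression list."""
        if suppression_digest(email) in self.suppressed:
            return False
        self.contacts[normalize(email)] = dict(profile)
        return True

    def erase(self, email):
        """Drop every personal field, keep only the digest for suppression."""
        removed = self.contacts.pop(normalize(email), None)
        self.suppressed.add(suppression_digest(email))
        return removed is not None

    def bulk_import(self, rows):
        """Import rows of {'email': ..., fields}; return the addresses skipped."""
        return [row["email"] for row in rows if not self.add(**row)]


if __name__ == "__main__":
    store = ContactStore()
    store.add("Ann@Example.com", first_name="Ann")
    store.erase("ann@example.com")
    # A later CSV import that still contains the erased address is filtered.
    print(store.bulk_import([{"email": "ANN@example.com", "first_name": "Ann"},
                             {"email": "bob@example.com", "first_name": "Bob"}]))
```

Normalizing before hashing matters: without it, a re-import that differs only in case or whitespace would bypass the suppression list.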
Why we retain a hash
Data Processing Agreement (DPA)
Under GDPR, if you are a data controller and EmailSendX is your data processor, you are required to have a Data Processing Agreement in place. Our DPA covers:
- The nature and purpose of processing
- Categories of personal data processed
- Sub-processors used (AWS, etc.)
- Security measures and breach notification obligations
- Data subject rights assistance
To request a signed DPA, email legal@emailsendx.com with your company name and email address. We typically respond within 2 business days.
Questions about compliance?
For specific compliance questions or to request a DPA, contact our legal team.