General Data Protection Regulation and Postmatic

As a Postmatic customer you may be wondering how using our products affects the GDPR compliance of your site. The quick answer is that Postmatic was built from the ground up to respect privacy and user data, so we’re already way ahead of most email-related services.

What’s GDPR?

The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It’s a single set of rules which governs the processing and monitoring of EU data.

Does it affect me?

Yes, most likely. If you hold or process the data of any person in the EU, the GDPR applies to you, whether you are based in the EU or not. This is especially true if you use either Postmatic or Replyable.

Data processing agreement and privacy policy

Our privacy policy outlines the data we process and store on your behalf. In a nutshell, we log the minimum amount of data for the minimum amount of time to provide you with a quality level of service. This includes:

Products covered: Postmatic (Free), Postmatic (Paid), Replyable (Free), Replyable (Paid), Elevated Comments

Comment Subscriptions
  - Names of commenters who double opt-in to conversation subscriptions
  - Email addresses of commenters who double opt-in to conversation subscriptions
  - Anonymized comment content

Post Subscriptions
  - Post content
  - Names of subscribers who double opt-in to conversation subscriptions
  - Email addresses of subscribers who double opt-in to conversation subscriptions

Site Owner Information
  - Customer name
  - Site URL
  - Customer email address

If you use the free version of either Postmatic or Replyable

The free versions of both of our plugins do not send any of your user data through our servers, therefore you do not need to sign a DPA (data processing agreement) with us. You are still storing user data in your local WordPress installation though, so you should take necessary steps to ensure GDPR compliance for your own site. There are quite a few guides available to help with that – one of the best is at CodeinWP.

How we treat consent

Postmatic and Replyable both make it impossible to subscribe to posts or comments without a double opt-in. Therefore there are no Postmatic subscribers in your system who have not manually verified their subscription. You’re all clear there.

Proof of consent

Keeping proof of users' consent is mandatory under the new GDPR rules. In both Postmatic and Replyable, when a user consents to a subscription through the double opt-in, a record of that consent is stored in their user_meta profile. You can export all of this information from the Users screen in your local WordPress installation.

Data export and portability

GDPR also requires you to offer your users the ability to request a copy of their data for portability reasons. The downloaded data export file should be in a machine-readable format (rather than a human-readable one). Postmatic by default collects only names and email addresses, which are included in a standard user export (see above).

Data modification and integration right

Since Postmatic subscribers can edit their own profile via the Profile screen in WordPress (which you can make available to them via a plugin like Theme My Login), there are no further actions for you to take here.

Data removal

Users who wish to have their data removed from your site do not currently have a built-in way in WordPress to do so. We recommend creating a form on your site through which a user can request that you delete their profile.

If you use the paid version of Postmatic or Replyable

Since subscription agreements and comment content flow through our servers, Postmatic is considered a Data Processor under the GDPR.

Strong data protection commitments are a key part of GDPR’s requirements. Our data processing agreement shares our privacy commitments and sets out the terms for Postmatic and our customers to meet GDPR requirements. This is available for customers to sign upon request.

How we treat consent

Postmatic and Replyable both make it impossible to subscribe to posts or comments without a double opt-in. Therefore there are no Postmatic subscribers in your system who have not manually verified their subscription. You’re all clear there.

Proof of consent

Keeping proof of users' consent is mandatory under the new GDPR rules. In both Postmatic and Replyable, when a user consents to a subscription through the double opt-in, a record of that consent is stored in their user_meta profile. You can export all of this information from the Users screen in your local WordPress installation.

Data export and portability

GDPR also requires you to offer your users the ability to request a copy of their data for portability reasons. The downloaded data export file should be in a machine-readable format (rather than a human-readable one). Postmatic by default collects only names and email addresses, which are included in a standard user export (see above).

Data modification and integration right

Since Postmatic subscribers can edit their own profile via the Profile screen in WordPress (which you can make available to them via a plugin like Theme My Login), there are no further actions for you to take here.

Data removal

Users who wish to have their data removed from your site do not currently have a built-in way in WordPress to do so. We recommend creating a form on your site through which a user can request that you delete their profile.

End-users wishing to have their data removed from our servers can request this using the form below, or wait for the data to be flushed automatically within 30 days of their last interaction.

Partner and External Providers

Email sent by your paid Postmatic or Replyable service is delivered through our partner, Mailgun. Mailgun adheres to the same level of privacy and 30-day log rotation to which we hold ourselves, governed by a DPA.

Request the removal of your data from Postmatic servers

If you are a Postmatic customer or end-user and would like to have your data fully removed from our servers please fill out the form below.