We take data security very seriously, and we’re committed to providing a service that is safe and accessible to all of our customers.
The General Data Protection Regulation (GDPR) is a new European privacy law that went into effect on May 25, 2018. The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. These data protection laws require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data at any time), and ensure appropriate security protections are put in place to protect the personal data they process.
Who does the GDPR apply to?
The GDPR applies to all businesses and individuals based in the EU and to those outside the EU that process the personal data of EU individuals. Personal data, as definied by the GDPR, is any information relating to an identified or identifiable natural person. This includes data that is obviously personal (such as a name or email address) as well as data that can be used to identify an individual indirectly (such as an IP address).
Basin and GDPR
Since our initial launch, we’ve received many questions asking about our plans for GDPR compliance. What follows here are all the important points regarding Basin and the GDPR.
Transparent information about data processing
Article 4 of the GDPR defines data controllers and data processors as:
Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor - a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
Basin as a Data Controller
If you create an account in Basin, we will ask you for a valid email address. You are not required, nor do you have the option, to give us any additional personal information, such as name, phone number, or a photograph (avatar). Your email address is used as the primary key for our service, and is the only personal information we collect from you.
Why we collect this and how we use it
- We need your email address to create your account, and provide the services you request.
- We use your email address to identify you on Basin.
- We will use your email address to communicate with you about product updates. You can change your email and unsubscribe from those messages at any time.
NOTE: We do NOT store any credit card information. For that we use an external service:Stripe.
You as a Data Controller
You determine which data is collect from your end users. It is your responsibility as a Basin account owner to limit the collection of Personally Identifiable Information and adhere to ourTerms of Service, which follow GDPR requirements. As a Basin account owner, we provide you with a toolkit to adherence to GDPR requirements simple and straightforward.
- Within your individual account settings, you are provided with all the tools needed to manage your own personal data, in addition to the ability to request that Basin change or delete all or some of your own personal data.
- Within your individual form settings, you are provided with all the tools needed to manage the personal data of those who submit to your form, including permanently deleting it from our service.
- Individuals who submit to your forms are sent a submission receipt that contains a link to our GDPR request page which allows them to request a change in how their personal data is used or to permanently delete it from our service.
- If you intend to use Basin to collect racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Review GDPR Article 9 to ensure it is not prohibited.
Basin as a Data Processor
All data stored in Basin's service is defined by our users. It is the responsibility of our users as data contollers to ensure that the personal information they collect through Basin powered forms is GDPR compliant.
Lawful basis for data processing
All data collected by Basin is in the legitimate interesest of our users, both the account owners and the submissions which they receive. For account owners, we require the minimal amount of Personally Identifiable Information to perform billing, ensure legitimate users, and prevent abuse. When an end user submits data to an account owner's form, that is all we collect. When a user’s submission is sent to Basin, it functions as expected. The account owner is notified of the submission and the data is passed along.
Right of access and Right to be forgotten
Basin does not ask for more personal data from our users than we need to provide our service. We provide you the ability to access and delete both the data you have given us and the data your form submitters have given to you at any time.
Closing your Basin account automatically deletes any and all associated data, including submission data for your forms. When you delete individual submissions from your forms, they are permanently removed from our storage systems and cannot be restored.
As part of our limited data retention policy, submissions are automatically deleted after 48 months. Spam and trashed submissions are deleted every few hours.
Notice of security breaches
Basin takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information at all times. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue.
We use the following services that have already confirmed their commitment to GDPR compliance:
- Amazon Web Services- S3 for cloud storage (Canada)
- Postmark- Transactional Email (US)
- Stripe- Payment processing (US)
- Digital Ocean- Hosting infrastructure for Basin's website, workers, and data.
- Cloudflare- DNS management (US)
- Cloud 66- DevOps (US)
Data Removal Request
To exercise your rights and make a request to change or permanently delete your data from our serive, please use the link below and follow the instructions.