1. Our Commitment to Data Protection
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that sets standards for how organizations collect, store, and process personal data. While SalesTub is based in India, we recognize the importance of GDPR and have implemented practices aligned with its principles.
Whether you're a data controller using SalesTub to manage customer relationships, or a data subject whose information is stored in our system, we're committed to protecting your rights and privacy.
Privacy by Design
We build privacy into our products from the ground up, not as an afterthought. Our architecture implements data minimization, purpose limitation, and security by default.
2. Data Subject Rights
GDPR grants individuals specific rights over their personal data. SalesTub provides tools and processes to help you fulfill these rights:
Right to be Informed
We provide clear information about how personal data is collected and used, through privacy policies and in-app notices.
Right of Access
Data subjects can request a copy of their personal data. We provide data export tools and respond within 30 days.
Right to Rectification
Data subjects can request correction of inaccurate data. Users can edit data directly or contact support.
Right to Erasure
Also known as the 'right to be forgotten'. We provide data deletion tools and process erasure requests promptly.
Right to Restrict Processing
Data subjects can request limited processing of their data. We can flag records for restricted processing.
Right to Data Portability
Data subjects can receive their data in portable formats. We support export to CSV and JSON formats.
Additional Rights
- Right to Object: Data subjects can object to processing based on legitimate interests
- Rights Related to Automated Decision-Making: Right not to be subject to decisions based solely on automated processing
3. Lawful Bases for Processing
Under GDPR, organizations must have a valid legal basis to process personal data. Here's how we approach data processing:
Consent
The user has given clear consent for processing their personal data
Example: Marketing emails with explicit opt-in
Contract
Processing necessary to fulfill a contractual obligation
Example: Storing contact details to deliver services
Legitimate Interest
Processing necessary for legitimate business purposes
Example: Account security and fraud prevention
Legal Obligation
Processing required to comply with the law
Example: Retaining financial records for tax purposes
4. GDPR Compliance Features
SalesTub includes built-in features to help you maintain GDPR compliance:
4.1 Consent Management
- Track consent status for each contact
- Record when and how consent was obtained
- Easy opt-out mechanisms
- Consent audit trails
4.2 Data Export & Deletion
- One-click data export in CSV/JSON formats
- Bulk data deletion tools
- Automated retention policies
- Deletion verification and logging
5. Your Responsibilities as a Data Controller
When you use SalesTub to store and process personal data, you act as the data controller. This means you are responsible for:
5.1 Obtaining Valid Consent
Before adding personal data to SalesTub, ensure you have obtained appropriate consent or have another valid legal basis. Document how and when consent was obtained.
5.2 Providing Privacy Notices
Inform individuals about how their data will be processed, including that you use SalesTub as your CRM platform. Your privacy policy should be transparent about third-party processors.
5.3 Responding to Data Subject Requests
You must respond to data subject requests within the required timeframes (typically 30 days). SalesTub provides tools to help you fulfill these requests efficiently.
5.4 Data Minimization
Only collect and store data that is necessary for your stated purposes. Regularly review stored data and remove what is no longer needed.
5.5 Maintaining Accuracy
Keep personal data accurate and up to date. Implement processes to verify and correct data regularly.
5.6 Breach Notification
If you become aware of a data breach, you may need to notify supervisory authorities within 72 hours and affected individuals without undue delay. Report any suspected breaches to us immediately.
6. Data Processing Agreement
As a SalesTub customer, you may need a Data Processing Agreement (DPA) to document our relationship as processor and controller.
Our DPA Covers:
- Subject matter and scope of processing
- Our obligations as a data processor
- Security measures and sub-processors
- Data subject rights assistance
- Breach notification procedures
Available for all paid plans
7. Sub-processors
We use carefully selected sub-processors to provide our services. All sub-processors are bound by data protection agreements and comply with GDPR requirements.
Infrastructure Providers
- Google Cloud Platform (GCP) — Cloud hosting and computing (EU/US regions available)
- Supabase — Database hosting (EU region available)
- Upstash — Redis caching (GDPR compliant)
Communication Services
- SendGrid — Transactional email delivery
- Intercom — Customer support chat
Payment Processing
- Stripe — Payment processing (PCI DSS Level 1)
- Razorpay — Payment processing for India
We notify customers of any changes to sub-processors. For a complete and current list, please contact privacy@salestub.com.
8. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for international transfers
- Adequacy Decisions: Where applicable, we transfer to countries with EU adequacy decisions
- Data Localization: EU region hosting available for Enterprise customers
8.1 Data Storage Locations
By default, data may be stored in our primary data centers in India and the US. Enterprise customers can request EU-only data residency.
9. Contact Us
Our privacy team is here to help with any GDPR-related questions or data subject requests.
- Privacy Team: privacy@salestub.com
- Data Protection Officer: dpo@salestub.com
- DPA Requests: Request a DPA
Response Times
- Data subject requests: Within 30 days
- DPA requests: Within 5 business days
- General inquiries: Within 2 business days