General Data Protection Regulation (GDPR)

Last updated on July 2024

What is it?

The primary goal of the GDPR (General Data Protection Regulation) is to create a unified and coherent data protection framework across the European Union. This regulation aims to enhance data protection and privacy rights for individuals within the EU and to harmonize data privacy laws across member states, ensuring consistent protection of personal data and reshaping how organizations handle data privacy.

GDPR establishes several key data protection principles that organizations must follow when processing personal data. These principles ensure that personal data is handled appropriately and with respect for individuals’ privacy. The main data protection principles under GDPR are:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • Accountability: The data controller is responsible for and must be able to demonstrate compliance with these principles.

Why is it important?

  • GDPR significantly enhances the protection of personal data and privacy rights for individuals in the EU. It provides individuals with greater control over their personal information and at the same time ensures that data protection is an integral part of the business operations.
  • By creating a single, unified data protection framework across all EU member states, GDPR simplifies compliance for businesses operating in multiple EU countries.  Although GDPR is an EU regulation, its reach extends globally. 

Data Processing Addendum

We offer a Data Processing Addendum (DPA) for our customers who collect data from folks in the EU. There will be no action needed on the part of our current Visitly customers. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. 

To guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign customers’ DPAs. As a small team, we are unable to make individual changes to our DPA as we do not have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.

If you have any questions or concerns please let us know.


We’ve updated our cookie policy to provide you with complete transparency into what is being set when you visit our site and how it’s being used. On our cookie policy page, you can also read about steps you can take to control how your browser handles cookies.

Clear and concise terms of service and privacy policy

At Visitly we practice transparency internally and we believe that transparency extends to our customers. Our Terms of Service and Privacy Policy openly describe what personal data is collected and processed, why, and how we use it, who we share it with, and how long we store it. We have always made an effort to keep the language in our Terms of Service and Privacy Policy as clear as possible and we have updated these notices to describe how we are respecting and protecting your personal data. We hope you find it concise, transparent, intelligible, and easily accessible.

Individual Data Subject’s Rights – Data Access, Portability and Deletion

We are committed to helping our customers meet the data subject rights requirements of GDPR. Visitly processes or stores all personal data in fully vetted, DPA compliant vendors. We do store all conversation and personal data for up to 6 years unless your account is deleted. In this case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, but we will not hold it for longer than 60 days.

We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve, and remove personal data. We got you! We’ve been set up as self service from the start and have always given you access to your data and your customers data. You can search for and delete any end users conversation through our help desk UI. If you need to export your end users data in a computer readable format you are able to do so through our Mailbox API. Our customer support team is here for you to answer any questions you might have about working with the API.

Risk Assessment (data protection impact assessments)

Having a managed data protection impact assessment (DPIA) process is a requirement for GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Visitly engineering team has always undergone security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on customers of Visitly and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the Visitly platform. We will continue to execute this risk assessment process as we expand the Visitly offerings.

Breach Management

We already have a breach management and communication plan in place to comply with the GDPR concerning the escalation process and requirements for data subject notification.

We are here for you

At Visitly we strongly believe that your data privacy is very important and we already have solid security and privacy practices in place that go beyond the requirements of GDPR. If you have any questions, please don’t hesitate to reach out.