GDPR Compliance
Our commitment to protecting EU user data
ArtaMail is fully committed to GDPR compliance. We have implemented technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently.
Our Role Under GDPR
When you use ArtaMail to send emails to your contacts, we act as a Data Processor on your behalf. You remain the Data Controller and are responsible for:
- Obtaining valid consent from your contacts
- Providing privacy notices to your contacts
- Responding to data subject requests
- Determining the purposes of data processing
Data Processing Agreement
We provide a Data Processing Agreement (DPA) to all customers that outlines our obligations as a data processor. This agreement covers the nature and purpose of processing, types of personal data, and our security measures.
Contact [email protected] to request a copy of our DPA.
GDPR-Compliant Features
- Consent Management - Track and manage consent for all contacts. Respect unsubscribe requests automatically.
- Data Portability - Export all your data in standard formats (JSON, CSV) at any time.
- Right to Erasure - Delete contact data permanently with a single API call or dashboard action.
- Data Minimization - We only collect and process data necessary to provide our service.
- Encryption - All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Audit Logs - Complete audit trail of all data access and modifications.
Data Storage Location
All data is stored on servers located in the European Union (AWS eu-west-1). We do not transfer personal data outside the EU/EEA without appropriate safeguards as required by GDPR.
Sub-processors
We use the following sub-processors to provide our service:
| Service | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, Email Delivery (SES) | EU (Ireland) |
| PostgreSQL | Database | EU |
| Redis | Queue Management | EU |
Data Subject Rights
We help you fulfill data subject requests from your contacts:
- Right of Access - Export contact data via API or dashboard
- Right to Rectification - Update contact data at any time
- Right to Erasure - Delete contacts permanently
- Right to Restrict Processing - Unsubscribe contacts from campaigns
- Right to Data Portability - Export in JSON/CSV format
Breach Notification
In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. We will provide all information necessary for you to fulfill your notification obligations to supervisory authorities and affected individuals.
Contact Our DPO
For any GDPR-related inquiries or to exercise your rights, contact our Data Protection Officer at [email protected].