Our commitment to GDPR
DPO CRM Ltd. is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and the Data Protection Act 2018. We were built GDPR-compliant from day one.
Your rights under GDPR
If you are a resident of the UK or EU (or otherwise subject to GDPR), you have the following rights regarding your personal data:
Right to be informed
You have the right to know what personal data we collect, how we use it, and who we share it with. See our Privacy Policy for full details.
Right of access
You can request a copy of all personal data we hold about you. We will respond within 30 days, free of charge.
Right to rectification
If any data we hold about you is inaccurate or incomplete, you have the right to have it corrected.
Right to erasure ("right to be forgotten")
You can request that we delete your personal data, subject to certain legal exceptions (e.g., tax record retention).
Right to restrict processing
You can ask us to limit how we use your data in certain circumstances.
Right to data portability
You can request your data in a structured, commonly used, machine-readable format (CSV or JSON), and have it transmitted to another controller.
Right to object
You can object to processing of your data for direct marketing or based on legitimate interests.
Rights related to automated decision-making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently use automated decision-making.
How to exercise your rights
To exercise any of your GDPR rights, contact our Data Protection Officer:
Email: privacy@dpo.finance
Post: Data Protection Officer, DPO CRM Ltd., 20 Farringdon Street, London EC4A 4AB
We respond to all GDPR requests within 30 days.
Legal basis for processing
We process personal data under the following GDPR lawful bases:
- Contract — to provide our services to you
- Legitimate interests — to operate, secure, and improve our services
- Legal obligation — to comply with applicable laws (e.g., tax, accounting)
- Consent — for marketing communications and optional features
Data Processing Agreement (DPA)
For customers who use DPO CRM to process personal data of their own customers (acting as Data Controllers), we offer a Data Processing Agreement that meets GDPR requirements. Our standard DPA is available upon request and is automatically incorporated into Enterprise contracts.
To request a DPA, email privacy@dpo.finance.
International data transfers
Customer data is primarily stored in EU (Frankfurt) and UK (London) data centres. Where data is transferred outside these regions, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements where applicable
- Adequacy decisions where available
Sub-processors
We use a limited number of carefully vetted sub-processors. A current list is maintained and available upon request. We require all sub-processors to provide GDPR-compliant data protection guarantees.
Data breach notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay
- Document the breach and our response
Supervisory authorities
If you have a complaint about how we handle your data, you have the right to lodge it with a supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your local Data Protection Authority
However, we encourage you to contact us first — we are committed to resolving any concerns directly.
Updates to this notice
We review our GDPR compliance practices regularly and may update this page accordingly. Material changes will be communicated to customers by email.