GDPR Compliance
SenderWiz is fully committed to GDPR compliance. We protect the rights of individuals in the EEA and provide built-in tools to help you stay compliant.
Last updated: March 2026
1. Our Commitment to GDPR
SenderWiz is committed to full compliance with the General Data Protection Regulation (GDPR), which protects the personal data and privacy rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.
We have implemented comprehensive technical and organizational measures to ensure that personal data is processed lawfully, transparently, and securely. This page outlines how we handle personal data in accordance with GDPR requirements and how we help our users maintain their own compliance.
2. Our Role as Data Controller & Processor
Under the GDPR, SenderWiz operates in two distinct capacities depending on the type of data being processed:
SenderWiz as Data Processor
When you use SenderWiz to send emails to your subscribers, we act as a data processor on your behalf. You (the user) are the data controller who determines the purposes and means of processing your subscriber data.
- We process subscriber email lists, campaign data, and engagement metrics strictly according to your instructions
- We do not use your subscriber data for our own marketing purposes
- We maintain Data Processing Agreements (DPAs) that clearly define our processing obligations
- We implement appropriate technical and organizational safeguards for all data we process
SenderWiz as Data Controller
For data we collect directly from you — such as account information, billing details, and usage analytics — we act as the data controller.
- We determine the purposes of processing account, billing, and analytics data
- We are responsible for ensuring this processing meets GDPR requirements
- We provide transparency about what data we collect and why through our Privacy Policy
3. Lawful Basis for Processing
We process personal data only when we have a valid lawful basis under GDPR Article 6. The specific lawful basis depends on the type of data and processing activity:
- Contractual Necessity (Art. 6(1)(b)): Processing necessary to provide our email marketing services, manage your account, process payments, and deliver the features you have subscribed to
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including platform improvement, fraud prevention, security monitoring, and aggregate analytics — balanced against your rights and interests
- Consent (Art. 6(1)(a)): Processing based on your explicit consent, including marketing communications from SenderWiz, non-essential cookies, and optional data sharing. You can withdraw consent at any time without affecting prior processing
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, tax regulations, anti-money laundering requirements, and lawful government requests
4. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data. We extend these rights to all users regardless of location:
- Right of Access (Art. 15): Request a complete copy of all personal data we hold about you, including the purposes of processing, categories of data, and recipients. We will provide this within 30 days in a structured, machine-readable format
- Right to Rectification (Art. 16): Request correction of any inaccurate or incomplete personal data. You can update most account information directly from your dashboard
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") when it is no longer necessary for the purpose it was collected, or when you withdraw consent. Some data may be retained where required by law
- Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances, such as while we verify the accuracy of contested data or evaluate an objection
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller without hindrance
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests
- Right Related to Automated Decision-Making (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you
To exercise any of these rights, visit our contact page. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will notify you.
5. Data Processing Agreements
We maintain comprehensive Data Processing Agreements (DPAs) with all sub-processors who handle personal data on our behalf. Our DPAs include:
- Clear definition of processing scope, purpose, and duration
- Obligations regarding data security, confidentiality, and access controls
- Requirements for sub-processor notification and approval
- Data breach notification procedures and timelines
- Audit rights and compliance verification provisions
- Data deletion and return obligations upon termination
Enterprise customers can request a copy of our DPA by visiting our contact page. We also provide a list of our current sub-processors upon request.
6. International Data Transfers
When personal data from the EEA, UK, or Switzerland is transferred to countries that do not provide an adequate level of data protection, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the latest SCCs adopted by the European Commission (June 2021) for all international transfers
- Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the legal framework of recipient countries
- Supplementary Measures: We implement additional technical safeguards including encryption, pseudonymization, and access controls
- Adequacy Decisions: Where applicable, we rely on European Commission adequacy decisions for transfers to approved countries
7. Data Breach Notification
We take data breaches extremely seriously and have documented procedures to detect, respond to, and report security incidents:
- Controller Notification: In the event of a personal data breach that affects data we process on your behalf, we will notify you (the data controller) without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Supervisory Authority: Where required, we will assist you in notifying the relevant supervisory authority with all necessary details
- Data Subject Notification: If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will assist you in notifying affected data subjects as required by GDPR Article 34
- Breach Documentation: We maintain detailed records of all security incidents, including their nature, effects, and remedial actions taken
8. Data Protection Officer
For GDPR-related inquiries, data access requests, or to exercise any of your data protection rights, our privacy team is available to assist you.
For GDPR-related inquiries, data access requests, or to exercise your rights:
Contact Us
Decet Technology — Pune, Maharashtra, India
9. GDPR Features in SenderWiz
Our platform includes a comprehensive suite of built-in tools designed to help you stay GDPR compliant in your email marketing activities:
- Double Opt-In Forms: Configurable subscription forms with double opt-in confirmation to ensure valid, verifiable consent from every subscriber
- One-Click Unsubscribe: Every email sent through SenderWiz includes a one-click unsubscribe link in the header (List-Unsubscribe) and footer, making it easy for recipients to withdraw consent
- Consent Tracking & Audit Logs: Detailed records of when and how each subscriber gave consent, including timestamp, source, IP address, and consent text — ready for regulatory audit
- Data Export & Deletion Tools: Self-service tools to export subscriber data in CSV/JSON format or permanently delete individual subscriber records to fulfill data subject requests
- Configurable Data Retention: Set custom data retention policies to automatically purge inactive subscriber data, campaign logs, and engagement metrics after your specified period
- Suppression List Management: Maintain global and campaign-level suppression lists to ensure unsubscribed and bounced contacts are never re-emailed across any campaign