
General Data Protection Regulation (GDPR) & UK DPA Compliance

Last Updated: October 22, 2025

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that governs how personal data must be collected, stored, and processed. CRMx complies with GDPR and the UK Data Protection Act 2018 (UK DPA) to ensure protection of personal information. This statement explains our compliance obligations, our responsibilities as a service provider, and your responsibilities as a customer or user.

2. Definition of Personal Data

Personal Data means any information that relates to an identified or identifiable person. Examples include name, email address, phone number, company details, IP address, device identifiers, and user interaction data such as heatmaps, clicks, scrolls, and session recordings.

3. Legal Basis for Processing

CRMx processes personal data under the following legal bases:

  • Contract – to provide the services you subscribe to.
  • Legitimate Interests – service improvement, fraud prevention, and security.
  • Consent – where required, e.g., cookies or marketing opt-ins.
  • Legal Obligation – compliance with tax, audit, or regulatory requirements.

4. Roles and Responsibilities

CRMx (Processor): We process data on behalf of our customers, implement strong security measures, and support data subject rights requests.

Customer (Controller): You are responsible for collecting data lawfully, obtaining consent where required, configuring CRMx properly, and responding to your users’ GDPR requests.

End User: Responsible for safeguarding their login credentials and exercising their GDPR rights.

5. Data Subject Rights

Under GDPR and UK DPA, individuals have the right to:

  • Access their data
  • Request correction of inaccurate data
  • Request deletion of data (“right to be forgotten”)
  • Restrict or object to processing
  • Receive their data in a portable format (data portability)
  • Withdraw consent at any time

Requests can be made via privacy@crmx.uk.

6. Data Retention

  • Account/profile data: retained while the account is active and for up to 24 months afterwards.
  • Analytics data (heatmaps, recordings, email engagement): retained for 12 months, then deleted or anonymised.
  • Payment records: retained for 7 years (tax compliance).
  • Logs: retained for up to 90 days.
  • All data is deleted on account cancellation, subject to legal retention requirements.

7. Security Measures

  • Encryption in transit (HTTPS/TLS) and at rest
  • Role-based access controls
  • Regular system monitoring and patching
  • Session and cookie management
  • No hidden tracking or backdoors

8. Data Breach Policy

If a data breach occurs, CRMx will notify affected customers without undue delay. Customers, as Controllers, remain responsible for notifying their own end-users and regulators as required by law. CRMx cannot be held liable for breaches caused by customer misconfiguration, weak passwords, or insecure third-party systems.

9. International Data Transfers

Where data is transferred outside the UK/EU, CRMx uses appropriate safeguards such as EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or adequacy decisions where applicable.

10. Disclaimer

While CRMx takes commercially reasonable measures to protect personal data, no system is 100% secure. Customers remain responsible for lawful collection of data, proper system configuration, and protecting credentials. CRMx disclaims liability for damages resulting from customer negligence, third-party breaches, or risks inherent to internet communications.