Introduction
The General Data Protection Regulation (GDPR) defines how you must handle personal data. In email marketing, this revolves around transparency, consent, and security. Xendy supports you in this, but you are responsible for how you collect and use data.
Roles under the GDPR
You (controller)
- You determine why and how personal data is processed.
- You must have consent and be transparent.
- Data must remain accurate and up to date.
Xendy (processor)
- Processes data on your behalf, such as storing contacts, sending emails, and storing related statistics.
- Ensures security and compliance through clear procedures.
What does Xendy manage?
Xendy takes various measures to process personal data securely and help you comply with the GDPR. Below are the key components that Xendy provides by default.
Data Processing Agreement (DPA)
- Available via your account: in Xendy you can easily view and sign the DPA.
- Content: the agreement describes which data Xendy processes on your behalf, how it is secured, and what rights you and your contacts have.
- Purpose: this legally confirms that the processing of personal data is GDPR-compliant.
Security
- Encryption: all data is encrypted both during transfer (e.g. when sending emails) and when stored in our systems.
- Access controls: only authorized employees have access to sensitive data, always restricted to what is necessary.
- Daily backups: this ensures data can be quickly restored in case of incidents or loss.
- ISO 27001-aligned: Xendy follows international standards for information security.
Data retention
- Active accounts: data is retained as long as you actively use Xendy.
- Termination: when you cancel your account, all data is deleted within 90 days, unless a legal obligation requires longer retention.
Sub-processors
- Trusted partners: Xendy only works with sub-processors that comply with the GDPR, such as hosting or infrastructure providers.
- Transparency: an up-to-date list of sub-processors is available so you always know who may have access to data.
Incident response
- Detection: potential data breaches or suspicious activities are actively monitored.
- Notification: if a data breach occurs, you will be informed within 24 hours.
- Instructions: you will receive guidelines on how to correctly inform authorities and/or affected individuals.
- Resolution: Xendy immediately takes measures to resolve the issue and prevent recurrence.
What can you do yourself?
In addition to the measures taken by Xendy, you play an important role as the controller of personal data. You determine how and why you collect and process data. Below are the key points you must manage yourself.
Consent
Always request explicit consent before sending someone an email. Use clear and specific language so a contact knows exactly what they are signing up for, such as a newsletter or promotions. Assuming consent after the fact or using vague wording is not sufficient.
- Integration: if you use a webshop or other integration, such as via webhooks, ensure you exclude anyone who has not actively opted in. You can do this under ‘Inactive contacts’ in the left menu. Xendy imports all customers from your webshop by default.
Data rights
Your contacts have the right to access, correct, or delete their data. Ensure you can provide an overview of stored data upon request. Update incorrect data, or fully delete it if someone asks. You must also respect a contact's request to temporarily restrict the processing of their data.
- Edit contact: you can manage each individual contact by clicking on it. A sidebar opens with all known data for that contact. Click ‘Edit’ to modify fields.
- Delete contact: go to ‘All contacts’ in the left menu and search for the contact you want to delete. Once found, click the ‘3 dots’ on the right. Choose ‘Delete’. Confirm this action and the contact will be removed from your Xendy account. Note: if you use a webshop integration, don’t forget to also remove the contact and its orders in the webshop. If you only delete the contact in Xendy, it will be re-imported during the next sync.
Secure handling
Limit access to personal data within your organization. Only team members who truly need this data for their work should have access. This reduces unnecessary risks.
- Manage users: go to ‘Settings’ and then ‘Users’ in the left menu to manage all users. You can invite new users, adjust permissions for existing users, or remove users.
Unsubscribes
Every email you send contains a functional unsubscribe link. Once a contact unsubscribes, Xendy processes this automatically and the contact is immediately marked as inactive. It is not permitted to email someone after they have unsubscribed.
- Resubscribe contact: sometimes a contact may have unsubscribed by mistake. Go to ‘All contacts’ in the left menu and search for the contact. Once found, click the ‘3 dots’ and choose ‘Resubscribe’. The contact’s status will now change to ‘Active’ and they will start receiving emails again from Xendy.
Frequently Asked Questions
Managing your contacts starts in the left menu under ‘All contacts’. This is the central place where you will find all your organization’s contacts in Xendy. You can view, edit, and delete them here.
The Data Processing Agreement (DPA) is the document that explains how we process data on your behalf. It is available in your Xendy account by clicking on ‘Settings’ and then on your company name.
No, emailing contacts without explicit consent is not permitted. This applies to both your own customers and purchased email addresses or leads. Your account will be immediately suspended if we become aware of this. We always report such cases to the Authority for Consumers & Markets (ACM).
