GDPR Compliance
Flagmint is built from the ground up with EU privacy law at its core. Here's how we protect your data and support your own GDPR obligations.
OUR COMMITMENTS
EU Data Residency
All customer data is stored exclusively on servers located within the European Union — Amsterdam (primary), Frankfurt (backup). No transfers outside the EEA.
Encryption at Rest & In Transit
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed via dedicated HSMs and isolated annually.
Data Subject Rights
We provide tools for access, rectification, erasure, portability, and objection. Requests are actioned within 30 days. A self-service portal is available for account owners.
Lawful Bases Documented
Every processing activity is documented in our Records of Processing Activities (ROPA), with a clear legal basis under GDPR Article 6 and Article 9 where applicable.
Privacy by Design
Data minimisation, purpose limitation, and storage limits are built into every feature. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
72-hour Breach Notification
In the event of a personal data breach, we notify affected customers and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
Sub-Processor Management
We maintain a current sub-processor register and notify customers with 30 days' notice. All processors are bound by GDPR-compliant data processing agreements.
DPO Appointment
We have appointed a Data Protection Officer (DPO) who is contactable at support@flagmint.com. The DPO advises on compliance, oversees DPIAs, and liaises with supervisory authorities.
YOUR DATA SUBJECT RIGHTS
Right of Access (Art. 15)
Request a copy of your personal data and how we use it.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your data in certain circumstances.
Right to Restriction (Art. 18)
Limit how we process your data in certain situations.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
To exercise any of these rights, contact our DPO at support@flagmint.com. We respond within 30 days.
CONTROLLER VS. PROCESSOR
Flagmint as Data Controller
For data related to our own customers and website visitors
(contact details, billing information, support communications), Flagmint acts as the data controller and processes this data per our Privacy Policy.
Flagmint as Data Processor
For personal data that customers upload or process through
the Flagmint platform (e.g. end-user IDs in feature flags), Flagmint acts as the data processor. Our DPA defines these obligations in full.
Need a Data Processing Agreement?
Our DPA is available for all paid plan customers. Sign and download it instantly from your account settings, or contact us for enterprise custom agreements.
Ready to start experimenting?
Run your first A/B test today. No credit card required.