Flagmint
GDPR Compliant

GDPR Compliance

Flagmint is built from the ground up with EU privacy law at its core. Here's how we protect your data and support your own GDPR obligations.

OUR COMMITMENTS

EU Data Residency

All customer data is stored exclusively on servers located within the European Union — Amsterdam (primary), Frankfurt (backup). No transfers outside the EEA.

Encryption at Rest & In Transit

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed via dedicated HSMs and isolated annually.

Data Subject Rights

We provide tools for access, rectification, erasure, portability, and objection. Requests are actioned within 30 days. A self-service portal is available for account owners.

Lawful Bases Documented

Every processing activity is documented in our Records of Processing Activities (ROPA), with a clear legal basis under GDPR Article 6 and Article 9 where applicable.

Privacy by Design

Data minimisation, purpose limitation, and storage limits are built into every feature. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.

72-hour Breach Notification

In the event of a personal data breach, we notify affected customers and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

Sub-Processor Management

We maintain a current sub-processor register and notify customers with 30 days' notice. All processors are bound by GDPR-compliant data processing agreements.

DPO Appointment

We have appointed a Data Protection Officer (DPO) who is contactable at support@flagmint.com. The DPO advises on compliance, oversees DPIAs, and liaises with supervisory authorities.

YOUR DATA SUBJECT RIGHTS

Right of Access (Art. 15)

Request a copy of your personal data and how we use it.

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your data in certain circumstances.

Right to Restriction (Art. 18)

Limit how we process your data in certain situations.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

To exercise any of these rights, contact our DPO at support@flagmint.com. We respond within 30 days.

CONTROLLER VS. PROCESSOR

Flagmint as Data Controller

For data related to our own customers and website visitors

(contact details, billing information, support communications), Flagmint acts as the data controller and processes this data per our Privacy Policy.

Flagmint as Data Processor

For personal data that customers upload or process through

the Flagmint platform (e.g. end-user IDs in feature flags), Flagmint acts as the data processor. Our DPA defines these obligations in full.

Need a Data Processing Agreement?

Our DPA is available for all paid plan customers. Sign and download it instantly from your account settings, or contact us for enterprise custom agreements.

Ready to start experimenting?

Run your first A/B test today. No credit card required.