GDPR Compliance
Last updated: January 2025
Our Commitment to GDPR
Closed is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page outlines how we meet our obligations under GDPR and how we help our customers meet theirs.
The GDPR applies to organisations that process personal data of individuals in the European Economic Area (EEA), regardless of where the organisation is located.
Our Role Under GDPR
As a Data Controller
Closed acts as a data controller for the personal data of our customers (account holders). This includes information you provide when creating an account, billing information, and information about how you use our Service.
As a Data Processor
Closed acts as a data processor when handling personal data that you include in proposals (such as your clients' names and contact information). In this capacity, we process data on your behalf according to your instructions.
Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data:
Right of Access (Article 15)
You can request a copy of the personal data we hold about you, along with information about how we process it.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.
Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
Right to Restriction (Article 18)
You can request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
Right to Data Portability (Article 20)
You can request a copy of your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection team:
Email: [email protected]
Subject line: GDPR Data Subject Request
We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, but we will notify you if this is necessary.
We may need to verify your identity before processing your request. We will not charge a fee for most requests, but may charge a reasonable fee for manifestly unfounded or excessive requests.
Legal Basis for Processing
Under GDPR, we must have a lawful basis for processing personal data. We rely on the following bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing our Service to you | Contract performance |
| Processing payments | Contract performance |
| Sending service-related communications | Contract performance |
| Improving our Service | Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Analytics and usage tracking | Legitimate interests / Consent |
| Marketing communications | Consent |
| Compliance with legal obligations | Legal obligation |
International Data Transfers
Some of our service providers are located outside the EEA. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- Adequacy decisions: Transfers to countries the European Commission has deemed to provide adequate protection
- Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide appropriate safeguards
- Binding Corporate Rules: For transfers within corporate groups that have approved binding rules
You can request information about the safeguards we use for specific transfers by contacting us.
Data Processing Agreement
For customers who need a Data Processing Agreement (DPA) to meet their GDPR compliance obligations, we offer a standard DPA that covers:
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Our obligations as a processor
- Sub-processor arrangements
- Data security measures
- Assistance with data subject rights
- Data breach notification procedures
- Audit rights
To request a DPA, please contact us at [email protected].
Sub-Processors
We use the following sub-processors to help deliver our Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | EU (Ireland) |
| Stripe | Payment processing | USA (SCCs) |
| Intercom | Customer support | USA (SCCs) |
| SendGrid | Email delivery | USA (SCCs) |
| Google Analytics | Website analytics | USA (SCCs) |
We will notify you of any changes to our sub-processors. You can subscribe to sub-processor updates by emailing [email protected].
Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Employee security training and background checks
- Incident response procedures
- Regular backups and disaster recovery planning
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach.
Your Responsibilities
As a Closed customer, you may also have GDPR obligations when you include personal data of your clients in proposals. You are responsible for:
- Having a lawful basis to process your clients' data
- Providing appropriate privacy notices to your clients
- Responding to data subject requests from your clients
- Ensuring data accuracy and minimisation
- Reporting any data breaches you become aware of
Supervisory Authority
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Contact Our Data Protection Team
For any questions about GDPR compliance or to exercise your rights:
Email: [email protected]
Address: Data Protection Officer, Closed Ltd, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom