Get your membership site ready for the GDPR


Please note: This is for informational purposes only and does not purport to describe all of the relevant aspects or binding obligations you may have under the GDPR. It is not legal advice. Contact an attorney for specific guidance on how the GDPR may impact your business.

The General Data Protection Regulation (“GDPR”) is a new European Union data protection law that goes into effect on May 25th, 2018. Let's review what it means for your membership site.

What steps do we take to protect data? See our Data Protection page.

Does it apply to me? My business isn't in the EU.

If your business offers goods and services to individuals in the EU, the GDPR applies to you, even if your business is not based in the EU.

Data controllers and data processors

For the purpose of this discussion, Memberful is considered a data processor. You, the membership site owner, are considered the data controller because you elect to engage in a business relationship with your members using Memberful. Part of that relationship is collecting necessary data (name, email, etc.) that is protected under the GDPR.

Keep in mind, Memberful also acts as a data controller when it comes to our direct relationship with you, the Memberful customer, and we will outline how the GDPR affects that relationship in an email to you in early May. In this post, we'll only be discussing the relationship between you and your members, where you'll be acting as a data controller.

What the GDPR requires of you as a controller

The GDPR first requires that you have a legal basis for collecting personal data. Once you've established a legal basis and collected the data, you must give the individual certain rights:

  • Data subject access request: Individuals have the right to know whether personal data about them is being processed, and how it is being processed.
  • Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
  • Right to erasure: Individuals may withdraw consent to the processing, and the processor must completely delete the individual's personal data without undue delay.
  • Right to data portability: Individuals may request that personal data held by one data controller be provided to themselves or to another controller.

Let's now review how Memberful can help you comply with your requirements under the GDPR.

Under the GDPR, you must have a legal basis for collecting personal data. The GDPR establishes six possible legal bases, one of which is explicit consent:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

As a Memberful customer, you will likely rely on explicit consent to establish legal basis (and we believe explicit consent is always prudent and advisable). This means having two important pages on your website:

  • Terms of Service
  • Privacy Policy

If you don't already have these two pages in place, we recommend contacting an attorney. To save time and money while working with an attorney, you could ask your attorney to start with an open source template. See Automattic's Privacy Policy and Editorially's Terms of Service as examples. You'll also want to make sure you contact existing members to let them know they must also agree to the new policies.

Once you've created or updated your Terms of Service and Privacy Policy to comply with the GDPR, navigate to Settings → Payment → Configure checkout in your Memberful dashboard. You'll see two inputs for links to Terms of Service and Privacy Policy.

Screenshot: Memberful Terms of Service and Privacy Policy settings

Add your links and then save the settings. After you do that, a checkbox will be shown whenever a member makes a purchase or signs up for an account.

Screenshot: Memberful Terms of Service and Privacy Policy checkbox

Now, when someone signs up to be a member, you've established a legal basis for collecting their personal data.

Data subject access request

When working with your attorney to write your Privacy Policy, ensure it states what personal data is being processed. When you use Memberful, Memberful collects the following personal data:

Always

  • Full name and email address: Required when purchasing a subscription or signing up for a free account.
  • Referrer: If available, the URL of the referring website the member came from when visiting your website.

Optional

  • Address and phone number: When you check the "Require a mailing address" checkbox in Plan Settings for a plan, address and phone number are collected and stored with the member.
  • UTM codes: When you pass Memberful a UTM code in a referring URL, that code will be stored with the member.

Memberful stores this personal member data in a secure database (encrypted at rest) to provide membership services to you. We do not use your member data for any other purposes.

Right to rectification

Your members have the right to request that you correct incorrect personal information. With Memberful, members always have full "self-serve" access to their personal information. They may sign into their Memberful account and update their information at any time.

Right to erasure

Your members have the right to be forgotten. If an individual member requests to be erased, you must delete the member from Memberful without undue delay. To delete a member, find the member in your dashboard (search icon in the top left corner). Next, click the Edit member button. Finally, click the red Delete member button in the bottom right of the edit screen.

Screenshot: Memberful edit member

Screenshot: Memberful delete member

When you delete a Memberful member:

  • All personally identifying information about the member is deleted, or in the case of name, anonymized so it is no longer personally identifiable. For example, we change the name of the member to something like Member 12345. We do not keep logs or database backups for more than 30 days, so when a member is deleted from Memberful, they will be completely erased from our systems within 30 days.
  • Memberful integrates with third-party software services like Stripe, MailChimp, and WordPress. When you delete a member from Memberful we attempt to delete the member from third-party services. However, we cannot guarantee data deletion from third-party services we don't control (for example, when you disconnect Memberful from said service). We also cannot control how other third-party services handle deleted data. You understand it is your responsibility to ensure this data is deleted from these third-party services.

Turn on full-delete for Discourse

If you're using our Discourse integration and you wish to be GDPR compliant, we recommend navigating to Settings → Integrate → Discourse and turning on the Full-delete option. When this option is enabled and you delete a member from Memberful, we will delete them from Discourse; this includes all of their topics and replies. If you wish to handle this manually or don't fall under the GDPR, you may leave the option off.

Right to data portability

Your members have the right to request an export of their personal information. If you wish to provide a member with their personal information, we recommend finding the member in your Memberful dashboard and sending them the personal information listed in their profile. If we find this becomes burdensome, we will add a feature allowing you to automatically email this information to the member.

Summary

We've outlined here specific recommendations to help ensure your data processing with Memberful is compliant with the GDPR. If you have any questions about how Memberful processes data, please don't hesitate to get in touch!