Memberful Data Protection.
Measures we take to protect your data.
We take data protection seriously. This document outlines some of the measures we take to protect your data when you use Memberful.
When you close your account, it's really gone.
We permanently delete all your account data when you close your Memberful account. We also delete your data from third-party services we use like Stripe (for processing payments) and Intercom (for support).
Backups are destroyed after 30 days.
All our server logs and database backups are permanently deleted after 30 days. So when you delete your Memberful account, you know all your data is removed from our systems within 30 days.
We only send data to necessary services.
Memberful relies on some third-party services, like Intercom (for providing support), Stripe (for processing payments), Google Analytics and Adwords (for analyzing web traffic and tracking conversions), and Heroku / Amazon Web Services (for hosting our application and data). These third-party services help us run Memberful reliably, securely, and efficiently. We do not ever sell your data to unaffiliated third parties for marketing purposes.
We ask before we look.
We don’t view customer dashboards or connected accounts unless the customer grants explicit permission to do so as part of a support ticket.
We take security seriously.
All communications between Memberful and your browser are encrypted, our production database is encrypted at rest, and we encrypt our backend services as much as is practical. We host in a secure environment and retain geo-redundant backups for 30 days. See Memberful Security for more.
We’ve made changes for the GDPR.
We've made changes to help Memberful customers comply with the GDPR and we've improved our own internal data protection and security.
For Memberful customers:
- How long we store information: We store this personally identifiable information for as long as your Memberful account is open.
- Right to update your information: You may visit your Account page in your Memberful dashboard to update your information at any time.
- Right to be forgotten: You may close your Memberful customer account at any time. When a customer account is deleted from Memberful, all personally identifiable information in the customer account - including that of any members - is completely erased from our systems (including backups) within 30 days.
- Security: Our application and production database run on AWS (Amazon Web Services) in hardened and physically secured data centers located in the United States. Our production database is encrypted at rest. We will inform you of any significant security breach within 72 hours.
For our customers’ members:
- How long we store information: We store this personally identifiable information for as long as your customer account and your member’s account are open.
- Right to update your information: Your members may visit their account to update their information at any time.
- Right to be forgotten: When you delete a member account, all personally identifiable information in that member account is completely erased from our systems (including backups) within 30 days.
- Third-party integrations: Memberful also integrates with some third-party software services like Stripe and Mailchimp. We attempt to delete the member from third-party services when they are deleted from Memberful. However, we cannot guarantee data deletion from third-party services we don't control. You understand it is your responsibility to ensure this data is deleted from these third-party services in a GDPR-compliant way.
Data Privacy Framework and Principles
Memberful adheres to the EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles and complies with the associated EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, sharing, and retention of personal data transferred from the European Union (including EFTA States), the United Kingdom, and Switzerland to the United States. As applicable, we do not, however, rely solely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework as our lawful basis to transfer personal data from the European Union, EFTA States, or the United Kingdom. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.
With respect to the personal data received or transferred pursuant to the Data Privacy Frameworks, Memberful is subject to the regulatory enforcement powers of the US Federal Trade Commission. Under certain circumstances, Data Privacy Framework participants may be liable for the transfer of personal data from the EU, EFTA States, or the United Kingdom to third parties outside the EU, EFTA States, and the United Kingdom. If you have a dispute with us about our Data Privacy Framework compliance, we ask that you first submit any such complaints directly to us at [email protected]. If you aren’t satisfied with our response, you may contact JAMS – the US-based independent alternative dispute resolution provider responsible for reviewing and resolving complaints about our Data Privacy Framework compliance free of charge to you – via https://www.jamsadr.com/eu-us-data-privacy-framework. In the event your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under the Data Privacy Framework and its principles. More information about this arbitration process can be found here.