GDPR 2019-02-28T19:49:23+00:00

Data Privacy and Security


The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018, and the new regulations will have wide-ranging impacts on organisations that collect and process data in the EU. Specifically, the GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer and/or use.

Data is incredibly important to CogniClick and it’s important we comply with, and make it easy for you to meet the demands of, GDPR.


For the purposes of this regulation our clients at CogniClick are The Data Controllers.

Cogniclick is The Data Processor. We process data on behalf of the Data Controller.

This applies to the information we process about our clients’ (Data Controllers) contacts as a data processor.

Our services are intended for use by our clients. As a result, for much of the Personal Information we collect and process about contacts through our services, we act as a processor on behalf of our clients. Cogniclick is not responsible for the privacy or security practices of our clients , which may differ from those set forth in this privacy policy.

1. Consent

GDPR sets a high standard for Consent.

Within the Cogniclick application tools we set up lead forms with opt-ins and include check boxes that are not pre-clicked.

Consent within the tools is clear and distinguishable and in a intelligible and easy accessible form, using clear and plain language. It is as easy to withdraw consent as to give it.

The lead form consent will be attached to the contact within the data file and will always be readily available.

2. Access

The GDPR includes the right for contacts to receive confirmation and information as to whether a company is processing personal data concerning them.

Cogniclick can provide a digital copy of all personal data on contacts gained through a CogniClick tool and export the data digitally.

3. Right to Portability

Data portability is the right for a contact to receive the personal data which they have previously provided to the company in a digital format.

Cogniclick will provide you with all information we have gained on your behalf through our tools. You can export this data digitally.

4. Right to be forgotten

The right to be forgotten is also known as data erasure and entitles the contact to have the company holding their data erase their personal data and cease further dissemination.

You can quickly and easily erase personal data on the Cogniclick platform.

5. Reporting breaches

We are prepared to inform our clients, partners, authorities, vendors and suppliers about any security breach with 72 hours.

6. Protective measures

Appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the such measures adopted by it.


1. Data processing

The Cogniclick application is hosted on Digital Ocean servers within Docker containers. Our servers are virtual machines provided by Digital Ocean LLC. Their datacenter security document is available here:

2. Sub-processors

We use Mailgun to send notification emails when a CogniClick tool is completed. This feature is optional and not the default. Emails are only sent to a subscriber list specified in the platform backend. The mailer content is configurable and can contain any of the fields captured in the survey, where supplied by a user. Mailgun retain the content of the email in their logs. If the data is of a particularly sensitive nature we would advise not using this feature.

3. Data back-up

We take a backup of our database daily and save it to a protected Amazon S3 bucket. We retain a maximum of 7 backups and overwrite the oldest.

4. Privacy risk solutions

The platform is based on the mature web framework, Ruby on Rails, in the latest stable version (5.2.2), and we use well-tested open source authentication and authorisation libraries (Devise and Pundit) to protect administrative areas. Passwords are salted and stored in encrypted form only. Our test suite performs access control checks that ensure appropriate user permissions to non-public URLs. Our technical team monitor security forums for emerging vulnerabilities, and patch in a timely manner.

5. Return or deletion of the data

Whenever we collect or process personal data, our suggested retention period is 12 months from your event start date. At the end of this 12 month period, your data will be deleted.

6. Security Standards

We are registered with the Information Commissioner’s office. Reference: A8440881

7. Complaints

If you wish to raise a complaint on how we have handled personal data, you can contact us at and we will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to

8. Data Processing Addendum

In the course of providing the services under our standard T&C’s agreement, the parties agree that by using Digital Ocean NYC3 data centre, CogniClick may transfer Personal Data processed under the Contract outside the European Economic Area (“EEA”) or Switzerland as necessary to provide the Services.


This privacy statement was created in May 2018

Revised in February 2019