Recently, a StatusGator user on our 14-day free trial contacted us to inquire if StatusGator was GDPR compliant. The General Data Protection Regulation, or GDPR, is the European Union’s regulation that grants rights and requirements over personal data. Although we’ve been following the GDPR and its rollout for some time now, we haven’t taken active steps to comply with its requirements. We are based in the United States and don’t actively target European customers. Our limited understanding is that we aren’t required to comply and therefore never put much thought into it. Until this recent customer inquiry.
This customer email got us thinking: We certainly don’t want to leave money on the table by ignoring all of Europe. As a small but growing company, every customer counts. Or price point is quite low, starting at $30 per month but our customer lifetime value approaches $1,000. If even a few European customers choose not to convert because of our lack of compliance, it could be worth the technical and legal challenges to comply.
Furthermore, we do genuinely believe in the rights granted by the GDPR, even if we are disgruntled by the administrative hassles they involve. So as a matter of principle, we are endeavoring to make a StatusGator GDPR complaint.
Over a series of several articles, we will detail the steps we took to gain compliance with the GDPR. We will touch on some of the technical, administrative, and legal processes we follow. However, we won’t dive deep into the legal definitions and interpretations. Many others such as White and Case have covered these topics. Our goal is to relay our experience complying to help other indie hackers like us.
Right to Data Erasure
The GDPR grants EU residents the right to demand their personal data be removed upon request. This one is easy for us because we already do it. Whenever a user has requested an account closure, we always just remove their account and all associated data. We use Ahoy for tracking along with our Heroku Postgres database. This means the only place we need to remove them is our production database. This does have the unintended consequence of skewing any queries we run in Metabase against our data, as deleted users will be removed from metrics retroactively. But that’s a price we are willing to pay for privacy.
Since the GDPR gives us 30 days to comply with erasure requests, our 30-day backup retention means we don’t need to comb old backups to remove deleted accounts.
Right to Data Portability
Another right granted to data subjects by the GDPR is the right to extract one’s data so it can be ported to another provider. This capability helps encourage competition, in theory, reducing the age-old problem of vendor lock-in.
Fortunately, the requirements of data processors like ourselves are not terribly onerous. There is no requirement that the data be self-accessible, just that it be furnished within 30 days upon request. Our approach to compliance here was to add a JSON export feature to our admin dashboard. Since we use Rails and ActiveAdmin, the details of this are petty simple from a technical perspective:
A method in our User model is utilized as_json to collect the required fields and associated models. In our case, those are the Payment model along with Subscription and ComponentSubscription model with connecting users to the status pages along with notifications about specific status page components.
Next, a simple GET method added to our ActiveAdmin controller uses the send_data method built into Rails to return the JSON data from a button in the admin UI.
Already one user requested their data (and erasure afterward) and this simple implementation worked perfectly.
Our next steps are transforming our privacy policy. Stay tuned for further updates on our GDPR compliance. If you’re a StatusGator customer in the EU please reach out to us. Let us know if GDPR compliance is important to you.
To read the other parts of our series on GDPR compliance:
StatusGator is our service that monitors status pages and sends you notifications when the services you care about go down. You can receive notifications in Slack or by email, SMS, or even webhook. Customers love our Slack slash command which allows querying the status of any service on demand right from where your team hangs out.
Try a 14-day free trial of StatusGator and let us know what you think.
