General Data Protection Regulation or GDPR comes in effect on May 25th, 2018. This new regulation will replace previous regulation from 1995, with the new measures which reflect the new digital age.

Every company processing Personal Data for EU citizens is required to comply with this new regulation.

In this document we will outline how Gtmhub complies with GDPR.

Gtmhub as Data Processor

The people you store in Gtmhub as Users, Employees or Managers are your data subjects, and you are considered the data controller for this personal data.

Using the Gtmhub app to manage your Employees means that you have engaged Gtmhub as a data processor to carry out certain processing activities on your behalf.
According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Security Policy and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions that you are giving to Gtmhub with regard to processing the personal data you control and establishing the rights and responsibilities of both parties. Gtmhub will only process this data based on your instructions as a data controller.

All EU customers have a contractual relationship with our EU entity, based in Bulgaria.

Data transfers
One topic that often comes up with customers is data transfers outside of the EEA. The GDPR establishes specific requirements for transfer of personal data to third countries.
As our EU customers have a legal relationship with our EU entity, the data is stored and remains within the EEA. If Gtmhub subsequently engages sub-processors outside the EEA, it is our job to ensure that we transfer the data lawfully.
We will keep an up-to-date list of sub-processors on this page to be fully transparent about these transfers. The list also explains the type of activities performed by sub-processors. To ensure that the data is adequately protected before it leaves the EEA we perform thorough review and risk assessment for each third-party service provider. Each service provider is also required to sign the EU Commission’s Standard Contractual Clauses.

Hopefully this helps you to better navigate the EU’s data protection requirements. If you have any questions with regard to the above, you’re welcome to reach out to us at [email protected] and we’ll do our best to explain things further.

Gtmhub as Data Controller

Additionally, Gtmhub acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps, and website.

First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).

What are these ‘legitimate interests’ we talk about?

  • Improving the app to help you reach new levels of productivity.

  • Making sure that your data and Gtmhub’s systems are safe and secure.

  • Responsible marketing of our product and its features.

As the controller for your personal data, Gtmhub is committed to respect all your rights under the GDPR. If you have any questions or feedback, please reach out to our Data Protection experts by email at [email protected].

How is Gtmhub implementing GDPR

We understand the privacy needs of Gtmhub users as well as their customers and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Gtmhub.

Privacy By Design

In the IT world we can translate this GDPR requirement to collecting as little personal data as possible and ensuring data deletion when it is no longer needed. Gtmhub platform is build in-house by following industry best practices in the field of software engineering. We have minimized the collection of personal data to the absolute minimum that is needed in order to operate the platform while continuing to provide rich functionality and great user experience.

To ensure no personal data has left on our production systems, after customer account is terminated, we have set up automatic rules which purge all data in 90 days. And for those who want to speed up the process we have prepared the following guideline -

Internal processes, security and data transfers

A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.

We have established a process for onboarding third-party service providers and adopting tools that makes sure that these third-parties meet the high expectations that Gtmhub and its customers have when it comes to privacy and security. Our data centers are located in Amsterdam, Netherlands (EU) to improve performance and provide additional assurance that your data enjoys the level of protection envisioned by the GDPR.

Readiness to comply with subject access requests

Data subjects’ ownership of their personal data is at the heart of the GDPR. We have created a readiness to respond to data subject requests to delete, modify, or transfer their data. This means that our Customer Support Specialists along with the Engineers that assist them in their work are well-prepared to help you in any matters involving your personal data, in addition to providing the awesome customer support experience that you are accustomed to.


Our Security Policy and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements. As these are the basis for our relationship for you, it is very important for us to comprehensively and openly explain our commitments and your rights in these documents. Additionally, we’re constantly mapping all our data processing activities to be able to comply with the GDPR accountability requirements.


All of the above is supported by extensive training efforts within the company so that the GDPR compliant processes we’ve put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process and each department receives training that is tailored to their work involving personal data.

Did this answer your question?