GDPR Compliance

Last updated: February 18, 2026

GDPR Overview

StackBloom complies with the General Data Protection Regulation (GDPR). This page describes how we meet GDPR requirements and what data rights you have as an EEA resident.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

1. Right to Access

You can request a copy of all personal data we hold about you. We'll provide this in a commonly used electronic format within 30 days.

2. Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.

3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We'll comply unless we have a legal obligation to retain certain information.

4. Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances, such as while we verify the accuracy of data you've disputed.

5. Right to Data Portability

You can request your personal data in a structured, machine-readable format to transfer to another service provider.

6. Right to Object

You can object to processing of your personal data for direct marketing purposes or when processing is based on legitimate interests.

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

8. Right to Withdraw Consent

Where we process your data based on consent, you can withdraw that consent at any time. This won't affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Email our Data Protection Officer at: dpo@stackbloom.io
  • Submit a request through our contact form
  • Access your account settings for self-service options

We'll respond to your request within 30 days. If we need more time, we'll let you know why and when you can expect a response.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract Performance: To provide our services to you (Art. 6(1)(b) GDPR)
  • Consent: For marketing communications and optional features (Art. 6(1)(a) GDPR)
  • Legitimate Interests: For service improvement and fraud prevention (Art. 6(1)(f) GDPR)
  • Legal Obligation: To comply with applicable laws (Art. 6(1)(c) GDPR)
  • Vital Interests: For HealthBloom medical data when necessary for healthcare (Art. 9(2)(c) GDPR)

Product-Specific Processing

Different StackBloom products process data for specific purposes:

Forms, PDF Suite, Proposals: Contract performance (to store and deliver your content)

E-Sign: Contract performance and legal obligation (to maintain audit trails)

HealthBloom: Explicit consent for health data processing + legal obligation (HIPAA compliance)

Monitor, Live Chat: Contract performance (to provide real-time services)

Automations: Consent (to access third-party integrations on your behalf)

Scheduling: Contract performance + consent (for Google Calendar integration)

Data Protection Measures

We implement appropriate technical and organizational measures to protect your data:

  • End-to-end encryption for data transmission
  • Encryption at rest for sensitive data
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response and breach notification procedures

International Data Transfers

We may transfer your data outside the EEA. When we do, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for certain countries
  • Privacy Shield certification (where applicable)
  • Binding corporate rules for group companies

Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy. Retention periods vary based on:

  • Legal and regulatory requirements
  • Business operational needs
  • Security and fraud prevention
  • Dispute resolution

Specific Retention Periods

Active Account Data: Retained while your account is active

Deleted Account Data: Removed within 30 days, except where legally required

Financial Records: 7 years (tax and accounting requirements)

E-Sign Audit Logs: 10 years (legal requirements for digital signatures)

HealthBloom Medical Data: 7 years minimum or as required by healthcare regulations

Analytics Data: Anonymized after 26 months

Security Logs: 90 days for fraud prevention

After the retention period, we securely delete or anonymize your personal data using industry-standard data destruction methods.

Data Breach Notification

In the event of a data breach that may result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected individuals without undue delay
  • Provide details about the breach and our response
  • Advise on protective measures you can take

Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately so we can delete it.

Supervisory Authority

If you're not satisfied with how we handle your data rights, you have the right to lodge a complaint with your local data protection authority. For EEA residents, you can find your supervisory authority at:

European Data Protection Board - Members

Contact Our DPO

For GDPR-related questions or to exercise your rights, contact our Data Protection Officer:

  • Email: dpo@stackbloom.io
  • Subject Line: "GDPR Request - [Your Request Type]"
  • Include: Your name, email, and specific request details

Submit a data request

Use the links below to request access to or deletion of your data: