The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect from May 25, 2018.

At Zinrelo, we’ve worked hard to prepare for GDPR, to ensure that we fulfill its obligations and maintain our transparency about customer messaging and how we use data. 

In GDPR terminology, Zinrelo Clients who launch a loyalty program for their end customers are data controllers. They control what data is collected from the end-customer. Zinrelo is a data processor that processes data when explicitly instructed by the data controller. Zinrelo does store EU Customer data on servers in the United States.

We have worked with our teams and lawyers to figure out how to convert GDPR legal provisions into tangible actions. We’ve been asking lots of questions, and our customers have been asking us questions.

Here’s an overview of GDPR, and how we have prepared for it at Zinrelo:

What’s GDPR?

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of EU data.

Does GDPR affect me? 

Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.

How has Zinrelo prepared for GDPR?

Our teams have worked to define our GDPR roadmap. There has been a massive overhaul of processes to make sure we’re meeting our legal obligations, and doing the best thing for our Clients while still letting us move fast, scale and build great products. 

Here are the main things we’ve been doing to ensure we’re setting ourselves and our customers up to meet GDPR obligations:

We have built new features: 

Our teams have built the necessary features that will enable our Clients to easily meet their GDPR obligations.

Zinrelo can help you meet your data portability requirements for GDPR. You can easily export all of your data or granular subsets linked to an individual, and permanently delete all data linked to an individual user.

We have updated our Privacy Policy: 

We take the privacy of our users very seriously. We’ve recently made updates to our Privacy Policy to increase transparency and comply with the European Union’s General Data Protection Regulation (GDPR). We encourage you to read our policies in full, but here are some highlights of what’s changed:

  • Added information to our Privacy Policy about the types of data that we collect, the ways in which we use it, and the measures we take to keep your data safe;

  • Added new choices for users to manage their privacy; and

  • Provided more details about data collection and your choices

We have added a Data Processing Agreement (DPA): 

Strong data protection commitments are a key part of GDPR’s requirements. To clearly outline our obligations to our Clients as a data processor, we have added a Data Processing Agreement to our Terms of Service. This DPA shares our privacy commitments and sets out the terms for Zinrelo and our Clients to meet GDPR requirements. 

We’ve certified for International Data Transfers: 

The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data. 

To comply with EU data protection laws around international data transfer, we have self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield framework. 

We’ve appointed a Data Protection Officer 

We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch by emailing

We’re coordinating with our vendors (sub-processors)

We have reviewed our vendors and arranged GDPR-ready data processing agreements with them.

We’re taking new security measures

Security is a priority for us. We have regular external audits, pentests and bug bounties. We have implemented a robust Information Security Policy to protect our Clients’ data. While we do not have official ISO certification, our Information Security Policy is modeled on the guidelines of ISO 27001 and ISO 27002 requirements. A copy of our Information Security Policy document is available upon request.

Should I add any verbiage to my website?

Our team has included some language that you could include in your privacy policy and your terms of service. This article describes these suggestions. Of course, it is difficult to create a one-size-fits-all verbiage. The needs of different Clients tend to vary. Therefore, we recommend that you always review the suggested verbiage with your lawyers.

We are working hard to help our Clients and prospective Clients be GDPR compliant. Feel free to reach out to us at if you have any questions about GDPR – we would be happy to chat about it.
