What about GDPR?

General Data Protection Regulation

Written by Rob Glover
Updated over a week ago

The EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and places certain responsibilities on organisations like Biggerflip with respect to how they manage personal data.

Biggerflip Ltd already understands the importance of data security. Protecting our clients' data is a critical business requirement to avoid adversely impacting our customers and to avoid reputational damage to our brand.

Our goals are to keep our clients' data:

  • confidential - restricting its availability to only those specified;

  • available - ensuring it's accessible; and

  • accurate and consistent - avoiding corruption and loss.

This is achieved through our security policy that defines the scope of the systems and data to be managed, and the controls and procedures to be used by staff.

This document describes what we’re doing to comply with GDPR. It should be read alongside the Ideaflip Data Security document and our Privacy Policy.

Contact

Biggerflip is a small organisation comprising the founding partners and a small group of development and operational staff. The founding partners understand the importance of information security to their business and provide technical and commercial leadership in this area. The founding partner with technical responsibility for data protection is:

Dr Andrew Wood, Biggerflip Ltd
Kemp House, City Road, London, England, EC1V 2NX
andy@ideaflip.com
+44 7505 275 366
who is the primary contact for data protection issues.

Categories of Personal Data

To provide the Ideaflip service, Biggerflip handles three types of customer data:

  1. user data - information required to run the service, keep it secure and to provide support. This includes content that the user uploads to or creates through the use of Ideaflip

  2. subscriber data - payment information and associated record-keeping for financial and tax purposes

  3. marketing data - information that we use for contacting and building a relationship with existing and potential customers


User Data

The personal data that we collect to run our service is:

  • email address

  • Google ID (if using Sign in with Google)

  • screen name

  • avatar URL (either from Google or Gravatar)

  • user content (e.g. text, images and files entered onto boards)

This data is used to provide identity and authentication to properly secure Ideaflip and to provide the Ideaflip service.

This data, and particularly the user content, is covered by our Privacy Policy and is only shared with other authenticated users of the service under the control of board owners according to the rules of our Data Security Model.

We also use this information to answer questions about Ideaflip and provide user support and troubleshooting.

The basis on which we collect this data is user consent.

Subscriber Data

The personal data that we collect to manage subscriptions to our service is:

  • name

  • email address

  • company details (optional)

  • address

  • credit card details

  • An IP address (country)

This data is used to manage payments for the various subscription plans to use Ideaflip and is maintained for company reporting and tax purposes.

The basis on which we collect this data is user consent and legal obligation.


Marketing

The personal data that we use to develop our marketing is:

  • screen name

  • email address

  • An IP address (country)

  • referral URL

This data is used to provide occasionally targeted mailshots about Ideaflip features and developments only. In aggregate, this information is also used to identify possible improvements to the Ideaflip service.

The basis on which we collect this data is user consent.

Data Controller and Processors

In common with most web services, Biggerflip relies on a number of third-party companies to provide the Ideaflip service.

Processor: Amazon
Category: User, Subscriber, Marketing
Description: AWS server hosting* https://aws.amazon.com/compliance/gdpr-center/
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

Processor: Gravatar
Category: User
Description: Avatar images https://automattic.com/privacy/


Processor: Intercom
Category: User, Marketing
Description: CRM and messaging
https://docs.intercom.com/pricing-privacy-and-terms/data-protection/how-intercom-complies-with-gdpr


Processor: Google
Category: User, Marketing
Description: Authentication and analytics https://privacy.google.com/businesses/compliance/


Processor: Braintree
Category: Subscriber
Description: Payment gateway
https://articles.braintreepayments.com/risk-and-security/compliance/gdpr-readiness

Processor: Stripe
Category: Subscriber
Description: Payment gateway
https://stripe.com/guides/general-data-protection-regulation


Processor: PayPal
Category: Subscriber
Description: Payment gateway
https://www.paypal.com/uk/webapps/mpp/ua/provt-full?locale.x=en_GB

* The ideaflip.com servers are based in the US East (N. Virginia) region. Please see the Data Hosting section of the Ideaflip Data Security document to see how we safeguard the data transfer.

Current State

Ideaflip is GDPR compliant for User and Subscriber data.

Additionally, GDPR places extra emphasis on portability, retention and erasure of data. We have identified that, while these are currently provided via our helpdesk, we could provide better support for them. We are therefore developing a programme of work to build automated functionality that gives the user self-service control in these areas.
