Dapple is built to help your organisation comply with the EU General Data Protection Regulation (GDPR). Under GDPR, your organisation is the 'controller' of creator data; Dapple is the 'processor', handling that data on your behalf. This article explains the GDPR features and protections built into Dapple. It is not legal advice — for legal opinion, consult your data protection officer.
Your users' rights under GDPR
Dapple supports GDPR compliance by respecting these rights:
| Right | How Dapple supports it |
| --- | --- |
| Breach notification | Dapple commits to notifying affected parties within 72 hours of discovering a data breach. |
| Right to access | Users can request information on whether and how their data is being used. Dapple lets you search by name or email to locate a user's data, and creators can self-serve through their Creator Account. |
| Right to be forgotten | Users can request deletion of their data. Dapple supports deletion of creator profiles and submissions on request. |
| Data portability | Users can request their data in a structured, machine-readable format. Dapple lets you export user data to CSV at any time. |
| Consent | Add custom terms and conditions with a consent checkbox to any submission form. Users can withdraw consent as easily as they gave it. |
Security and privacy by design
Dapple maintains user data securely and privately:
We don't share user data with third parties beyond essential subprocessors (listed below).
We're transparent about what we collect and why.
We only process data necessary for the platform to function.
Communications between Dapple and your browser are encrypted in transit.
Data at rest is encrypted using industry-standard encryption.
Consent management
Dapple lets you display custom terms and conditions and a consent checkbox on every submission form. Creators see the terms before submitting, must tick the checkbox to confirm acceptance, and Dapple stores a record of consent against each submission. Withdrawing consent is as easy as granting it — creators can request data deletion via their account or via you.
Data residency
Dapple maintains complete data residency within Europe — all organisational and creator data is stored securely in our Europe-based facilities. For international customers, Dapple implements robust data-transfer mechanisms (Standard Contractual Clauses where required) as detailed in our Customer Terms of Service, adhering to global data protection standards.
Third-party subprocessors
Dapple uses a small, vetted set of subprocessors to deliver the service:
Stripe — payment processing.
Intercom — customer support messaging.
(Additional subprocessors are listed in our subprocessor agreement, available on request.)
We thoroughly vet every subprocessor to ensure they meet GDPR's requirements. An up-to-date list of current subprocessors is available on request from privacy@dapplehq.com.
How creators can exercise their rights
Creators with a Dapple account can:
Sign in to see every submission they've ever made (right to access).
Withdraw any submission still in Draft (granular control).
Export their data as a CSV via support request (data portability).
Request deletion of their account via support (right to be forgotten).
Organisations are the data controllers, so creator requests should typically come to your team first. Dapple supports the technical execution of those requests.
What you should do as a controller
Maintain your own privacy policy describing how you use creator data.
Ensure your submission forms include a consent checkbox where appropriate.
Train your team on how to respond to access, deletion, and portability requests.
Document your subprocessors and data transfers.
Sign Dapple's Data Processing Agreement (DPA) — request one from privacy@dapplehq.com.
