GDPR – Frequently Asked Questions

May 7, 2018
2 min read
GDPR – Frequently Asked Questions

In this article

Frequently Asked Questions

DISCLAIMER: The information below is not meant to serve as legal advice.

1. First off, what is the GDPR?

The EU General Data Protection Regulation (“GDPR”) is a new data protection and privacy law that takes effect on May 25, 2018. It replaces the existing Data Protection Directive 95/46/EC in order to harmonize data privacy laws across Europe as single set of rules which govern the processing and monitoring of EU data. Here’s a link to the regulation -

2. As a retailer using ReferralCandy, how should I think about ReferralCandy with respect to GDPR?

When you use ReferralCandy to run your referral program, you need to send data about your customers to your ReferralCandy account. As such, ReferralCandy is considered a 'Data Processor', and you are the 'Data Controller'.

As a Data Controller, you'll need to work with your customers to honor their requests about data you have processed or stored about them (whether in your ReferralCandy account or not).

ReferralCandy helps with this by providing tools that make it easy for you to change, delete and view the data in your ReferralCandy account at your customer's request.

As ReferralCandy is a Data Processor, you might need to obtain consent from your customers for how you plan to use ReferralCandy to process their data. If you need to so, we suggest you be as clear as possible about how you use ReferralCandy and why your end users might want to grant you consent to send their data to ReferralCandy.

With ReferralCandy, you can collect data via pages or widgets that you can use as part of your referral program. Data collected on these pages, where the experience is fully controlled by ReferralCandy, will be GDPR compliant by 25 May 2018.

However, we are not able to confirm that data collected and processed outside of our platform or on pages within the platform that have been edited or changed by you are GDPR compliant.

In these cases, we recommend that you seek help from your legal counsel to ensure you understand what it takes to become fully GDPR compliant.

3. How is ReferralCandy preparing for the GDPR?

Here are the main things that we are doing to meet GDPR obligations:

  1. Improving our internal processes and documentation to ensure that we meet GDPR standards.
  2. Assessing our data flows and reviewing any third-party Data Processors that personal data is pushed to to ensure their compliance.
  3. Reviewing the ReferralCandy product to add in features help you to easily comply with the GDPR.
  4. Updating our privacy policies and terms & conditions to ensure that they are compliant with the GDPR.

Over the next few weeks, we’ll be rolling out changes to be ready for the GDPR and make it easier for you to comply.

Update (24 May 2018): Our Privacy Policy has been updated to comply with the new requirements under the GDPR.

We've also appointed a Data Protection Officer to oversee data management and privacy. Get in touch by emailing

4. Features we’ve built to help you to comply with the GDPR

Here’re features that enable you to fulfill the rights of data subjects in your roles as a Data Controller:

Updating advocate data (“Right to rectification”, “Right to object”): You are able to edit the advocate’s data by clicking the ‘edit’ button on their specific page. Advocates also have access to their own settings page where they can personalize their referral links.

Unsubscribing advocates (“Right to object”): Each email that is sent to the advocate about the referral program has instructions to tell them how to unsubscribe from the referral program. You are able to unsubscribe advocates from the ReferralCandy dashboard as well if they request you to do so.

Exporting customer data (“Right to data portability”): You can download a full list of your advocates through the ‘Export to CSV’ feature. If you’d like more information about a specific advocate, please email us at with the name and email address of the advocate.

Delete advocate (“Right to be forgotten”, “Right to the restriction of processing”, “Right to object”): From the ReferralCandy dashboard in each advocate’s page, you are able to, at a click of a button, remove a customer and their data from the ReferralCandy systems.

5. Is it okay if customers are sent a referral email after a purchase even if they didn’t opt-in to it?

Yes, sending a referral email to customers if they didn’t specifically opt-in to it is allowed as long as certain conditions are fulfilled during the collection of their information and in the messages sent to them.


  • The customer’s information was collected in the context of a sale of product or service.
  • The customer needed to have been given the opportunity, free of charge, to object to marketing at the point of collection (e.g. when the purchase was made), in a clear manner, separate of any other information.
  • Each message sent to the customer for direct marketing should provide the opportunity to object too.

Here’s how, based on how you integrate with us, you can pass us marketing consent data of your customers:

  • Email integration: You can include marketing consent information in the invoice emails that are forwarded to ReferralCandy (e.g. Include this in the email ‘Marketing consent: false’). If marketing consent is ‘false’, the customer will be unsubscribed and excluded from the referral program. Learn more here.
  • Javascript integration: There is a field called ‘data-accepts-marketing’ that you can populate at the point of loading the script with ‘true’ or ‘false’. If you populate it with ‘false’, the customer will be unsubscribed and excluded from the referral program. Learn more here.
  • API purchase endpoint: You can pass us marketing consent via the ‘accepts_marketing’ field. If you set the field to ‘false’, the customer will be unsubscribed and excluded from the referral program. Learn more here.
  • Post-purchase popup script: There is a field called ‘data-accepts-marketing’ that you can populate at the point of loading the script with ‘true’ or ‘false’. If you populate it with ‘false’, the post-purchase popup will not be shown to the customer, and we’ll unsubscribe and exclude the customer from the referral program. Learn more here.

6. Stay Updated

This page will be updated to reflect GDPR-related information as it becomes available. If you have questions regarding ReferralCandy and the GDPR, please feel free to reach out to us.

Note: If you need any further help with this or any other issues you may be having with our services, check out our Help Center.


ReferralCandy is a customer acquisition tool used by hundreds of ecommerce retailers and business owners around the world.

Get the latest word-of-mouth marketing tips and resources in your inbox
Thanks for signing up to our newsletter! You can also follow us on Facebook and Instagram for latest updates.
Oops! Something went wrong while submitting the form. Please try again!