GDPR Tools

Self-serve data export, right-to-be-forgotten, per-purpose consent tracking, audit logs — on every plan, not an enterprise upgrade.

No credit card required · All 4 services included

Why GDPR features belong on every plan

GDPR isn't optional if you have EU users. Most marketing platforms treat GDPR as an enterprise-tier feature because compliance is "expensive" — a way to upsell. We disagree: GDPR rights are legally required, not a nice-to-have, so they should be standard.

Monfri ships GDPR tools on Starter, Growth, and Scale. Self-serve, no support ticket, no additional SKU.

Data residency: EU by default

Your customer data is hosted in the EU (Bulgaria). Backups are replicated to Cloudflare R2 in EU regions. No data leaves the EU without your explicit action.

Compare this to HubSpot (US-hosted by default, EU on Enterprise tier only), Mailchimp (US AWS by default), and Salesforce (US-hosted primary).

Self-serve data subject rights

Right of access (data export)

When a user requests their data, your admin clicks "Export" on their profile. Monfri generates a JSON archive containing all CRM data, email history, events, consents, and computed traits. The download link expires in 7 days.

Right to erasure (right to be forgotten)

Click "Delete" on a profile. Monfri:

  • Immediately removes the profile from all active audiences, lists, and segments
  • Stops all active campaigns to that user
  • Marks their identifiers as suppressed (so future imports don't re-create them)
  • Schedules hard-delete of PII data after 30 days (allows for accidental deletion recovery)
  • Writes an audit log entry with timestamp, admin, and reason

Right to rectification

Edit any profile field directly. Change history is logged automatically.

Right to object / restrict processing

Toggle consent flags per purpose. Blocked purposes stop all related processing immediately.

Consent management (per-purpose)

GDPR expects granular consent — not one big "accept marketing" toggle, but per-purpose consent with:

  • What purpose (analytics, marketing, personalization, functional)
  • When consent was given (timestamp)
  • Where consent was given (page URL, IP address at time of consent)
  • How it can be withdrawn (link to preference center)

Monfri stores all of this automatically via our consent API. Integrate with your cookie banner tool (OneTrust, Cookiebot, etc.) or use our built-in consent widget.

Audit logs

Every GDPR-relevant action is logged:

  • Who accessed which user's data (admin + timestamp)
  • Exports requested and downloaded
  • Erasures requested, executed, and confirmed
  • Consents granted and withdrawn (with source)
  • Bulk operations (list exports, segment exports, API pulls)

Audit logs are immutable and retained per your plan (90 days Starter, 365 days Growth, 730 days Scale). Export for regulator response on demand.

Data Processing Agreement (DPA)

Our standard DPA includes:

  • Standard Contractual Clauses for any non-EU sub-processor transfers
  • 72-hour breach notification commitment
  • Sub-processor advance notification (30 days)
  • SOC 2 Type II evidence (under NDA)
  • Liability terms appropriate for SMB-Enterprise contracts

Request DPA via admin panel or [email protected]. Auto-signed within 24 hours for standard terms.

Sub-processor transparency

Monfri publishes its sub-processor list at /privacy with:

  • Name of each sub-processor
  • What they process (PII, payment data, logs, etc.)
  • Their location (country)
  • Their compliance attestations

Major sub-processors: Cloudflare (CDN/DDoS), Paddle (billing), KumoMTA (email delivery), Twilio (SMS), OpenAI (AI features, opt-in).

CCPA support

For California users, we support the CCPA "Do Not Sell My Personal Information" right. Toggle per profile, applied across all processing.

Try GDPR Tools

Included in every Monfri plan. 14-day free trial of Growth — no credit card.
