Privacy

Our corporate information and product privacy page

 

How we protect your personal data

Since May 25th, 2018, the EU General Data Protection Regulation (GDPR) has been in effect, regulating the processing of personal data for EU member states and their citizens.

Under the GDPR, you (our customer) are the controller of your personal data, and efficy acts as your processor. This means that it’s our responsibility to ensure any data we store and process on your behalf is accessed and protected in full compliance with GDPR. 
 

FAQs

Is efficy GDPR compliant?

Yes. To meet GDPR requirements, efficy has conducted a comprehensive assessment across our infrastructure, business operations, and development setup.

We’ve implemented an Information Security and Privacy Management System to ensure the maximum level of compliance and security. This is demonstrated through our certifications:

• ISO/IEC 27001:2022 (Information Security Management)
• ISO/IEC 27701:2019 (Privacy Information Management, an extension of ISO/IEC 27001)

These certifications reflect our commitment to establishing, implementing, maintaining, and continually improving both security and privacy management systems.

efficy also monitors ongoing developments in privacy law and has conducted a supplier compliance and data transfer assessment following the Schrems II decision, ensuring alignment with applicable legislation.

Where is your personal data stored?

All personal data is hosted and processed within the EEA/EU, with no transfer to third parties outside the EEA/EU, except for limited use of Intercom (for support chat in some of our products), which can be disabled on request.

Your data is safe in Europe. 
 

| Product | Data storage location |
| --- | --- |
| Maxo | France |
| Apsis One / Pro | Ireland, backup Germany |
| Tribe | Netherlands |
| efficy Starter | France |
| efficy SMB | France |
| efficy Enterprise | France |
| efficy Corporate | France |
| webCRM | Ireland |

What types of information stored by efficy are affected by GDPR?

Data created and/or uploaded by customers (such as email, documents, contact information, etc.). This data is controlled by the customer and only known to the customer. As a result, customers have full control over the deletion process themselves.

Logs and backups are cleaned and deleted in cycles, with GDPR requirements taken into consideration.

Product-specific personal data details

CRM

Name (call name, first name, surname, and insertions), gender, email, website, and telephone numbers (mobile, landline, Skype, and fax), address details (street, house number, postcode, city and country) and employer.

Apsis One

Data Input: Controllers populate profiles with data into both default and additional data fields using self-service tools like File Import Wizard, Migration Wizard, or the APSIS One API.

Additionally, APSIS One also provides mechanisms to capture information directly from website visitors into both default and additional fields, using customer-configured Sign-up bars, Cookie Banner, Forms and other APSIS One activities.

Default Data Fields (Attributes): The following data fields are created by default, referred to as Default Attributes: Name, email, mobile number, birth date, CRM-ID, and cookie ID.

Default Data Fields (Events): APSIS One only collects default event data (events or event data) automatically, and only in relation to APSIS One activities created and activated by the controller.

Additional Data Fields: Controllers may import and/or collect additional data to populate custom attributes and events. These are specific to the controller, and considered as "additional data". efficy has limited insights into the controller’s additional data.

Apsis Pro

Default Data Fields: The following are categories of data fields that are default: Email, name, telephone number, unique identifiers (ProfileId and CookieId), IP address, behavioural data, and geo-location (only APSIS Profile Cloud).

Customizable Data Fields: In addition to data in the above default data fields, controllers may upload and/or collect additional data in customisable data fields that are specific to the controller (by manual and/or automated setup) via the Subscription Service (“Additional Data”). By default, the processor has limited insight into the controller’s Additional Data.

 

Does efficy use any third-party partners relevant to GDPR?

efficy publishes its list of sub-processors on its website, available here: Sub-processors information | efficy.

We apply a strict Third-Party Management Policy to ensure that only secure and compliant sub-processors are selected. Controllers are notified in writing of any changes to the sub-processor list.

Does efficy have a Data Protection Officer?

Yes, our Data Protection Officer (DPO) can be reached at [email protected].
 

How do you secure your products?

Please visit our Trust Center portal to access this and other relevant information.

How does efficy handle data subject requests?

When efficy receives a data subject request, we forward it to the controller (you) and assist as needed.

However, all efficy products include built-in features that allow you to handle data subject requests autonomously — including the ability to correct, export, and delete personal data on your own.

How does efficy handle data breaches?

efficy has implemented a Personal Data Breach policy.

• Detection: A personal data breach can be detected automatically (depending on the products) or manually by an employee or external party.
• Response: Once a breach is detected, an Incident Response Team is activated to implement appropriate measures to mitigate the breach.
• Notification: efficy will notify the controller without undue delay, in most cases within 48 hours of discovering the breach.
• Assistance: efficy will then provide all the necessary support to help the controller. 
 

How does efficy ensure that all its personnel will process personal data correctly?

All efficy personnel:

• Sign a Non-Disclosure Agreement (NDA) as part of their work agreement.
• Undergo GDPR training during onboarding.
• Complete mandatory annual GDPR training.
• Participate in ongoing awareness programs (e.g., through security ambassador initiatives).