
GDPR Compliance

Our commitment to data protection and your privacy rights

Last updated: 10 February 2026

1. Introduction

Thrust CRM is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we comply with data protection laws and what it means for you.

2. Our Role Under GDPR

2.1 Data Controller

For your account information (email, name, billing details), we are the data controller. We determine how and why this data is processed.

2.2 Data Processor

For customer data you store in your CRM (your contacts, companies, communications), we are the data processor. You are the controller, and we process this data on your behalf according to your instructions.

3. Your Rights Under UK GDPR

Eight Key Rights

  1. Right to be Informed: Know what data we collect and why
  2. Right of Access: Request a copy of your personal data
  3. Right to Rectification: Correct inaccurate or incomplete data
  4. Right to Erasure: Request deletion of your data ("right to be forgotten")
  5. Right to Restrict Processing: Limit how we use your data
  6. Right to Data Portability: Receive your data in a machine-readable format
  7. Right to Object: Object to processing based on legitimate interests
  8. Rights Related to Automated Decision Making: Object to automated decisions (we don't make automated decisions that significantly affect you)

How to Exercise Your Rights

To exercise any of these rights:

  • Email: dpo@thrustcrm.com
  • In-App: Account Settings > Privacy > Data Rights
  • Response Time: We'll respond within one month of receiving your request, as UK GDPR requires; for complex or numerous requests this period may be extended by up to two further months, and we'll tell you within the first month if an extension is needed and why

4. Lawful Basis for Processing

Data Type           Lawful Basis           Purpose
Account details     Contract               Provide the CRM service
Usage data          Legitimate Interest    Improve service, fix bugs
Marketing emails    Consent                Send promotional content
Financial records   Legal Obligation       Tax compliance (retained 7 years)
Customer CRM data   Contract (DPA)         Processed on your behalf under your instructions; as controller, you hold the lawful basis for this data

5. Data Processing Agreement (DPA)

As a data processor, we provide a Data Processing Agreement that covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Your instructions for data processing
  • Our obligations regarding data security
  • Sub-processor disclosure and approval
  • Data breach notification procedures
  • Assistance with data subject rights requests
  • Data deletion upon termination

Download our Data Processing Agreement

6. Data Security Measures

We implement appropriate technical and organizational measures:

Technical Measures

  • TLS encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication (MFA)
  • Regular security patching and updates
  • Intrusion detection and prevention systems
  • Regular penetration testing

Organizational Measures

  • Staff security awareness training
  • Background checks for employees with data access
  • Role-based access controls (least privilege)
  • Incident response procedures
  • Regular security audits and risk assessments
  • Supplier due diligence

7. International Data Transfers

Our primary servers are located in the UK. We may transfer data to:

  • EU/EEA: Adequacy decision in place (no additional safeguards needed)
  • USA: Only to providers with approved safeguards in place (Standard Contractual Clauses together with the UK International Data Transfer Addendum, which is what makes SCCs valid for transfers from the UK)

Sub-processors with data access:

  • AWS (UK/EU regions) - Cloud hosting
  • Stripe (EU operations) - Payment processing
  • Mailgun (EU infrastructure) - Email delivery

8. Data Breach Procedures

If a personal data breach occurs:

  1. Detection: We monitor systems 24/7 for security incidents
  2. Assessment: Evaluate the breach scope, risk, and impact within 24 hours
  3. Notification to ICO: Where we are the controller, report to the Information Commissioner's Office within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
  4. Notification to You: Where we are your processor, inform you without undue delay after becoming aware so that you can meet your own notification obligations; where we are the controller and the breach is likely to result in a high risk to affected individuals, inform them without undue delay
  5. Remediation: Contain breach, fix vulnerabilities, prevent recurrence
  6. Documentation: Maintain breach records as required by law

9. Your Responsibilities (as Data Controller)

When you use Thrust CRM to process customer data, you must:

  • Ensure you have a lawful basis to process your contacts' data
  • Obtain necessary consents from your contacts (e.g., for marketing emails)
  • Provide fair processing notices (privacy policy) to your contacts
  • Honor data subject rights requests from your contacts
  • Implement appropriate security measures for data you upload
  • Comply with PECR (Privacy and Electronic Communications Regulations) for email/SMS marketing
  • Conduct your own Data Protection Impact Assessments (DPIAs) when required

10. Children's Data

Thrust CRM is not intended for children under 16. If you're using Thrust CRM to process children's data (e.g., for a school), you must:

  • Obtain parental consent for children under 13
  • Implement additional safeguards for children's data
  • Conduct a DPIA for processing children's data
  • Notify us that you're processing children's data

11. Automated Decision Making

Thrust CRM does not make automated decisions that produce legal effects or significantly affect you. Our automation features (workflows, email sequences) are tools you control and configure.

12. Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for high-risk processing activities. If you're planning to use Thrust CRM for high-risk processing (e.g., large-scale profiling, processing special category data), we can provide information to assist your DPIA.

13. Supervisory Authority

We're regulated by the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Report a concern: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

14. Contact Our Data Protection Officer

For GDPR-related questions or to exercise your rights: