GDPR and Extu

At Extu, we value our users’ privacy.

What has Extu done to comply with the GDPR?

Extu is committed to being responsible custodians of the personal information you trust us to collect and process. As part of our commitment to privacy, we have taken specialist legal advice and established an internal GDPR team to assess our responsibilities and implement the measures required for GDPR compliance. We have also adopted the GDPR as our global standard for data privacy and protection. Here is a summary of the key steps we have taken:

  • Gap analysis: We have performed a gap analysis of the requirements imposed by GDPR, as applicable to Extu’s business operation.
  • Data Maps: We’ve created comprehensive data maps that track personal data flows throughout our systems and services.
  • Disclosure: We have updated disclosures on our marketing materials and landing pages.
  • Privacy notice: We have updated our website privacy notice and internal privacy notices to make them GDPR compliant as well as being more clear, concise and transparent about how we process personal data.
  • Data breach notification: We have updated our data breach plan and incident response procedures to bring them into line with the GDPR.
  • Data security: We have reviewed and where appropriate updated/upgraded our technical and organizational system security practices.
  • Data subject rights: We have put in place processes for dealing with key data subject rights, such as the right to access, right to request portability of data and right to erasure.
  • Data processing records: We have GDPR-compliant data processing records, including cross-border transfer procedures.
  • Data protection policies and training: We have developed data protection and handling policies and have put in place a training framework for all Extu personnel.
  • Vendors and third parties: We have reviewed our relationships with third party providers and have ensured the terms we have in place meet the requirements of the GDPR.

Our GDPR compliance journey involves a process of continuous improvement.  We are here to support your marketing initiatives and working as team we can build a trusting and transparent relationship with your current and prospective subscribers.

As we have adopted the GDPR as the standard for our global data privacy compliance program, we are able to meet many of the requirements under the CCPA.  Where required, we have updated our internal policies and controls to address the CCPA, such as our data incident plans.  We have also updated our privacy notice.  

How has Extu addressed the California Consumer Protection Act (CCPA)?

The CCPA includes a right for residents of California to object to the “sale” of their personal information.  Extu does not sell personal information.  We only disclose personal data to third parties who are service providers or to third parties, such as our sponsors, for business purposes, or where you have authorized us to do so.

Quick FAQs

We use a top-tier, third-party data hosting provider (Amazon Web Services), to host our services. For more information about AWS’s approach to compliance with the GDPR, see

A full list of our third-party processors can be found here.

Yes, if you are established in the EU, or where you are established outside of the EU, to the extent that any of your subscribers are located in the EU, you will be considered the controller of your subscriber information. There are also data privacy requirements that you are obligated to meet under Extu’s General Terms of Service. Therefore, when you participate in the Extu program and under our General Terms of Service, your obligations under the GDPR include making sure that:

  • you have a GDPR-compliant subscriber list
  • your privacy notice has adequate disclosure in line with GDPR requirements
  • you have appropriate technical and organizational security measures in place to mitigate risk of a privacy breach
  • you notify Extu immediately if you receive a privacy complaint or request or are involved in a potential or actual data breach incident.

Extu is committed to helping you meet your GDPR obligations with respect to subscriber preference management, cookie disclosure, personal information requests and other data subject rights. We will be doing our best to make sure our service is delivered in compliance with applicable privacy regulations and are working to help you deliver your marketing message to customers in line with the GDPR.

Please see our partner GDPR obligations section for further information.

We have technical measures and organizational procedures in place to safeguard the security and confidentiality of personal information. Some of these include:

  • Network protection: Multiple layers of security controls protect access to and within our environment, including firewalls, intrusion protection systems and network segregation. We engage data security experts on a regular basis and leverage their expertise to protect our systems.
  • Data encryption: We encrypt all data that goes between you, your subscribers and Extu using industry-standard TLS (Transport Layer Security).
  • Secure data centers: Our servers are located within enterprise-grade hosting facilities that employ robust physical security controls. Extu maintains geographically separated data replicas and hosting environments to minimize the risk of data loss or outages.
  • Internal policies and controls: We maintain extensive data protection policies and IT security policies, as well as conducting regular audits of systems and controls.

This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.