How to comply with privacy regulations like the GDPR?

Over the last few years, many countries have introduced legislation to protect personal data and privacy for individuals and establish guidelines for organizations that process this data. We can't address all legislation. Therefore, in this article, we describe how personal data is used in FlippingBook Online, so you can comply with applicable legislation. We focus on the GDPR, which is generally regarded as the strictest when it comes to data rights and processing requirements. 
Disclaimer: We’ve taken great care to ensure the information provided here is accurate and up to date. However, this content is for general informational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a qualified attorney or legal professional.

 

Note! This article concerns data from your visitors, i.e., the people who view your flipbooks, and how we process their data as part of the service we provide for you. You, the user of our service, are the controller of this data.
In this article, we don't discuss the processing of your own personal data (if any) to provide our service to you. 

 

How is personal information used in FlippingBook Online?

Before we dive into the details, FlippingBook is only available as a paid service and does not rely on advertising as a revenue stream at all. We have never served ads in publications to our users, and never will; not to paid users, and not even to free trial users. This means that we do not need to collect and process users’ personal information beyond what is required for the functioning of our products. FlippingBook Online publications, by default, don't process any personal information. However, there are a few situations where personal information can be gathered and processed. We will describe them first and then provide more detailed information per topic.

  1. Personal information that is part of your PDFs
    If you upload a PDF, it may contain personal information about, e.g., your customers or employees.  
  2. Information you gather using the Lead capture form
    Some FlippingBook Online plans allow you to add a Lead Capture form to your publications. With this Lead Capture Form, you can gather information about your visitors. In the vast majority of cases, this is personal information.
  3. Information you gather using Trackable links
    With FlippingBook Online, you can create trackable links. Such links are often sent to a specific recipient, so you can see if they actually open your link and which pages they viewed. This way, you gather personal information. 
  4. Information you gather using Google Analytics
    In some FlippingBook Online plans, you can set up Google Analytics to gather data about the usage of your flipbooks. Even if you cannot see any personal data in Google Analytics, Google could combine data about your visitor with other data that it already has and turn this into personal data.
  5. Information that is gathered when you embed third-party content
    In some FlippingBook Online plans, you can embed third-party content, such as YouTube videos, Typeform Forms, and more. If you do so, you may gather personal data directly (through questionnaires) or indirectly.   

 

 

Personal information that is part of your PDFs

When you create a flipbook, you upload a PDF that may contain personal information. This could be just the name and email of one of your employees in a marketing brochure somewhere. In some cases, we see PDFs with much more structured personal data, like internal directories. Publishing personal information is not necessarily prohibited. But to comply with the GDPR, you need a legal basis for any form of personal data processing: most commonly consent from the data subject, but there are other possibilities such as a contract, a legal obligation, a public task, a vital interest, or legitimate interests.

  1. You should ensure that you have a legal basis to publish such data. This is typically done by asking for consent when you acquire the data. We advise implementing a process to check the PDFs you upload for the presence of personal data and, if any is present, to verify that you are allowed to publish it (either because the data subjects consented or you have another legal basis).
  2. The GDPR requires taking measures to protect personal data from unauthorized access. This means that if you publish personal information, you should restrict it to the appropriate audience.
  3. If we receive requests from people about whom you publish data, using e.g., their Right to Erasure or Right to Rectification, we will forward these requests to you and ask you to take action (or to prove you have a legal basis). By handling such requests promptly (typically within 30 days), you stay compliant with the GDPR.

 

 

Information you gather using the Lead capture form

With the Lead capture form, you can gather data about your visitors. If you ask for any kind of personal data, then the GDPR requires you to have a valid legal basis for processing this data. Depending on the context, this may be consent from the data subject (for example, for certain direct marketing), a contract, a legal obligation, or legitimate interests. When you rely on consent, it should be freely given, specific, informed, and unambiguous. To do so, you will need to insert a link to a privacy policy that describes things like:

  • Who are you? (Your organisation’s name and contact details)
  • What will you use this data for? (e.g., "To send you monthly marketing emails")
  • With whom will you share this data?
  • For how long will you keep their data?
  • An explanation of how to withdraw consent (and, where relevant, how to exercise other GDPR data subject rights).

If one of your data subjects contacts you to exercise, e.g., their right to erasure, then you can contact our support team at support@flippingbook.com, and we will promptly erase the data.

If you fear that you or a colleague may violate the GDPR by not using this feature properly, then our support team can disable the Lead Capture Form feature for you.

 

 

Information you gather using Trackable links

If you create a trackable link and share that with an individual, you are gathering personal data about them. Under the GDPR, this also requires a valid legal basis for processing, which in many cases will be consent. While you can obtain such consent just before sharing this link with your recipient, a better way is to obtain it earlier, e.g., when you obtain their contact data in the first place. At that moment, you should clearly state in, e.g., your privacy policy that you will use their email to send proposals, and track if they open these proposals to see if you should send a reminder.

If you do not have such consent or another valid legal basis, we advise you not to make use of this functionality by sending trackable links to individuals. 

If you fear that you or a colleague may violate the GDPR by not using this feature properly, then our support team can disable the Trackable links feature for you.

 

 

Information you gather using Google Analytics

Google Analytics is a hotly contested topic when it comes to compliance with the GDPR. While there are ways to use Google Analytics and be compliant, there is no uniformity on what exactly is required, even among the countries within the EU/EEA. Hence, if you share your flipbooks in the EU/EEA, the best way to stay compliant is not to use Google Analytics. Instead, you can use FlippingBook's built-in analytics, which are fully compliant.

If you fear that you or a colleague may violate the GDPR by not using Google Analytics properly, then our support team can disable Google Analytics for you.

 

 

Information that is gathered when you embed third-party content

If you embed content from other platforms, like YouTube or Vimeo videos, or Microsoft Forms in your flipbooks, then you make use of services that are completely beyond our control. Unfortunately, that means that we cannot guarantee that such services don’t gather personal information from your viewers. When you embed such content, even if no personal information is gathered today, there are no guarantees that this will still be the same next year. As the data controller, you remain responsible for ensuring that any third-party services you use comply with applicable data protection law and that your viewers are appropriately informed.

In such cases, we advise you not to embed the content directly into your flipbooks, but instead add a link to content on the provider's platform. When your visitors open this link, the platform, e.g., YouTube, will inform your visitors about personal data processing and ask for consent if required, so you don't have to worry about this.

If you fear that you or a colleague may violate the GDPR by not using this feature properly, then our support team can disable the Content Editor for you.

 

Is FlippingBook fully GDPR-compliant?

If you follow the steps above, you should be fully GDPR-compliant when using FlippingBook Online. FlippingBook has taken all the technical and organizational measures required. For full transparency, we want to add the following points that you may require for your own compliance documentation:

  • We process your data in the US, specifically in the AWS data center in N. Virginia. See our subprocessors. The US is recognized as providing an adequate level of protection. Some organizations have internal procedures that discourage (or even forbid) data transfer to the US, but there is no legal requirement for that.  
  • Our Terms of Service that you accept include our Data Processing Agreement. If you require a signed DPA, then feel free to download and countersign the DPA and send it to our Support Team.  
  • We retain all data mentioned above (i.e., PDFs, trackable links, Lead Capture form data) as follows:
    • For specific flipbooks that you delete in your account, data is retained for 90 more days in case you want to restore them.
    • When you stop using your account, we retain all data for 180 days after the expiration date of the account.
  • Upon request, and subject to any legal obligations that require us to retain certain data, we will delete your personal data without undue delay.

 

Related articles

If you want to embed flipbooks on your own website, learn how to make flipbooks react to your cookie banner and what technical data we collect from readers.

 

 

 
