GDPR Compliance
t18 is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page outlines our compliance measures, your rights as a data subject, and how we ensure the security and privacy of your data.
Our Commitment to GDPR
t18 fully complies with the General Data Protection Regulation (EU) 2016/679. We have implemented comprehensive technical and organizational measures to ensure the protection of personal data processed through our platform. Our approach is built on the principles of data minimization, purpose limitation, and transparency.
Legal Basis for Processing
We process personal data under the following legal bases: Contract Performance — processing necessary to provide our services as agreed in our Terms of Service; Legitimate Interest — processing necessary for improving our services, security, and fraud prevention; Consent — processing based on your explicit consent, such as for testimonial publication and marketing communications; Legal Obligation — processing required to comply with applicable laws and regulations.
Data We Process
In providing our services, we process: Account Data — name, email address, organization details for account management; Testimonial Data — content, author information, and media submitted through collector forms; Usage Data — anonymized analytics data about how you use our platform; Technical Data — hashed IP addresses, browser type, and device information for security and optimization.
Data Protection Measures
We implement robust technical and organizational measures including: encryption of data in transit (TLS 1.3) and at rest (AES-256); regular security assessments and penetration testing; access controls based on the principle of least privilege; data processing agreements with all sub-processors; regular employee training on data protection best practices; incident response procedures and 72-hour breach notification.
Sub-Processors
We use the following sub-processors to provide our services: Convex (United States) — database and backend infrastructure; Clerk (United States) — authentication and user management; Vercel (United States) — website hosting and edge delivery; Google Cloud (EU/US) — AI translation processing; Dodo Payments (United States) — payment processing; Resend (United States) — transactional email delivery. All sub-processors are bound by data processing agreements ensuring GDPR compliance.
International Data Transfers
When personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission; Data processing agreements with all recipients; Assessment of the legal framework in the recipient country; Additional technical measures where necessary.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Account data is retained for the duration of the account plus 30 days after deletion. Testimonial data is retained until the project owner deletes it or the account is closed. Analytics data is retained in anonymized form and is not subject to deletion requests. Backup data is automatically purged within 90 days.
Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will: notify the relevant supervisory authority within 72 hours of becoming aware of the breach; notify affected data subjects without undue delay when the breach is likely to result in a high risk; document the breach, its effects, and remedial actions taken.
Your Data Subject Rights
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
You can request correction of inaccurate or incomplete personal data. Update your profile directly or contact us.
You can request deletion of your personal data. We will process deletion requests within 30 days, subject to legal retention requirements.
You can request your data in a structured, commonly used, machine-readable format (JSON or CSV) for transfer to another service.
You can request that we limit processing of your data in certain circumstances, such as when you contest data accuracy.
You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
Where processing is based on consent, you can withdraw consent at any time. This does not affect the lawfulness of prior processing.
Data Protection Officer
For any GDPR-related inquiries, data subject requests, or concerns about our data processing practices, please contact our Data Protection Officer.
dpo@t18.io