GDPR Compliance

Last Updated: March 13, 2026

GF Utility & GDPR

GF Utility is designed to help WordPress site owners comply with GDPR requirements, particularly through its Redact Sensitive Data utility. The Plugin itself processes minimal personal data and provides tools for data protection.

1. Data Processing Overview

GF Utility as Data Processor: When you use GF Utility on your WordPress site, you (the site owner) are the Data Controller. GF Utility acts as a Data Processor for the form data it handles.

Key Principles: The Plugin follows GDPR principles of data minimization, purpose limitation, and storage limitation. It only processes data necessary for its utilities to function.

2. Redact Sensitive Data Utility

This utility helps with GDPR compliance by:

  • Removing sensitive information from form entries (e.g., credit card numbers, social security numbers)
  • Processing data locally on your server, with no external transmission
  • Offering configurable patterns for different types of sensitive data
  • Providing optional audit logging to track redaction actions

Important: The Redact utility must be properly configured to match your data protection requirements. It does not automatically detect all sensitive data.

3. Data Subject Rights

GF Utility supports GDPR data subject rights through:

Right to Erasure

The Redact utility helps remove sensitive data from existing entries, supporting partial erasure requirements.

Data Minimization

Utilities are opt-in - only enable what you need, reducing unnecessary data processing.

Access & Portability

GF Utility doesn't restrict access to form data - use Gravity Forms export for data portability.

Consent Management

While GF Utility doesn't handle consent directly, it works with Gravity Forms consent fields.

4. Data Protection Impact Assessment

For GDPR compliance, consider these aspects when using GF Utility:

  • Purpose: Each utility should have a defined purpose in your data processing activities
  • Necessity: Only enable utilities that are necessary for your specific use case
  • Data Types: Document what data each utility processes (e.g., form entries, page relationships)
  • Retention: GF Utility doesn't store data long-term - it processes data in real-time
  • Security: The Plugin follows WordPress security best practices

5. International Data Transfers

GF Utility is designed to minimize international data transfers:

  • Form data: Never leaves your server (processed locally)
  • License validation & updates: Handled by Freemius, our e‑commerce platform. Freemius uses global CDN infrastructure but processes and stores customer data in GDPR‑compliant regions.
  • Payment processing: Handled by PCI‑compliant payment processors (Stripe, PayPal) via Freemius
  • Support: Email communication may transit through international servers

When data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and GDPR‑compliant data processing agreements with our service providers, including Freemius.

6. Data Processing Agreement

As a GDPR Data Processor, we offer a Data Processing Agreement (DPA) for enterprise customers. The DPA includes:

  • Processing instructions and purposes
  • Technical and organizational security measures
  • Sub-processor information (see below)
  • Data breach notification procedures
  • Audit rights (with limitations)

Sub‑processors: We engage the following sub‑processors to provide GF Utility services:

  • Freemius Inc. – E‑commerce, license management, updates distribution, customer support platform
  • Payment processors (Stripe, PayPal) – Secure payment processing (via Freemius)
  • Email service providers – Transactional email delivery
  • Hosting providers – Website and update server infrastructure

All sub‑processors are bound by data processing agreements that comply with GDPR requirements. To request a DPA or receive notifications of sub‑processor changes, contact privacy@gravityextend.com.

7. Security Measures

We implement appropriate technical and organizational measures:

Technical

  • Encryption in transit (HTTPS/TLS)
  • Secure code development practices
  • Regular security updates
  • Access controls and authentication

Organizational

  • Employee privacy training
  • Data protection by design
  • Incident response plan
  • Regular risk assessments

8. Your Responsibilities

As a Data Controller using GF Utility, you should:

  • Configure the Redact utility appropriately for your data types
  • Document GF Utility in your Record of Processing Activities
  • Obtain necessary consents for form submissions
  • Inform data subjects about processing in your privacy policy
  • Conduct regular security assessments of your WordPress installation
  • Keep GF Utility updated to benefit from security improvements

9. Breach Notification

In the event of a personal data breach involving GF Utility, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach, where feasible.

10. Contact & Resources

Data Protection Officer: Our appointed Data Protection Officer

Email: dpo@gravityextend.com

Privacy Policy: View our Privacy Policy

EU Representative: Not required (we are based in the EU)

GDPR Checklist for GF Utility Users

✓ Configuration

  • Redact utility configured for your sensitive data types
  • Only necessary utilities enabled
  • Plugin kept up to date

✓ Documentation

  • GF Utility included in your ROPA
  • Processing purposes documented
  • Data subjects informed in privacy policy