GroupBy is GDPR Ready

The General Data Protection Regulation (GDPR) is a European Union regulation that regulates the collection and processing of personal information (“PI”) (a) of European residents or (b) in the context of an establishment in the European Union. The GDPR became effective on May 25, 2018, and obligates organizations globally to protect this information.

This FAQ provides answers to questions from our customers about the steps GroupBy has taken with respect to the GroupBy platform to address the GDPR.

GroupBy determines the purposes and means of handling PI processed by GroupBy in connection with GroupBy's website available at Accordingly, under the GDPR (to the extent applicable), GroupBy acts as a controller (as defined in the GDPR) with respect to that PI. Please see GroupBy's privacy policy, available at for more details on how we handle that class of PI.

What Personal Information ("PI") Data Does GroupBy Collect

In accordance with GDPR, GroupBy only collects PI required to provide services for our platform. GroupBy believes in the importance of privacy and that end-user privacy should be protected. To that end, the only PI GroupBy collects from end-users of our customers' websites is end-user IP addresses, collected using cookies placed on an end-user device, and only with consent provided by the end-user via the customer’s website privacy controls. The GroupBy platform never collects, accepts, processes or stores names or email addresses from end-users of our customers' websites.

Data Security

GroupBy employs a wide range of security controls to protect customer data:

  • Data encryption (AES-256) at rest and in transit.
  • Secured service APIs and authenticated access.
  • Intrusion detection and resolution.
  • Access to systems is based on the principle of business need and requires approval.
  • Security is configured to grant the least amount of access required for functionality.
  • Watch Dogs monitor system functionality and notify appropriate staff when operational issues are identified.
  • Full system logging on all systems and applications is enabled.
  • Physical data center controls include electronic access cards, vehicle access barriers, perimeter fencing, metal detectors, biometric access, and 24/7 monitoring of high-resolution interior and exterior cameras for intrusion detection.

Where Is Data Stored (Locality)

For North American customers, data is stored in data centers in the U.S., with the primary data center located in Idaho. For European customers or subsidiaries, data is stored in a data center in Belgium.

Data Access

Customers can only access data associated with their specific account via user accounts and passwords managed by the customer in combination with a randomly generated security key. All data is encrypted at rest and in transit by default using AES-256.

Data Deletion and Data Retention

GroupBy permanently deletes all customer data within 180 days of the end of a contract, or at an earlier date upon customer request. Data is never retained beyond 180 days except to the extent permitted by applicable law.

Third-Party Audits and Certifications

GroupBy completes annual audits for its Subscription Service for the following standards:

  • SOC 2 Type II (Security, Confidentiality, Availability, Processing Integrity, and Privacy)

The GroupBy Subscription Service operates on the Google Cloud Platform ("GCP").

Where can I obtain more information about Data Privacy at GroupBy?

Any questions or general comments can be directed to [email protected]

Mailing address:

GroupBy Inc.

250 The Esplanade, Suite 500

Toronto, Ontario M5A 4J5


ATTN: Privacy Officer