Legal
Terms of use
What you agree to when signing up to use Cakemail
Privacy policy
What we will and won't do with the information you give us
Anti-spam policy
The rules and practices that protect email recipients
App License
When and how this application may be used
Currently reading
Privacy policy
To whom this policy applies
This privacy policy declaration applies to the following parties:
  • Cakemail Inc., proprietor and administrator of the service Cakemail as defined on the web site cakemail.com. The company Cakemail Inc., operating under the web address cakemail.com is referred to as Cakemail in this declaration;
  • Registered users of the service Cakemail possessing a member list. These Cakemail users are referred to as “Clients” in this declaration;
  • Members of the mailing list, recipients of the permission-based marketing e-mails by an intermediary of the Cakemail service. These mailing lists are generated by the Clients of Cakemail and the administration of such lists is facilitated by Cakemail. The members of these mailing lists are referred to as ”Subscribers”.
  • Internet users seeking information from web sites administered by Cakemail. The users of these sites are referred to as ”Users”.
Effective as of January 17, 2022
Personal information
Except as provided elsewhere in this privacy policy, Cakemail will not divulge any User’s personal information to any third party. The User can, without obligation, gather essential information regarding the Cakemail service on the Cakemail web site provided that the User or the Client does not reproduce the content for personal or commercial purposes.

If the User wishes to download electronic documents from the Cakemail web site, contact customer service, subscribe to a mailing list or become a Client of the Cakemail service, the User must consent to the collection by Cakemail of the User’s personal information with the objective of verifying, where applicable, the identity or registration, including last and first name, physical address, phone number, e-mail address and payment details for the purpose of opening a Cakemail account.

All personal data will be used exclusively for administrative purposes so as to offer Clients and Users the required and requested service.
Data protection and non-divulgation of personal information
Cakemail conforms to the rules governing Canada’s Personal Information Protection and Electronic Documents Act, Quebec’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and the European Union’s General Data Protection Regulation (collectively the “Applicable Privacy Laws”).

All personal data provided during registration of the Cakemail service will be stored in a secure database and protected with SSL (Secure Socket Layers). This data, including member lists belonging to the Clients of Cakemail, will be exclusively accessible by workstation intermediaries and protected by authentication.

Access to this data is only accessible to Cakemail authorized personnel for maintenance and analysis purposes. This data will be stored as long as is necessary unless a formal request for its destruction is made by the person to whom it relates.

Except as provided in this section and elsewhere in this privacy policy, Cakemail will not divulge any personal information to a third party allowing a Client or member to be identified without their prior written consent so as to avoid any damage to their personal reputation or their companies or to the intermediaries that represent them. Any and all transfers of such personal data that may be made to third parties outside of Canada will be made exclusively with service providers who comply with the General Data Protection Regulation.

Cakemail and its Clients promise to never rent, sell or disclose their member lists with third parties without the prior consent of members except that Cakemail may disclose personal information of its members in the rare circumstance where applicable law requires such disclosure in accordance with a court order.

Notwithstanding anything in this privacy policy to the contrary, we may share any information (whether personal information or not ) we have collected about Clients, Subscribers or Users or that has been submitted to us:
  • In response to subpoenas, court orders, or legal process, or to establish, protect, or exercise our legal rights or defend against legal claims or demands;
  • If we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, fraud, or situations involving potential threats to the safety of any person, or any violation of the Terms of Use;
  • If we believe it is necessary to investigate, prevent, or take action regarding situations that involve abuse of the Cakemail web site infrastructure or the Internet in general (such as spamming, denial of service attacks, or attempts to compromise the security of the Cakemail web site infrastructure or the Cakemail web site generally);
  • To a parent company, subsidiaries, joint ventures, or other companies under common control with Cakemail (in which case we will require such entities to honour this privacy policy);
  • If Cakemail is acquired by or merged with another entity (in which case we will require such entity to assume our obligations under this privacy policy, or inform all those affected that they are covered by a new privacy policy).
Communications with Clients
We use Typeform to collect data from clients which is transferred to Freshsales to manage and communicate with these clients. Typeform is used to collect data and store them safely on their Amazon AWS services. Freshsales, Zendesk, Google Mail, Olark. LeadInfo, Dropbox, Partner Stack and Slack are used to manage and send communications to build and manage customer relationships.

For more information, please refer to Typeform’s Privacy Policy, Amazon Security Privacy, Freshsales Privacy Policy, Zendesk’s Privacy Policy, Google Cloud Trust Principles, Olark Privacy Policy, LeadInfo Privacy Policy, Dropbox Privacy Policy, Partner Stack, Slack Legal.
Gathering of information for statistical and analytical purposes
Cakemail automatically collects certain information using Google Analytics and Postmastery, to help understand how visitors use Cakemail website, but none of this information identifies the Users personally. For example, each time Cakemail website is visited, Cakemail automatically collect IP address, browser and computer type, access times, the web page from which the visitor came, and the web page(s) accessed (as applicable).

Cakemail uses information collected in this manner only to better understand the needs of all Cakemail website visitors. Cakemail also makes use of information gathered for statistical purposes to keep track of the number of visits to Cakemail website and which pages on Cakemail website were visited, with a view to introducing improvements. For more information, please refer to Google Privacy Security Policy, Postmastery Privacy Statement.
Client management and secured payment processing
Cakemail uses Stripe, Bluesnap, Freshbooks, Freshsales, Profitwell, WePay and PayPal for third-party in the purchasing process of the Service. This intermediary has the exclusive permission to store, on our behalf, the data pertaining to the executed transactions by the Clients with the goal of ensuring a secure method of payment and proof of purchase archive, allowing for the protection of Clients, and swift follow-up. This transactional data may be used for validation and registration purposes of Clients. For more information, please refer to Stripe Privacy Policy, Bluesnap Privacy Policy, Freshbooks Privacy Policy, Freshsales Privacy Policy, Profitwell Policy, WePay Privacy Policy and PayPal Privacy Policy.
Data storage and hosting providers
We may store and process personal data with our contracted third-party service providers (“Service Providers”) in order to provide our Products and Services. These include Dropbox, eHawk, Amazon AWS, Google Docs and Google Cloud Services, Cloudflare, OVH, iWeb. For more information, please refer to Dropbox Privacy, eHawk Privacy Policy, Amazon Security Privacy, Google Cloud Trust Principles Cloudflare Privacy Policy. OVH Personal Data Protection, iWeb Privacy Policy.
Members, Clients and Users may decline at any time to make personal information available on the Cakemail web site. However, Cakemail reserves the right to accept or decline the registration of a Client to the Cakemail service if the personal data is found to be incomplete, fraudulent or furnished by a User who has not attained the age of majority (18 years for a resident of a Canadian province or 21 years for a resident of a state in the U.S.). Any data not conforming to the rules detailed above will be removed from the Client database by Cakemail within 72 hours. Similarly, permission-based marketing emails shall not be sent to Users who are minors without the prior written consent of their parents or legal guardians. In the case of any doubt regarding the registration information provided by a prospective Client, Cakemail reserves the right to require additional proof of identity and age. Cakemail reserves the right to cancel a Cakemail Client’s membership without warning when regulations governing the usage policy described above are not met.
Corrections and unsubscribing
A Client of the Cakemail service may communicate with Cakemail via email at support@cakemail.com regarding access to information submitted during registration and the correction thereof. Members of the Client mailing lists of the Cakemail service are asked to communicate directly with the Client in order to correct or validate any personal information regarding their registration to all permission-based marketing emails. If the Client does not, within a period of 72 hours, respond to a member’s request for access to personal information concerning them or the correction thereof, such member may communicate with Cakemail via email at support@cakemail.com. If a member’s modification requests are not respected by a Client of the Cakemail service, Cakemail reserves the right to impose sanctions on the Client’s usage.

Cakemail requires all Clients of the Cakemail service to include a clearly articulated option to unsubscribe from the mailing list in all permission-based marketing e-mails. Clients who must comply with Canada’s Anti-Spam Law have specific requirements for their unsubscribe mechanism. Please refer to the Anti-Spam Policy for details. A Subscriber must be able to unsubscribe at any time from a member list generated by a Client of the Cakemail service. The Subscriber may also unsubscribe at the same time from the member lists of any satellite subscriptions of a Client of the Cakemail service by submitting a verbal or written request to the Client. Should an unsubscribe request made by a member not be met by a Client of the Cakemail service within a period of 72 hours, the Subscriber may lodge a complaint directly with Cakemail through the contact section of the Cakemail web site.

Cakemail reserves the right to impose sanctions or to suspend service to any and all Cakemail Clients who do not conform to these requirements. A Client may, at any time, cancel use of the Cakemail service following, where applicable, the payment of fees set out in the preauthorized agreement accepted by the Client when registering for the service. Any User invited to participate in a promotional activity organized by a Cakemail Client (viral marketing of the “invite your friend to participate” type) retains the right to refuse the proposed promotional activity. All Clients of Cakemail are held responsible by Cakemail for the proper functioning of all viral marketing tools thereby avoiding an interruption of service.
Authorized content
Cakemail cannot be used for fraudulent purposes, those of an explicit nature or any activity not respecting applicable law. Clients may not use Cakemail for the following:
  • Promotion of a pornographic nature;
  • The sale of pirated products or those that do not conform to applicable law;
  • The commercial, promotional or pornographic exploitation of minors;
  • False advertising involving the extortion of a User;
  • Non-authorized publicity of an individual or business without official consent;
  • Promotion of web sites involving pirating, terrorism or the posting of information considered illegal in Canada, the U.S. and the European Union.
Any Clients of the Cakemail service not conforming to the aforementioned content rules will have their service blocked without warning. Cakemail reserves the right to pursue any Cakemail Client not conforming to these rules so as to protect the integrity of the services offered to its Subscribers, Clients and Users. Clients who must comply with Canada’s Anti-Spam Law have specific requirements for their email content. Please refer to the Anti-Spam Policy for details.
The Cakemail web site, as well as all electronic communications emitted by the Clients of Cakemail are permitted to contain hyperlinks to other web sites either belonging to partners of Cakemail or not. These web sites, independent of Cakemail, do not automatically conform to all the points of the present privacy policy. Cakemail is not responsible for the specific practices executed on these web sites and shall only be held responsible for the usage of the Cakemail service.
Usage of secondary information
Invisible GIFs and pixel tags are utilized in the permission-based marketing e-mails sent by the Clients of Cakemail so as to permit Cakemail to assemble general information regarding the success of transmission. Once a recipient opens an HTML e-mail sent by a Client of the intermediary services of Cakemail, the computer of the recipient grants access to the Cakemail servers to transmit these invisible GIFs. This tool allows Cakemail to assemble the following information: e-mail addresses and the dates and times of the delivery and opening of messages. This data allows Cakemail to optimize the e-mail delivery and assure that the transmission rules of all permission-based marketing e-mails are being respected by the Clients of the Cakemail service. Cakemail reserves the right to gather IP addresses in its files for statistical purposes or to test the functionality of Cakemail’s e-mail servers. Cookies are employed in the management execution of interfaces of the Cakemail web site. These cookies are used for the sole purpose of offering Clients of Cakemail access to more personalized information on the products and services of the company. The User visiting the Cakemail web site will always maintain anonymity. Cookies are also employed as part of online advertising campaigns. Third party vendors, including Google, display Cakemail advertisements on web sites on the internet. These third party vendors, including Google, use these cookies to serve ads based on a User’s prior visits to Cakemail.com. Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page.
Notification of changes
Cakemail’s creation of new services on the Cakemail web site or any other web site registered under Cakemail, may contain some modifications to the present privacy policy. In such a case, Cakemail will post a notice on the homepage of the web sites in question to inform present Clients or anyone requesting information. An archive of the previous policy will be available to Users for verification purposes. A similar process is in place regarding any updates of the Cakemail service. Any modifications in service taking place throughout the course of a Client contract will be documented and explained so as to facilitate the understanding of all executed upgrades. This update notice will be available on the homepage of the Cakemail web site. Cakemail’s Privacy Officer is responsible for ensuring that all parties conform to this privacy policy whether it be Cakemail staff or Clients of the Cakemail service and their Subscribers.

Any person wishing to comment or lodge a complaint of non-conformity of Cakemail’s privacy practices with the Applicable Privacy Laws is asked to communicate with Cakemail by email at privacy@cakemail.com or by mail addressed to: Privacy Officer, Cakemail Inc.
4020 Saint Ambroise, #100
Montreal, QC, H4C 2C7, Canada


Complaints or Concerns. Alternatively, complaints may be lodged with the applicable governmental authority.
Data Processing Addendum

This Data Processing Addendum (“DPA”) is effective as of the Effective Date of any master agreement for the provision of Services (the “Agreement”) between Cakemail Inc. ("Cakemail") and the Client specified in the Agreement (“Client”). Alternatively, the DPA is effective as of the date the Client enters into the Cakemail online Terms of Use at https://www.cakemail.com/legal/terms-of-use, which shall also be deemed the “Agreement” under this DPA. 

Cakemail and Client shall hereafter be collectively known as the “Parties” and individually known as a “Party”. To the extent that any of the terms or conditions contained in this DPA may contradict or conflict with any terms or conditions regarding the processing of Personal Data in the Agreement, it is expressly understood and agreed that the terms of this DPA shall take precedence and supersede those other terms or conditions as it regards the subject matter.

The Parties agree as follows:

1. Definitions

1.1 For the purposes of this DPA, the following expressions bear the following meanings unless the context otherwise requires: 
Applicable Data Protection Laws” means, in respect of a Party, any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of Personal Data, including:

(a) the Directive 2002/58/EC (as amended) (the “e-Privacy Directive”), the e-Privacy Regulation 2017/003 (COD) (the “e-Privacy Regulation”), and any laws and regulations implementing these; and

(b) the Directive 95/46/EC (as amended) (the “Data Protection Directive”), the Regulation 2016/679 (the “GDPR”), and any laws and regulations implementing these; 

(in each case as amended, consolidated, re-enacted or replaced from time to time).

Data Subject”, “Personal Data”, “Process”, “Processed” and “Processing” shall each have the meaning as set out in the GDPR;

EU Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the European Union, including the Data Protection Directive, the GDPR, the e-Privacy Directive and the e-Privacy Regulation;

Model Clauses” mean the Standard Contractual Clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, as adopted by the European Commission Implementing Decision of June 4, 2021; or alternatively the Standard Contractual Clauses (Controller to Processor) as set out in the European Commission Decision of 5 February 2010 (C (2010) 593), until such time as they are no longer valid on December 27, 2022;

Regulator” means the data protection supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data; 

Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”) and the United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this DPA include Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Any capitalized terms used but not defined herein shall have the meaning given to them in the Agreement. 

2. Processing of personal data

2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the “Data Controller”, Cakemail is the “Data Processor” and that Cakemail will engage “Sub-Processors” pursuant to the requirements set forth in Section 8 below. 

2.2 The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 “Processing Details” of this DPA. 

2.3 The Data Processor shall only process the Personal Data on behalf of and in accordance with documented instructions from the Data Controller. The Parties agree that this DPA is Client’s complete and final instructions to Cakemail in relation to processing of Client Data. The Data Controller shall ensure that its instructions comply with all Applicable Data Protection Laws, and that the Processing of Personal Data in accordance with Data Controller’s instructions will not cause Data Processor to be in breach of the Applicable Data Protection Laws. The Data Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Data Controller acquired Personal Data and shall establish the legal basis for Processing under Applicable Data Protection Laws.

2.4 Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws. 

3. Authorized personnel

3.1 The Data Processor shall ensure that its personnel authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement. 

4. Rights of data subjects

4.1 The Data Processor shall, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to its own Personal Data, or for the rectification or erasure of such Personal Data or any other request or query from a Data Subject relating to its own Personal Data (including Data Subjects’ exercising rights under Applicable Data Protection Laws, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making) (a “Data Subject Request”). Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, to the extent the Data Controller, in its use of the Services, does not have the ability to address a Data Subject Request, the Data Processor shall upon Data Controller’s request provide commercially reasonable efforts to assist the Data Controller in responding to such Data Subject Request, to the extent the Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, the Data Controller shall be responsible for any costs arising from the Data Processor’s provision of such assistance.

5. Government access requests

5.1 The Data Processor shall promptly notify the Data Controller about any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited from doing so. The Data Controller shall have the right to defend such action in lieu of and/or on behalf of the Data Processor. The Data Processor shall reasonably cooperate with the Data Controller in such defense.

6. Security

6.1 The Data Processor shall implement and maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.

7. Compliance

7.1 The Data Processor shall take reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws. Upon Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfil Data Controller’s obligation under the GDPR to carry out a data protection impact assessment related to Data Controller’s use of the Services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the Regulator in the performance of its tasks relating to Section 7 of this DPA, to the extent required under the GDPR and Applicable Data Protection Laws.

8. Sub-processing

8.1 The Data Controller agrees that the Data Processor may engage Sub-Processors to Process Personal Data. The Sub-Processors currently engaged by Cakemail and authorized by the Client are listed in Schedule 2 “List of Sub-Processors”

8.2
The Data Processor shall ensure that such Sub-Processor has entered into a written agreement requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA. The Data Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by the Data Processor.

8.3
The Data Processor shall make available to the Data Controller a list of Sub-Processors authorized to Process Personal Data (“Sub-Processor List”, currently found in Schedule 2) and provide the Data Controller with a mechanism to obtain notice of any updates to the Sub-Processor List. Notification of a new Sub-Processor shall be issued prior to such new Sub-Processor being authorised to Process Personal Data in connection with the Agreement. 

8.4 The Data Controller may object to Data Processor’s use of a new Sub-Processor where there are reasonable grounds to believe that the new Sub-Processor will be unable to comply with the terms of this DPA or the Agreement. If the Data Controller objects to Data Processor’s use of a new Sub-Processor, the Data Controller shall notify the Data Processor promptly in writing within ten (10) days after notification regarding such Sub-Processor. Data Controller’s failure to object in writing within such time period shall constitute approval to use the new Sub-Processor. The Data Controller acknowledges that the inability to use a particular new Sub-Processor may result in delay in providing the Services, inability to provide the Services or increased fees. The Data Processor will notify the Data Controller in writing (including by email) of any change to the Services or fees that would result from Data Processor’s inability to use a New Sub-Processor to which the Data Controller has objected. The Data Controller may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. The Data Processor shall have a right to terminate the Agreement if the Data Controller unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the Agreement implementing changes in fees or the Services resulting from the inability to use the Sub-Processor at issue. shall take reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws. Upon Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfil Data Controller’s obligation under the GDPR to carry out a data protection impact assessment related to Data Controller’s use of the Services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the Regulator in the performance of its tasks relating to Section 7 of this DPA, to the extent required under the GDPR and Applicable Data Protection Laws.

9. Return and deletion
9.1 The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of the Services relating to Processing, and delete existing copies of the Personal Data unless prohibited by law or the order of a governmental or regulatory body or it could subject the Data Processor to liability.  

9.2 The Data Controller acknowledges and agrees that the Data Processor shall have no liability for any losses incurred by the Data Controller arising from or in connection with Data Processor’s inability to provide the Services as a result of Data Processor complying with a request to delete or return Personal Data made by the Data Controller pursuant to Section 9.1.
10. Data breach
10.1 In the event there is, or Data Processor reasonably believes that there is, any improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under or in connection with this DPA and/or the Agreement (“Data Breach”), then upon becoming aware of such Data Breach, Data Processor shall promptly notify the Data Controller and provide the Data Controller with the following information as it becomes available:
  • a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned;
  • the name and contact details of the Data Processor contact from whom more information can be obtained; and
  • a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
10.2 The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Data Breach, provided that nothing in this Section 10.2 shall prevent either party from complying with its obligations under Applicable Data Protection Laws.
11. International transfers
11.1 The Data Processor will only process data in, or transfer Personal Data to, a Third Country where such processing or transfer takes place based and in compliance with the Model Clauses, with the processing details that comprise Appendix 1 to the Model Clauses, and the technical and organizational security measures that comprise Appendix 2 to the Model Clauses. The Data Processor shall comply with the obligations of the data importer and Data Controller shall comply with the obligations of the data exporter as set out in the Model Clauses.

11.2 Where the Data Processor appoints an affiliate or third-party Sub-Contractor to process Personal Data in a Third Country, the Data Processor must ensure that such processing takes place in accordance with the requirements of the Applicable Data Protection Laws. The parties agree that Personal Data may be transferred to an affiliate or third-party Sub-Contractor in the United States who agrees to process Personal Data according to the Model Clauses.
Schedule 1: Processing details

Processing Activities
The Personal Data Processed by Data Processor will be subject to the following basic Processing activities: 

Provision of the Services, as outlined in the Agreement and as otherwise agreed upon by the Parties.

Duration 
The Personal Data Processed by Data Processor will be Processed for the following duration: 

The length of the Term of the Agreement between Data Controller and Data Processor.

Data Subjects
The Personal Data Processed by Data Processor concern the following categories of Data Subjects: 
Clients and their Subscribers, as those terms are defined in the Agreement or the Cakemail Privacy Policy at https://www.cakemail.com/legal/privacy-policy, and Cakemail website visitors.

Categories of Data
The Personal Data Processed by Data Processor includes the following categories of data: 

Client information: 
- Contact information (First name, Last name, Phone, Email)
- Address (includes civic address, city / town, postal code, country)
- Invoicing and billing information (credit card holder name, number, expiration date, CVV number and billing address)

Subscriber information:
- First name, Last name
- Email

Analytics information: 
- Unique analytics identifiers
- IP addresses

Advertising information: 
- Unique advertising identifiers

Special Categories of Data (if applicable)
The Personal Data Processed by Data Processor concern the following special categories of data:

None by default.

Schedule 2: List of sub-processors

Amazon AWS (hosting, storage of Personal Data)
Canada
https://aws.amazon.com/privacy/

Stripe (payment processing)
United States
https://stripe.com/privacy

Freshsales (CRM)
United States
https://support.freshsales.io/support/solutions/articles/233227-privacy-policy

eHawk  (Anti spam or fraud detection)
United States
https://www.ehawk.net/support/privacy/index.php

Postmastery (Delivery data analytics)
Netherlands
https://www.postmastery.com/privacy-statement/

250ok  (Delivery data analytics)
United States
https://www.validity.com/privacy-policy/

Typeform (collection of Personal Data)
United States
https://admin.typeform.com/to/dwk6gt/

Zendesk (CRM and Client support via email and chat)
United States
https://www.zendesk.com/company/agreements-and-terms/privacy-policy/

Olark (CRM and Client support)
United States
https://www.olark.com/privacy-policy

Leadinfo (CRM)
United States
https://www.leadinfo.com/en/privacy/

OVH (data processing, storage)
Canada
https://www.ovh.com/ca/en/support/privacy-policy.xml

iWeb (data processing)
Canada
https://iweb.com/legal/privacy

Slack (client support via chat)
United States
https://slack.com/legal

Google Cloud (storage, database processing), Google (mail), Google (analytics), Google (advertising)
United States
https://policies.google.com/privacy

Amplitude (analytics)
United States
https://amplitude.com/privacy

Segment (analytics)
United States
https://segment.com/legal/privacy/

AppCues (onboarding optimization)
United States
https://www.appcues.com/privacy

PartnerStack (affiliation program management)
United States
https://partnerstack.com/policies#privacy-policy

Get email marketing insights sent right to your inbox.