GDPR

Learn about our commitment to data privacy and processing.

What is GDPR?

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and is a European Union regulation focused on protecting privacy and personal data for individuals within the EU. Read the full overview here.

This regulation dictates how personal data is collected, processed, and stored. It affects everyone in the EU, as well as online businesses (regardless of location) that sell products and/or collect any personal information from customers and site visitors in the EU.


All affected website owners must:

  • Alert visitors when their information is collected and stored
  • Explain how the data is used
  • Give the option to delete personal information
  • Provide visitors with information on data importers and subprocessors 



Without Code and GDPR


We take GDPR very seriously and have adjusted our data collection methods and Privacy Policy to ensure the privacy and data protection of our site visitors. We also continue to improve our systems in our commitment to this data privacy. The following information serves to educate you about the requirements of GDPR and provide clear information about our practices and policies.

 

Disclaimer: The content presented on this page is for informational purposes only and should not be taken as legal advice. GDPR is a highly complex subject with many variations that are unique to each EU member state. To ensure compliance in a specific member state, we recommend consulting a legal / privacy expert in that location to determine how GDPR may apply to your specific organization.

Law 25


Law 25 was put into effect on September 22, 2022. Law 25 (originally called Bill 64) has been introduced in the Canadian province of Quebec and is intended to modernize and unify personal data privacy protection. The law is intended to align Quebec's privacy laws with the European Union's General Data Protection Regulation (GDPR).


Law 25 is more stringent than GDPR and provides a private right of action. This means that citizens protected under Quebec's privacy laws can take legal action (including collective action) against businesses that breach or infringe upon their rights under Law 25. While this law protects residents of Quebec, the extent of the law should be considered by any business with customers in Quebec. This means that international stores operating online must comply, even if they have just a single customer from the province of Quebec.


This page is not intended to explain what is required for full compliance with Law 25. But if you operate a website or store that has customers in Quebec, it is crucial that you comply with Law 25. In such cases, we highly suggest using cookie compliance software on your site. It is the business of cookie compliance companies to understand and comply with privacy laws such as Law 25.


To learn more about Law 25, visit quebec.ca. And to learn more about how to make sure your site is in compliance with Law 25, contact your cookie compliance provider. Also see our list of providers in the article below.

Select a Topic to Explore

01: Data Management

Explore what data Without Code manages and collects about you and your site visitors.

02: Cookies

Learn about how we use cookies, and what your requirements are for client websites.

03: Builder Compliance

See how Without Code sites can be made GDPR compliant using built-in or third-party tools.


01: Data Management

How does Without Code collect and store your information?

Without Code acts as the data processor for your master user account, including the name, email, and username for your master user account, the username and email for sub-users attached to your account, and the billing details for any purchases. This is all for the purposes of account setup and continued use.


In addition, we may collect automatically received browser or mobile platform information, including your location, IP address, cookie information, and activity on the site. Analytics, including IP addresses, are anonymized wherever possible. This information is processed in order to enhance the functionality of our site and services.

 

Finally, our website creation component acts as a subprocessor for some of your data, including analytics information, contact form submissions, and ecommerce information.




How does Without Code collect and store your site visitors' information?

Personal information collected by us about site visitors is used for operational needs to provide the service; this is never shared externally. Analytics, contact form submissions, and ecommerce information are collected and transferred by subprocessors.

 

  • Analytics: This includes Google Analytics and other internal analytics. The IPs are anonymized, and they can also be disabled; send the Without Code team an email requesting this.

  • Contact Form: When you add a contact form to your site, the submitted personal information will be stored. This feature allows you to retrieve form responses, which can be deleted from your account at any time.

  • Ecommerce: Customer information will be collected and disclosed to the third-party ecommerce platform (Ecwid) when purchasing from your store. Customers provide consent when entering information; this allows you to retrieve customer, order, and billing information for the purposes of selling products and/or services. This information is retained during the period of the contract and can be deleted directly through your site editor.

 


How do I update or delete my data?

Any requests for update or deletion of a master account, billing information, and sub-user information can be made to Without Code at any point. We will provide written confirmation that this has been updated or removed from our system, as well as that the relevant items have been updated or removed from our web creation component.

 

  • Analytics: Send us an email requesting that the analytics feature be disabled, and we will provide written confirmation that this has been done.

  • Contact Form: You can delete any form responses from your account; simply visit your site editor, enter the Content tab, and select “Manage Form Responses.”

  • Ecommerce: You can remove customer and site visitor data right from your site editor. To delete information for someone who purchased/signed up for information through your Ecwid store, simply visit the control panel and delete the customer profile, along with any orders or other information from them.

 

Note: do not delete information needed for order fulfillment or required for other legal reasons.



International Transfer of Data

Overview


We may transfer and process your data, as well as your site visitors' data, out of the EU and/or Switzerland to another country. This transfer is required for account sign-up and continued use of the site builder, ecommerce, and a variety of widgets, as well as additional resources provided on our website. According to the GDPR, you are known as the data exporter, Without Code is known as the data importer, while our website creation component and other third-party companies act as subprocessors on our behalf. Through Standard Contractual Clauses (SCC), you agree to allow us to transfer your data on your behalf and we guarantee that Without Code, along with our subprocessors, provide an adequate level of data protection. The SCCs also lay out the path for claims of compensation for your end users.


Data Processing Agreement


Obtain a Data Processing Addendum (DPA) and the relevant SCCs between Without Code, as the Data Importer, and you, as the Data Exporter, here. These agreements have been pre-signed by Without Code and can be digitally signed by customers using our signature provider, HelloSign.


Click to sign our Data Processing Addendum


Subprocessors


Without Code uses the following subprocessors for our core application, as well as supporting systems. You may request a copy of a signed agreement between Without Code and a subprocessor by emailing info@wocode.com. In the event that a subprocessor provides their agreements in their Terms of Use or Privacy Policy, Without Code will send the relevant URL for your reference.

Core Application


Siteground (SG Hosting Inc.)

Cloud Hosting & Data Storage (app.wocode.com), Email Hosting

Data Location: Iowa, USA


Duda, Inc.

Cloud Website Creation and Hosting Services 

Location: California, USA


Google Inc.

Cloud Hosting & Data Storage (WOC Media Drive), Visitor Analytics

Location: California, USA


Stripe, Inc.

Payment Processing and Card Storage

Location: California, USA



Supporting Systems


Help Scout (Help Scout PBC)

Customer Support and Ticketing

Location: Boston, USA


Dropbox, Inc.

Cloud File Storage

Location: California, USA


JotForm, Inc.

Data Collection Forms (Customer Communication)

Location: California, USA


SendGrid (Owned by Twilio, Inc.)

Email Delivery Services

Location: California, USA


Xero, Inc

Purpose: Cloud Based Accounting & Bookkeeping

Location: New Zealand



Slack Technologies, Inc. 

Customer & Internal Communications

Location: California, USA


Tucows.com Co.

Email Hosting Services

Location: Toronto, Canada


Facebook, Inc.

Advertising

Location: California, USA


Campaign Monitor

Email Marketing / Communications

Location: New South Wales, Australia


HelloSign

Contract Delivery and Signatures

Location: California, USA




Cookies & Consent

Learn about storing cookies and obtaining consent

02: Cookies 

What are cookies and how do they apply to GDPR?

Cookies are small data files that are stored on a user's computer when they visit a website. They contain data specific to that user or website and are often used to track a user's progress through a site (e.g. the items in their cart during a checkout) or to record browsing activity / analytics such as which buttons are clicked, or what pages they have visited in the past.

Cookie policy is not governed by the GDPR, but rather by the ePrivacy Directive. For the purpose of this article we will refer to the requirements related to cookies as the Cookie Law.

What is the Cookie Law?

The Cookie Law requires that website visitors give consent prior to a third-party cookie being placed on their computer (first-party cookies are exempt). This is typically achieved through the use of a banner or notification informing users of the website's Cookie Policy. Consent must be a clear and defined action. Common consent actions may include:
  • Navigating beyond a cookie banner or scrolling through the page
  • Clicking a button agreeing to the cookie policy
  • Closing or dismissing the banner
Your Cookie Policy must detail the purpose for the installation of cookies, and outline the category and purpose of all third-party cookies, including links to their respective privacy policies. You are not required to list each individual third-party cookie.

What are exempt (or first-party) cookies?

First-party cookies are exempt from the consent requirements, and can be placed on a computer without prior consent. Cookies that fall into this category are typically those used to remember a user's data and preferences. These may include:
  1. Cookies that are necessary to provide the requested service, such as session ID cookies, authentication cookies, UI customization cookies and social media content sharing cookies.
  2. Statistical cookies that are managed by your business and are not used for personal data tracking (i.e. cannot be used to identify a specific user).

What are third-party cookies?

Third-party cookies are those set and controlled by companies outside of your own. These typically include cookies for advertisements, analytics or embedded services (such as video or audio players). Consent is required before your website can place a third-party cookie on a user's website.

You are not required to list each individual third-party cookie used on your site; however, you do need to clearly outline their purposes and general category. The law does not require that you manage consent for all third-party cookies directly, but rather that you inform users of their usage and link to their individual privacy policies. This approach gives users the ability to disable / withdraw consent through the individual service providers.

What cookies are being used on the Without Code website I built?

By default, a website generated by Without Code does not include any third-party cookies that need prior consent. We use various first-party cookies that are exempt from the consent requirements and are not used to track user data.


As the site designer, it is your responsibility to ensure that, if you integrate third-party services such as Google Analytics or YouTube videos, you are aware of their cookie practices and take the appropriate steps to comply with privacy regulations. All major third-party service providers have integrated GDPR compliant options into their services.


For example, YouTube videos should be embedded using "Privacy-Enhanced mode" to avoid the use of tracking cookies. Embeds should reference the URL "www.youtube-nocookie.com" instead of the standard www.youtube.com. More information is available here.
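The rewrite described above, as an added example (not Without Code's or YouTube's own code): a JavaScript helper that converts standard YouTube links and iframe `src` values to the privacy-enhanced host. The 11-character video ID pattern, the sample ID `abcDEF12345` and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: normalise YouTube embeds to the privacy-enhanced host.
const NOCOOKIE_HOST = "www.youtube-nocookie.com";
const YOUTUBE_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"]);
const VIDEO_ID = /^[\w-]{11}$/; // assumption: IDs are 11 URL-safe characters

// Returns the privacy-enhanced embed URL, or null when the input is not a
// recognisable YouTube video link, so unrelated URLs are never rewritten.
function toPrivacyEnhancedEmbed(rawUrl) {
  let url;
  try {
    // Protocol-relative embeds ("//www.youtube.com/...") are upgraded to https.
    url = new URL(rawUrl.startsWith("//") ? "https:" + rawUrl : rawUrl);
  } catch {
    return null;
  }
  if (url.hostname === NOCOOKIE_HOST) return url.href; // already privacy-enhanced
  if (!YOUTUBE_HOSTS.has(url.hostname)) return null;   // exact host match only

  let id = null;
  let query = "";
  if (url.hostname === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (url.pathname === "/watch") {
    id = url.searchParams.get("v");
  } else if (url.pathname.startsWith("/embed/")) {
    id = url.pathname.slice("/embed/".length);
    query = url.search; // keep player parameters of an existing embed
  }
  if (!id || !VIDEO_ID.test(id)) return null;
  return `https://${NOCOOKIE_HOST}/embed/${id}${query}`;
}

// Rewrites the src of every <iframe> in an HTML string (double-quoted src only).
function rewriteEmbeds(html) {
  return html.replace(/(<iframe\b[^>]*?\bsrc=")([^"]+)(")/gi,
    (match, head, src, tail) => {
      const fixed = toPrivacyEnhancedEmbed(src);
      return fixed ? head + fixed + tail : match;
    });
}

// Constructed sample markup: one standard YouTube embed, one unrelated frame.
const SAMPLE_HTML =
  '<iframe width="560" src="https://www.youtube.com/embed/abcDEF12345?rel=0"></iframe>' +
  '<iframe src="https://example.com/widget"></iframe>';

console.log(rewriteEmbeds(SAMPLE_HTML));
```

Run it over exported page markup before publishing; any frame it leaves untouched is either already on the privacy-enhanced host or not a YouTube embed.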


Google Analytics may track personal user data, such as IP addresses and geographic information. This is considered personally identifiable information and is subject to prior consent. To avoid this, we highly recommend enabling IP anonymization. More information is available here. Learn how to enable IP anonymization through Google Tag Manager in this video tutorial.


If you have any questions about a third-party service and their GDPR practices, it's best to contact them directly. Without Code cannot act as an intermediary between our end-users and third-party service providers (your subprocessors).




Builder Compliance

See how websites built on Without Code can be made compliant using our built-in tools.

03: Builder Compliance

What tools are available from Without Code to enable me to build a compliant website?

The Without Code website builder was upgraded in early 2018 to integrate new tools and procedures to simplify GDPR compliance. We will actively continue to develop new tools and integrate services to help you build GDPR compliant websites.


Privacy Pages

A comprehensive privacy page is essential for GDPR compliance, and the Without Code builder makes creating one easy: in your builder, visit the Settings section and click “Privacy Settings”; from here you can customize a privacy page for your business. Alternatively, you can manually create a privacy page by creating a new standard page.

Cookie Notifications

The Without Code website builder comes integrated with a cookie notification bar that can be used to inform users of your cookie policies. This bar assumes that no third-party cookies are being used in the site, as it does not have the ability to control the placement of a cookie prior to consent.

In the event that you are using a third-party service that is making use of cookies, we recommend integrating an outside cookie solution, such as Cookiebot. Cookiebot can be configured to allow cookies to be delayed until consent is given. Please note that each third-party service will use cookies differently, and we are unable to provide a guide explaining how to individually delay the placement of cookies.

We highly recommend using Google Tag Manager (GTM) to integrate all third-party services if possible. This will simplify the enabling / disabling of cookies based on user consent, since most third-party scripts can be toggled and managed by GTM. 

Contact Forms

In order to remain compliant, you must have permission from site visitors to collect their information, and you must delete this information upon request. Contact forms in the builder include the option to add an “opt-in” checkbox. This ensures that your site visitors agree to submit their information when using forms; the checkbox can be customized to include privacy information, as well as link directly to your privacy policy. Any form responses can be deleted from your account by selecting the Content tab and clicking “Manage Form Responses.”




Helpful Resources

General Information

GDPR - Complete Regulation

https://gdpr-info.eu/


iubenda - GDPR Compliance Tools / Documentation

https://www.iubenda.com/en/help/5428-gdpr-guide


GDPR Compliance Checklist

https://gdprchecklist.io
