We are committed to our users’ rights to privacy. We promise to share transparently all aspects of how the Buffer product and website work in regards to privacy, terms, and personal data, and we are in full support of efforts to ensure your protection online.
The following is a collection of information and resources to help answer any questions you have about your experience with Buffer. We’re grateful for your interest and proud to have you as a part of our community!
The EU’s General Data Protection Regulations (GDPR) take effect May 25, and we are fully behind the spirit of these regulations for a safe and secure Internet. We aspire to embrace privacy by design and, whenever possible, to not collect and store personally-identifiable information.
Overall, we aim for privacy by default: if data collection is not integral to the way our product works, then we won’t collect it. This approach has felt very much in line with the spirit of GDPR, and we’re fortunate that a lot of these data collection practices have been in place at Buffer for some time. As such, you may see few banners or forms requesting consent for us to collect personally-identifiable information for tracking or other purposes. We don’t deem this information necessary to provide Buffer’s service to you, and we choose not to engage in activities and strategies that make this data relevant.
At any time, you may request your information to be exported and sent to you for review, and we promptly honor any requests by you to have your information deleted and forgotten.
Here is our progress so far on GDPR compliance ahead of the May 25, 2018, deadline:
Data MappingStatus: Complete
We are auditing all areas of Buffer to determine what personal data we collect and for what purpose. In a case where collecting personal data is not essential, we are removing that collection process.
We’re working with a legal consultant to ensure that our policy contains the proper language, that it’s easy to understand, and that it communicates clearly any instances of personal data collection.
We have added a cookie notice to all marketing pages and blogs in order to comply with the E-Privacy Directive. We do not collect personally-identifiable information with our cookies, but we do want to acknowledge the use of cookie technology on our website.
A user has the right to request that we delete all of their personal data. Users who wish to inquire about the right to be forgotten will be able to reach out to us at any time.Delete my data
Access / PortabilityStatus: Complete
A user can request access to a copy of the personal data that we have collected. Users who wish to request portability can reach out to us at any time.Get in touch
In Buffer, if a user asks to change their information, we can do so within our admin portal. If a user has a modification to make, they can reach out to us at firstname.lastname@example.org.
Data Protection AgreementStatus: Complete
We are creating a legal agreement that users and external parties can receive from us, promising the protection all personally identifiable information that we collect and store.See the full agreement
Within Section 7 of our DPA, we commit to displaying a list of all current sub-processors in use by Buffer. A sub-processor includes any third party that we share personally identifiable info with.
Here is that list:
- MongoDB, Atlas
Like many websites, we also use "cookie" technology to collect additional website usage data and to improve the Site and our Service. A cookie is a small data file that we transfer to your computer's hard disk. A session cookie enables certain features of the Site and our service and is deleted from your computer when you disconnect from or leave the Site. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Site. Persistent cookies can be removed by following your web browser help file directions. Most Internet browsers automatically accept cookies. Buffer may use both session cookies and persistent cookies to better understand how you interact with the Site and our Service, to monitor aggregate usage by our users and web traffic routing on the Site, and to improve the Site and our Service.
We may also automatically record certain information from your device by using various types of technology, including “clear gifs” or “web beacons.” This automatically collected information may include your IP address or other device address or ID, web browser and/or device type, the web pages or sites that you visit just before or just after you use the Service, the pages or other content you view or otherwise interact with on the Service, and the dates and times that you visit, access, or use the Service. We also may use these technologies to collect information regarding your interaction with email messages, such as whether you opened, clicked on, or forwarded a message, to the extent permitted under applicable law.
You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. Please note that if you delete, or choose not to accept, cookies from the Service, you may not be able to utilize the features of the Service to their fullest potential.
Frequently asked questions about GDPR and Buffer
Q: As a social media marketer, how will the GDPR affect me?
A: If you are a business with customers in the EU, the GDPR will be applicable to you when you are handling personal data of your EU customers. We recently published this blog post about what it means for social media marketers. We hope you find it useful, but advise you to consult a legal advisor to ensure you are compliant.
Q: Does the GDPR change how I can use Buffer?
A: No. Buffer’s features and functionality are unaffected by the GDPR.
Q: How does Buffer collect data—by e-mail, electronic forms, activity tracking, etc.?
A: We primarily collect data when a user sign-up for Buffer services. Where data tracking is enabled we make sure that we do not collect any personally identifiable information.
- Increased clarity on what personally identifiable information is collected and why
- Increased clarity on the storage and duration of personally identifiable information
- Clarity on what types of content may be considered hate speech or threatening
- Updated process for account suspension or removal