No matter what sector or line of business you’re in, it’s important to be aware of and understand the General Data Protection Regulation (GDPR). It’s a set of laws introduced by the EU which came into force in May 2018 setting out the obligations of organisations to handle personal data in a secure and transparent manner. Even though the UK is no longer a member of the EU, it has retained a UK-version of GDPR. GDPR therefore continues to apply to businesses established in both the EU and UK and any business that processes data of EU or UK citizens who are being offered goods or services or whose behaviour is being monitored.

We work hard at Turtl to ensure that every aspect of our own operations is GDPR-compliant, but we also want to make it easier for our customers and partners to achieve compliance in the use of our software. As such, we are fully committed to provisioning Turtl software with functionality to help you comply with GDPR.*

GDPR sets out seven principles which are summarised below along with information on how Turtl complies with each.


How Turtl complies

Lawfulness, fairness and transparency

Turtl allows you to embed your own CRM or Marketing Automation forms, including your own privacy policy and/or consent wording, meaning you can continue to manage GDPR compliance from your existing systems. Or if you prefer to use Turtl’s native forms, you can customise these by adding a link to your own privacy notice.

Purpose limitation

Turtl only processes personal data on your behalf as required for the purpose of providing our core services to you and measuring performance. These purposes will need to be covered by the terms of your own privacy policy. We also process a limited amount of personal data you provide us as a data controller, for example user login details, in accordance with the terms of our Privacy Policy.

Data minimisation

Turtl only processes personal data provided to us by you, as well as a limited set of analytics data generated by our software for the purposes of measuring performance.


The majority of information stored by Turtl is analytics data, which is very unlikely to be inaccurate or incomplete, or any personal data contained within Turtl Docs . Turtl will assist you as reasonably required to comply with any requests by data subjects to exercise their rights to rectify or erase personal data under GDPR.

Storage limitation

Turtl deletes personal data within 30 days of the end of a customer contract. This includes all data in production systems and in backup datasets.

Integrity and confidentiality

Turtl takes data security extremely seriously and has a complete set of controls in place to keep your data safe, including best-practice security measures and ISO27001 certification. For more information see here.


Turtl is transparent about its use of sub-processors, onward data transfers and, where relevant, any appropriate safeguards in place to enable you to document such use in accordance with GDPR.

If you have any further questions about how Turtl makes it easy for you to comply with GDPR when using our services, please get in touch.

*While Turtl takes steps to assist you to comply with GDPR, you will need to take your own legal advice to satisfy yourself that your intended use of our software complies with GDPR.