EU Privacy and Data Protection

Last updated: May 14th, 2018


Privacy and security has always been a priority for us. Our Privacy Policy and Terms of Use documents cover most of what you need to know about how we use personal information that is provided to us, but we wanted to be extra clear about our practices as they relate to recent EU privacy legislation.

Unless otherwise defined in this document, terms used in this document have the same meanings as in our Privacy Policy and Terms of Use.


If you use the Internet, GDPR affects you. Curated has made significant changes to become GDPR compliant and to help our customers make their newsletters compliant as well.

What is GDPR?

To quote the official GDPR website:

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

Put more simply, GDPR outlines some rules around how companies process the data of individuals, and has scary fines for non-compliance.

In light of this new regulation, here are the details about how we handle your data and how you can access it.

Security and Data Center Location

Curated’s servers are located in the UK and are provided by Brightbox Systems. Our databases are backed up hourly, and those hourly backups are stored for one week. The databases are also backed up daily, and those daily backups are kept for 30 days. All backups are stored on Amazon S3 in the UK.

Data Retention

We collect and retain the following information from our customers:

  • Full name
  • Email
  • Time zone
  • Billing address
  • IP address

We collect and retain the following information from our customers’ subscribers:

  • Email
  • Opt-in, aka consent (timestamp and source)
  • IP address
  • Number of opened newsletters
  • Number of newsletter links clicked

We collect this information for the purpose of providing the Curated newsletter products and services, identifying and communicating with customers, responding to customer requests/enquiries, getting paid for use of our products and services, and improving our products and services.

List of Sub-processors

As noted in our Privacy Policy, we may employ third party companies or service providers and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services and/or to assist us in analyzing how our Service is used.

These third parties have access to your Personal Information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.

GDPR defines third party companies and service providers like these as “sub-processors”.

Where applicable, we’ve linked to each sub-processor’s policies; we recommend reading each one to make sure you’re OK with us sharing some of your data with them.

  • We use SparkPost to send the newsletters.
  • We use Stripe to process our customers’ payments for our Service.
  • We use MaxMind’s GeoIP2 product to approximate the location of our customers’ subscribers (countries and cities only).
  • We use Litmus Email Analytics to track opens and clicks for our newsletters.
  • We use Google Analytics to track visits to our website and our customers’ publication websites, but only if the visitor has consented to being tracked.

If you have specific questions about what data we send to any of those services, contact us using the information below and we’ll be happy to explain in more detail.

Access to Your Information (DSR Requests)

Another term that GDPR defines is “Data subject”. Put simply, a data subject is the individual whom particular personal data is about. A DSR (Data Subject Rights) request is when an individual asks a data controller (in this case, that could be Curated or a Curated customer) to take action on their personal data. An example of a DSR request would be if a Curated customer asks for an export of all the data we’ve collected about them, or to permanently delete all the information we’ve collected about them.

We plan on processing these requests manually, though we’ve built some tools to allow our customers to access, correct, amend, or delete most of their data themselves.

We will give an individual, either a Curated customer or a subscriber, access to any personal information we have about them within 30 days of any request for that information, and we won’t charge anything to process these requests. Individuals may request to access, correct, amend or delete information we hold about them by contacting us using the information below. Unless prohibited by law, we will remove any Personal Information about an individual, either a Curated customer or a subscriber, from our servers at their request.

Contact Us

If you have any questions about these terms, please contact us at or 2527 Broad Avenue, Memphis, TN 38112, US.

Start sending your newsletter with Curated. It’s free for up to 1,500 subscribers.

Get Started