As a data protection advocate selling products on Gumroad (Notion templates and product membership among others), I’ve wondered how to comply with the GDPR while using the platform.
The risk being a heavy fine coming from European Data Protection authorities, oscillating around 4-digits for private individuals. But let’s not talk about upsetting things.
Let's talk instead about what to do to use Gumroad risk-free:
This first step is easy. For each of your product, you will need to include in the email checkout an information notice about what you do with your customers’ personal data, so that they will receive this information when they purchase the product.
To do so, you have two ways:
👉 Either fill in the Receipt text field
Go to your Gumroad dashboard. Open a product page at section « Checkout » and personalize the text field « Receipt » with something similar to what I do with The Nomad Planner:
« Your personal information will be processed for billing requirements, updates and promotional purposes. If you wish to object, please reply to this email. »
⚠️ If one of your customer objects, make sure to never send them an email again.
However, this feature is no more available to every Gumroad creator. If you don’t have it on your dashboard, better use the next way.
👉 Or set an automatic email
Open the « Workflow » tab in the « Posts » section on the left menu. Click on the button « New workflow » and create a workflow dedicated to « Post purchase emails » for your new customers.
Set up an automatic email to be sent 1 hour after their purchase like the following:
« Thank you for your purchase 🙌 Your personal information will be processed for billing requirements, updates and promotional purposes. If you wish to object, please reply to this email. »
« To learn more about the management of your personal data and to exercise your rights, please refer to our Privacy information notice. »
When a customer purchases one of your product, you collect their email address that you can then use to create and send email workflows directly from Gumroad.
Surprisingly or not, you are not allowed to send them your personal newsletter. But what can you send them then?
And that’s it.
To send your customers a personal newsletter or promotional emails about different products, you will need to collect their dedicated and explicit consent like below:
To do so, go to your Gumroad dashboard. Open a product page at section « Checkout » and personalize the « Payment form » by adding custom fields with optional checkboxes:
⚠️ If one of your customer doesn’t check the box, make sure to never send them the concerned emails.
Gumroad is located in the United States. However, with the GDPR you are not allowed to send your customers’ data outside the European Union and other approved countries unless you have a legal document stating that personal data will be protected.
The US is not a European country nor an approved one, so you will need this legal document called a Data Protection Agreement (DPA) signed between yourself and Gumroad.
To do so, send an email to firstname.lastname@example.org like I did below and ask for a DPA:
« Hello Gumroad team,
As I process personal data of European customer, I assume my activities on your website is subject to the GDPR. Here is my product: (link)
In that sense, a DPA including standard contractual clauses for transfers outside the EU is needed. Can you forward me that document in order to get compliant?
Thank you very much
Best Regards »
To which Gumroad’s support team will answer with the document and ask you to confirm by email your agreement:
Now that you’ve mastered these 3 steps, get back to making awesome products that you can sell on Gumroad the GDPR-friendly way 😉