August 19, 2022

Gumroad: the do’s and don’ts of complying with the GDPR

As a data protection advocate selling products on Gumroad (Notion templates and product membership among others), I’ve wondered how to comply with the GDPR while using the platform.

The risk is a heavy fine from European data protection authorities, oscillating around four digits for private individuals. But let’s not talk about upsetting things.

Let's talk instead about what to do to use Gumroad risk-free:

1. Inform your customers about what you do with their data

This first step is easy. For each of your products, you will need to include in the checkout email an information notice about what you do with your customers’ personal data, so that they receive this information when they purchase the product.

There are two ways to do so:

👉 Either fill in the Receipt text field

Go to your Gumroad dashboard. Open a product page, go to the « Checkout » section and personalize the « Receipt » text field with something similar to what I do with The Nomad Planner:

« Your personal information will be processed for billing requirements, updates and promotional purposes. If you wish to object, please reply to this email. »

⚠️ If one of your customers objects, make sure to never send them an email again.

However, this feature is no longer available to every Gumroad creator. If you don’t have it on your dashboard, use the next option instead.

👉 Or set an automatic email

Open the « Workflow » tab in the « Posts » section of the left menu. Click the « New workflow » button and create a workflow dedicated to « Post purchase emails » for your new customers.

Set up an automatic email to be sent 1 hour after their purchase like the following:

« Thank you for your purchase 🙌 Your personal information will be processed for billing requirements, updates and promotional purposes. If you wish to object, please reply to this email. »

And if you have a Privacy Policy on your website, kindly invite your customers to read it:

« To learn more about the management of your personal data and to exercise your rights, please refer to our Privacy information notice. »

2. Never send your customers a personal newsletter

When a customer purchases one of your products, you collect their email address, which you can then use to create and send email workflows directly from Gumroad.

Surprisingly or not, you are not allowed to send them your personal newsletter. But what can you send them then?

  • Updates and marketing emails about the product they purchased
  • Promotional emails about a product you’re selling similar to the one they purchased

And that’s it.

To send your customers a personal newsletter or promotional emails about different products, you will need to collect their dedicated and explicit consent like below:

To do so, go to your Gumroad dashboard. Open a product page, go to the « Checkout » section and personalize the « Payment form » by adding custom fields with optional checkboxes:

  • « I would like to receive promotional communications »
  • « I would like to subscribe to the newsletter » 

⚠️ If one of your customers doesn’t check the box, make sure to never send them the corresponding emails.

3. Legally transfer your customers’ data to the US

Gumroad is located in the United States. However, under the GDPR you are not allowed to send your customers’ data outside the European Union and other approved countries unless you have a legal document stating that personal data will be protected.

The US is neither a European country nor an approved one, so you will need this legal document, called a Data Protection Agreement (DPA), signed between yourself and Gumroad.

To do so, send an email to support@gumroad.com like I did below and ask for a DPA:

« Hello Gumroad team,

Your Terms of Use specify that creators have to contact your support to get their hands on your Data Processing Agreement: https://gumroad.com/terms 

As I process personal data of European customers, I assume my activities on your website are subject to the GDPR. Here is my product: (link)

In that sense, a DPA including standard contractual clauses for transfers outside the EU is needed. Can you forward me that document in order to get compliant?

Thank you very much

Best Regards »

Gumroad’s support team will answer with the document and ask you to confirm your agreement by email.

Now that you’ve mastered these 3 steps, get back to making awesome products that you can sell on Gumroad the GDPR-friendly way 😉
