EU Privacy and Data Protection

Last Updated May 29, 2018


Privacy and security is a priority for us. Our Privacy Policy and Terms of Use documents cover most of what you need to know about how we use personal information that is provided to us, but we wanted to be extra clear about our practices as they relate to recent EU privacy legislation.

Unless otherwise defined in this document, terms used in this document have the same meanings as in our Privacy Policy and Terms of Use.


If you use the Internet, GDPR affects you. Ballpark has made significant changes to become GDPR compliant.

What is GDPR?

To quote the official GDPR website:

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

Put more simply, GDPR outlines some rules around how companies process the data of individuals, and has scary fines for non-compliance.

In light of this new regulation, here are the details about how we handle your data and how you can access it.

Security and Data Center Location

Ballpark’s servers are located in the US and are managed by Heroku. Our databases are backed up daily, and those daily backups are stored for one week. The databases are also backed up weekly, and those weekly backups are kept for 30 days. All backups are stored by Heroku. You can learn more about Heroku’s data architecture here.

Data Retention

We collect and retain the following information from our customers:

  • Full name
  • Email
  • Company name

We collect this information for the purpose of providing the Ballpark Service, identifying and communicating with our customers, responding to our customer requests/enquiries, getting paid for use of our products and services, and improving our products and services.

List of Sub-processors

As noted in our Privacy Policy, we may employ third party companies or service providers and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services and/or to assist us in analyzing how our Service is used.

These third parties have access to your Personal Information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.

GDPR defines third party companies and service providers like these as “sub-processors”.

Where applicable, we’ve linked to each sub-processor’s policies; we recommend reading each one to make sure you’re OK with us sharing some of your data with them.

  • We use Stripe to process our customers’ payments for our Service.
  • We use Mandrill, a Mailchimp product, to send transactional emails (like invoices, receipts and notifications).
  • We use Google Analytics to track visits to our website, but only if the visitor has consented to being tracked.
  • We use Intercom to provide customer support and to communicate with customers that are logged into the Service.

If you have specific questions about what data we send to any of those services, contact us using the information below and we’ll be happy to explain in more detail.

Access to Your Information (DSR Requests)

Another term that GDPR defines is “Data subject”. Put simply, a data subject is the individual whom particular personal data is about. A DSR (Data Subject Rights) request is when an individual asks a data controller to take action on their personal data. An example of a DSR request would be if a Ballpark customer asks for an export of all the data they have entered into Ballpark, or to permanently delete all the information they’ve entered into Ballpark.

We plan on processing these requests manually, though we’ve built some tools to allow our customers to access, correct, amend, or delete most of their data themselves.

We will give a Ballpark customer access to any personal information we have about them within 30 days of any request for that information, and we won’t charge anything to process these requests. Individuals may request to access, correct, amend or delete information we hold about them by contacting us using the information below. Unless prohibited by law, we will remove any Personal Information about an individual from our servers at their request.

Contact Information

If you have any questions or concerns about this document, please contact us by email at or by mail at 2527 Broad Avenue, Memphis, TN 38112, US.