
Compliance

CampaignCanvas is built for GDPR and CAN-SPAM from the ground up: double opt-in, one-click unsubscribe, suppression enforcement, a consent audit trail, and right-to-erasure are all first-class features — not afterthoughts.

Double opt-in

Double opt-in (DOI) requires new signups to confirm their address by clicking a link in a confirmation email before they’re fully subscribed. It’s the gold standard for mailing list hygiene and is required by law in many jurisdictions (notably Germany).

Enabling DOI

DOI is a per-list setting. Open the mailing list editor and toggle Double Opt-In Required.

Flow

  1. Subscriber signs up via a form, the inline widget, or the subscribe-to-list field.
  2. Membership is created in PendingConfirmation state — they will not receive campaigns yet.
  3. A confirmation email is sent with a unique confirmation link. The email uses the tenant’s confirmation transactional template (see Transactional).
  4. The subscriber clicks the link. The landing page flips their membership to Subscribed and appends a consent entry.
  5. If the list has Send Welcome Email enabled, the welcome transactional email is dispatched.

Token security

  • Confirmation links use a purpose-specific token — an unsubscribe token cannot be used to confirm a signup and vice versa.
  • Tokens are signed with ASP.NET Data Protection and expire after 7 days. Expired links prompt the user to request a fresh one.
  • Tokens are one-time; the first successful use invalidates them.
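
The three properties above, sketched in Python as an added illustration (not CampaignCanvas code). An HMAC stands in for ASP.NET Data Protection; the demo key, the claim names and the in-memory set of spent token ids are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)   # assumption: demo key; a real service persists and rotates it
LIFETIME = 7 * 24 * 3600        # 7 days, the expiry stated above
_spent = set()                  # assumption: in-memory record of already-used token ids

def _mac(purpose, body):
    # The purpose is part of the MAC input, so a token minted for one
    # purpose never verifies under another.
    return hmac.new(KEY, purpose.encode() + b"\x00" + body, hashlib.sha256).digest()

def issue(purpose, member_id, now=None):
    now = time.time() if now is None else now
    claims = {"m": member_id, "exp": int(now) + LIFETIME, "jti": secrets.token_hex(8)}
    body = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(body + _mac(purpose, body)).decode()

def redeem(purpose, token, now=None):
    """Return (member_id, None) on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None, "malformed"
    body, tag = raw[:-32], raw[-32:]
    # Verify the signature before parsing anything the client controls.
    if not hmac.compare_digest(tag, _mac(purpose, body)):
        return None, "bad signature or wrong purpose"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None, "expired"
    if claims["jti"] in _spent:
        return None, "already used"
    _spent.add(claims["jti"])   # only a fully valid redemption burns the token
    return claims["m"], None
```

A rejected attempt with the wrong purpose does not consume the token, so a mis-routed link cannot lock the subscriber out of confirming.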

Resend confirmation

Subscribers can request a fresh confirmation link from the confirmation landing page if their token expired. When the list has Send Resend Confirmation enabled, each resend gets a matching transactional email notification.

Unsubscribe

Every campaign email includes a working unsubscribe mechanism. CampaignCanvas enforces this at render time — you cannot accidentally send a campaign without an unsubscribe link.

One-click unsubscribe (RFC 8058)

All rendered emails include the List-Unsubscribe and List-Unsubscribe-Post headers. This enables the one-click unsubscribe button that Gmail, Apple Mail, and Yahoo show at the top of messages. A single click unsubscribes the reader — no landing page required.
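
A check you can run over a rendered message to confirm it meets RFC 8058, added here as an illustration (not CampaignCanvas code). RFC 8058 also requires both headers to be covered by a DKIM signature, which the check looks for; the sample messages, domains and signature values are constructed.

```python
import re
from email import message_from_string

def one_click_problems(raw):
    """Return a list of RFC 8058 problems found in a rendered message."""
    msg = message_from_string(raw)
    problems = []
    # At least one HTTPS URI is required; a mailto-only header is not one-click.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post is missing or has the wrong value")
    # Both headers must be listed in the h= tag of a DKIM signature.
    # This checks coverage only; it does not verify the signature itself.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h=([^;]+)", sig)
        if m:
            signed |= {h.strip().lower() for h in m.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            problems.append(name + " is not covered by a DKIM signature")
    return problems

# Constructed sample messages (not real traffic); signature values are placeholders.
GOOD = """\
From: news@example.com
To: reader@example.net
Subject: April update
List-Unsubscribe: <https://mail.example.com/u/TOKEN>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

Hello
"""
BAD = """\
From: news@example.com
To: reader@example.net
Subject: April update
List-Unsubscribe: <mailto:unsub@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Hello
"""
```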

Unsubscribe landing page

When the visitor clicks an in-body unsubscribe link, they land on a confirmation page that:

  • Confirms the unsubscribe has been processed
  • Optionally collects a reason (e.g. “too many emails”, “never signed up”, “content not relevant”). The reason is stored with the unsubscribe event for reporting.
  • Lets them re-subscribe if they changed their mind

Confirmation email

If the list has Send Unsubscribe Confirmation enabled, the subscriber receives a final “you’ve been unsubscribed” email. Keep this on for transparency — it reassures the subscriber the request went through and gives them one more chance to notice if they unsubscribed by accident.

Enforcement

The rendering pipeline guarantees an unsubscribe link in every campaign body. If your content blocks omit it, a default footer with an unsubscribe link is appended at render time. You cannot ship a campaign without one.

Suppression list

The suppression list is a global do-not-mail registry. Addresses on it are never sent to, regardless of their subscriber or list state. This is your safety net against compliance incidents.

Reasons

| Reason | How it’s set |
|---|---|
| HardBounce | Automatically added after repeated hard bounces (threshold configurable, default 3) |
| SoftBounce | Added by manual import of ESP soft-bounce reports. Soft bounces don’t auto-suppress. |
| Complaint | Automatically added when the ESP reports a spam complaint |
| Unsubscribe | Optional — you can configure unsubscribes to add the address to the global suppression in addition to setting the per-list state |
| Manual | Added from the backoffice via the suppression editor |
| Erasure | Automatically added when a subscriber is erased (GDPR right-to-erasure). Stored as a hash rather than plain-text. |

Enforcement

Every campaign send checks suppression per recipient, per send. If an address is on the list, the recipient row is marked as sent but the actual email is never dispatched. This keeps the recipient queue draining cleanly and preserves campaign analytics integrity.

Checking an address

The Suppression page has a quick-lookup field: enter an address and see whether it’s suppressed, when, and why. Handy when subscribers ask why they’re not getting emails.

Removing from suppression

Manual suppression entries can be deleted from the backoffice. Use this when you have clear opt-in from an address that was previously added by mistake. Automatic entries (hard bounce, complaint) can also be removed, but the underlying signal should give you pause — verify with the subscriber first.

Hashed erasure entries

Addresses suppressed via right-to-erasure are stored as a cryptographic hash, not plain text, so the readable address is destroyed. Re-import protection still works because imports are hashed and checked against the suppression list. This satisfies GDPR’s erasure requirement without losing the ability to block re-imports.

Consent audit trail

Every opt-in event is recorded as an append-only consent entry on the subscriber profile. This is your defensible record of who agreed to what, when, from where, and under which policy version.

What’s captured

| Field | Contents |
|---|---|
| Source | Where the consent came from — e.g. form:{formId}, import:2026-04-21, admin:{userKey}, inline-widget |
| Policy version | Identifier for the consent text shown (e.g. v1, privacy-2026-04). You control the naming; pair it with version-controlled privacy copy. |
| Timestamp | UTC instant of the opt-in event |
| IP address | Captured when available (form signups, inline widget, confirmation clicks) |

When entries are written

  • A form signup completes successfully
  • A CSV row is imported
  • A subscriber confirms a DOI link
  • An admin manually adds a subscriber

Viewing the trail

Open any subscriber’s detail drawer. The Consent history section lists every entry in chronological order — useful when responding to a subject access request or proving consent under audit.

Subject access requests

Under GDPR a data subject can request a copy of everything you hold about them. CampaignCanvas gives you two complementary tools for answering that request without writing a custom export.

Unified Privacy & GDPR panel

For any investigation that starts from an identifier — an email, IP, or name — the Privacy & GDPR panel (under General in the section sidebar) runs a parallel search across form submissions and newsletter subscribers and returns matching records in both categories on one screen. It’s the fastest way to build a complete picture of an individual’s footprint in CampaignCanvas.

Subscriber detail drawer

When you already know the subscriber — or want the full profile view — open their detail drawer from the Subscribers page. It pulls together, in one place:

  • Profile (name, email, language, all custom field values)
  • List memberships with current state and signup source
  • Tags applied
  • Full consent history
  • Activity timeline — every campaign open, click, bounce, or complaint ever recorded for that address

Right to erasure

The right to erasure (also known as the “right to be forgotten”) lets a data subject request permanent deletion of their personal data.

What happens on erasure

Erasing a subscriber permanently deletes:

  • The subscriber row (profile, name, language)
  • All custom field values
  • All tags
  • All campaign events — opens, clicks, bounces, complaints — associated with that subscriber

The address is then added to the global suppression list as a hashed entry. This has two important effects:

  1. The readable address is destroyed — you no longer hold it.
  2. If the same address is later imported, it’s hashed on import and checked against the suppression list, so it cannot be re-added without a deliberate removal step.
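
The erase-then-block-re-import behaviour described here and under "Hashed erasure entries", as an added Python illustration (not CampaignCanvas code). The page says only "cryptographic hash"; the keyed HMAC-SHA-256, the normalisation rule and the `Store` class are assumptions.

```python
import hashlib, hmac, unicodedata

PEPPER = b"constructed-demo-key"  # assumption: server-side secret kept outside the database

def normalise(email):
    # Assumption: addresses are compared case-insensitively after trimming.
    return unicodedata.normalize("NFKC", email).strip().lower()

def address_hash(email):
    # Keyed hash (HMAC-SHA-256): without the key, the stored value cannot be
    # matched against a list of guessed addresses.
    return hmac.new(PEPPER, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()

class Store:
    def __init__(self):
        self.subscribers = {}   # normalised address -> profile
        self.events = []        # (normalised address, event name)
        self.suppression = {}   # address hash -> reason

    def erase(self, email):
        key = normalise(email)
        self.subscribers.pop(key, None)
        self.events = [e for e in self.events if e[0] != key]
        self.suppression[address_hash(email)] = "Erasure"   # hash only, no address

    def import_rows(self, emails):
        added, blocked = [], 0
        for email in emails:
            if address_hash(email) in self.suppression:
                blocked += 1    # previously erased: refuse the re-import
                continue
            self.subscribers[normalise(email)] = {}
            added.append(normalise(email))
        return added, blocked

def demo():
    store = Store()
    store.import_rows(["ann@example.com"])           # constructed sample data
    store.events.append(("ann@example.com", "open"))
    store.erase("Ann@Example.com")
    leftover = "ann@example.com" in repr(vars(store))
    added, blocked = store.import_rows([" ANN@example.com ", "bob@example.com"])
    return leftover, added, blocked
```

Hashing the normalised form is what lets a re-import with different casing or stray whitespace still match the erased entry.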

Triggering an erasure

Subscriber erasures can be started from two places:

  • Subscriber detail drawer — open the subscriber from the Subscribers page and click Erase.
  • Privacy & GDPR panel — search for the subject, then use the row-level Erase action in the subscribers result list. This is the fastest path when you’re working from an erasure request rather than browsing subscribers.

Both paths hit the same service. Subscriber erasures are always row-level (not bulk) because each one writes a hashed suppression entry and cascades through tags, custom fields, and campaign events — the per-row confirmation prevents accidentally scorching look-alike addresses. The action is irreversible and is recorded in the audit log with the operator’s identity and timestamp.

Delete vs. erase

Delete removes the subscriber but doesn’t add them to suppression, so a re-import can recreate them. Use delete for operational cleanup (test data, duplicates). Use erase for GDPR requests, where you need a defensible record that the address was permanently removed and cannot be re-added.

Audit log

Every state-changing action in the Newsletter module — list creation and deletion, subscriber creation and erasure, campaign scheduling and sending, suppression updates — is written to the audit log with the operator’s identity, timestamp, and the affected resource.

The audit log is queryable from the backoffice and is retained for the lifetime of the install. It’s your primary record for:

  • Internal compliance audits
  • Who-did-what investigations
  • Demonstrating process to external auditors