Datapad Projects

Privacy & GDPR Compliance

CampaignCanvas includes built-in tools for GDPR compliance, giving you control over data retention, sensitive field redaction, subject access requests, and the right to erasure. These features help you meet your obligations under the General Data Protection Regulation without…

Data Retention

Data retention lets you automatically delete old submissions after a specified number of days. This is useful for forms that collect time-sensitive data (e.g. event registrations, support requests) where you have no legal basis to store submissions indefinitely.

How it works

  1. Open a form in the backoffice and navigate to Settings.
  2. Set the Retention Period to the number of days you want to keep submissions. Leave it empty to keep submissions indefinitely.
  3. Submissions (and their associated uploaded files) older than the retention period are automatically and permanently deleted.

Examples

| Retention Period | Behavior |
| --- | --- |
| Not set (default) | Submissions are kept indefinitely |
| 30 days | Submissions older than 30 days are deleted |
| 90 days | Submissions older than 3 months are deleted |
| 365 days | Submissions older than 1 year are deleted |

Important

Deletion is permanent and irreversible. Once a submission is deleted, neither the data nor the uploaded files can be recovered. Make sure to export any data you need before setting a retention period.

Tip

Combine data retention with workflow email notifications to ensure you receive submission data by email before the automatic cleanup removes it from the database.

Sensitive Fields

Mark individual form fields as sensitive to restrict who can see their values in the backoffice. Users without the right permission see redacted values instead of the real data.

How it works

  1. In the form builder, select a field and enable the Sensitive toggle. Use this for fields containing personal data such as phone numbers, addresses, or payment references.
  2. When a backoffice user views submissions, CampaignCanvas checks whether they are a member of the “Sensitive data” user group in Umbraco.
  3. Users without the permission see ****** instead of the actual field value.
  4. Users with the permission see the real value.

Where redaction applies

  • Submission listing in the backoffice
  • Submission detail view
  • CSV export (the same “Sensitive data” user group is enforced)

Recommended use cases

  • Phone numbers
  • Postal addresses
  • Payment references or transaction IDs
  • National identification numbers
  • Health or financial information
  • Any field where you want to restrict visibility to authorized personnel only

Note

“Sensitive data” is a built-in Umbraco user group. Assign it to a user under Users → select user → Assign access → Groups. CampaignCanvas does not introduce its own permission system.
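
The redaction rule described in this section, sketched as an added example (not CampaignCanvas code): one redaction function sits in front of every output path, so the listing and the CSV export cannot disagree. The field layout, function names and sample data are constructed for illustration, and masking empty values as well is a choice of this sketch.

```python
import csv
import io

SENSITIVE_GROUP = "Sensitive data"  # group name as given on this page
MASK = "******"                     # fixed-length mask, as shown above

# Constructed sample form definition and submissions.
FORM_FIELDS = [
    {"alias": "name", "sensitive": False},
    {"alias": "phone", "sensitive": True},
    {"alias": "message", "sensitive": False},
]
SUBMISSIONS = [
    {"name": "Ada", "phone": "+44 20 7946 0000", "message": "Call me"},
    {"name": "Bob", "phone": "", "message": "No phone given"},
]

def can_view_sensitive(user_groups):
    return SENSITIVE_GROUP in user_groups

def redact(submission, fields, user_groups):
    """Return a copy of one submission, masking sensitive fields if needed."""
    allowed = can_view_sensitive(user_groups)
    out = {}
    for field in fields:
        value = submission.get(field["alias"], "")
        # Mask regardless of content so the mask reveals neither the
        # length of the value nor whether one was entered at all.
        hidden = field["sensitive"] and not allowed
        out[field["alias"]] = MASK if hidden else value
    return out

def listing(submissions, fields, user_groups):
    return [redact(s, fields, user_groups) for s in submissions]

def export_csv(submissions, fields, user_groups):
    # The export reuses listing(), so it enforces the same group check.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f["alias"] for f in fields])
    writer.writeheader()
    writer.writerows(listing(submissions, fields, user_groups))
    return buf.getvalue()
```
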

SAR Search

Subject Access Requests (SARs) are a core GDPR right. When an individual asks what personal data you hold about them, you need to find every trace of it. The Privacy & GDPR panel runs that search across both form submissions and newsletter subscribers in one operation, so you don’t have to pivot between sections.

How it works

  1. In the backoffice, open the CampaignCanvas section and click Privacy & GDPR under General.
  2. Enter a search term (e.g. an email address, name, phone number, or IP address) and click Search.
  3. CampaignCanvas runs two queries in parallel:
    • Form submissions — case-insensitive match across all field values, plus IP address and referer
    • Newsletter subscribers — match across email, first/last name, and custom field values
  4. Results are returned in two lists on the same screen — matching submissions (with form name, status, and preview) above matching subscribers (with email, list memberships, and last activity).

Authorization

The Privacy & GDPR panel requires the Umbraco “Sensitive data” user group. Users without this permission do not see the panel in the sidebar and the underlying endpoints refuse access. Unauthorized attempts are recorded in the audit log.

Tip

Search by email address for the most targeted results. You can also search by name, phone number, IP address, or any other identifier that may appear in form field values or subscriber profiles.

Right to Erasure

The right to erasure (also known as the “right to be forgotten”) lets a data subject request permanent deletion of their personal data. The same Privacy & GDPR panel that powers SAR search handles erasure for both forms and newsletter subscribers, with slightly different mechanics for each.

How it works

  1. In the Privacy & GDPR panel, search for the data subject using the same query as SAR search.
  2. Review the two result lists to verify the scope of the request.
  3. Submissions: click Erase all matching above the submissions list. A confirmation dialog restates the match count and search term before the bulk delete runs, guarding against typos on a destructive action.
  4. Subscribers: erase one at a time from the row-level Erase action. Each erasure deletes the subscriber profile, custom fields, tags and campaign events, and adds a hashed entry to the global suppression list so the address cannot be re-imported. See Newsletter → Right to erasure for the full semantics.
  5. Every search and every erasure is written to the audit log with the operator’s identity, timestamp, and the search term used.

Why subscribers are row-by-row

Subscriber erasure has side effects beyond deletion — it writes a hashed suppression entry and cascades through tags, custom fields, and event history. Doing it per-row forces you to look at each profile and confirm it’s the right person, rather than accidentally scorching a dozen look-alike addresses.
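
How a hashed suppression entry can block re-import without keeping the address, as an added example (not CampaignCanvas code). Assumptions: the page only says the entry is "hashed", so the keyed HMAC-SHA-256, the trim-and-lowercase normalization, the `SubscriberStore` class and all sample values are choices made here.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: keyed HMAC-SHA-256 over a normalized address. The page only says
# the suppression entry is "hashed"; the key below is a constructed demo value.
SUPPRESSION_KEY = b"constructed-demo-key-not-for-production"

def normalize(email: str) -> str:
    return email.strip().lower()

def suppression_hash(email: str) -> str:
    return hmac.new(SUPPRESSION_KEY, normalize(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()

class SubscriberStore:
    """Hypothetical in-memory stand-in for the subscriber tables."""

    def __init__(self):
        self.profiles = {}        # normalized email -> profile dict
        self.suppressed = set()   # hashes only, never addresses
        self.audit_log = []

    def import_subscriber(self, email: str, profile: dict) -> bool:
        # Refuse re-import of an erased address by comparing hashes.
        if suppression_hash(email) in self.suppressed:
            return False
        self.profiles[normalize(email)] = dict(profile)
        return True

    def erase(self, email: str, operator: str, search_term: str) -> bool:
        # Drop the profile with its custom fields, tags and events in one step.
        removed = self.profiles.pop(normalize(email), None) is not None
        if removed:
            self.suppressed.add(suppression_hash(email))
        # Audit entry: who, when, which search term; no deleted profile data.
        self.audit_log.append({
            "action": "erase_subscriber",
            "operator": operator,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "search_term": search_term,
            "removed": removed,
        })
        return removed
```

A keyed hash is used in this sketch because an unkeyed digest of an email address can be matched by hashing a list of candidate addresses.
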

Authorization

Erasure requires the Umbraco “Sensitive data” user group. Users without this permission cannot perform erasure operations.

Important

Erasure is permanent and irreversible. Always review the search results first to confirm which records will be deleted. The audit log records that an erasure was performed, but does not retain the deleted data itself.

Recommended workflow

  1. Receive an erasure request from a data subject.
  2. Use SAR search to identify all matching submissions and subscribers in one query.
  3. Export or document the search results if needed for your internal records.
  4. Bulk-erase matching submissions, then row-erase matching subscribers one by one.
  5. Confirm the deletion counts against the search results you captured.
  6. Notify the data subject that their data has been erased.

Note

Erasure only deletes data stored inside CampaignCanvas. If you have forwarded submission data to external systems (e.g. via email workflows, Slack notifications, or API integrations), you must separately ensure that data is also deleted from those systems to fully comply with the erasure request.