1. Overview
The EU General Data Protection Regulation ("GDPR") sets out obligations for organizations that process personal data of individuals in the European Economic Area ("EEA"). Although FieldWise HQ is operated from the United States, we design our Services to support customers whose operations are subject to the GDPR, and we make commercially reasonable efforts to align our practices with GDPR principles globally.
This page explains how we approach GDPR compliance. It is a summary, not a legal opinion; customers subject to GDPR should consult their own counsel.
2. Controller vs. Processor
Under the GDPR, FieldWise HQ acts in different roles depending on the data in question:
- Customer Data (data controller = our business customer): When a company uses FieldWise HQ to manage its own operations — recording its customers, jobs, technicians, and invoices — the company determines what data to collect and why. That company is the data controller. FieldWise HQ is the data processor, acting on the controller's documented instructions.
- Account and website data (data controller = FieldWise HQ): When we collect information directly — for example, someone signing up for our newsletter, requesting a demo, or creating a company account — we are the data controller of that information.
3. Legal Bases for Processing
Where FieldWise HQ acts as a controller of personal data of EEA individuals, we rely on one or more of the following legal bases:
- Contract: to provide the Services you have subscribed to.
- Legitimate interests: to operate, secure, and improve the Services (balanced against individual rights).
- Legal obligation: to comply with applicable laws (tax, accounting, anti-fraud).
- Consent: where explicitly obtained (e.g., marketing communications).
4. Data Subject Rights
Individuals in the EEA have the following rights regarding their personal data:
- Right of access to personal data we hold about them.
- Right of rectification of inaccurate data.
- Right of erasure ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing.
- Right to data portability.
- Right to object to certain processing (including direct marketing).
- Right to withdraw consent where consent is the basis.
- Right to lodge a complaint with a supervisory authority.
How to exercise these rights: If your personal data was entered into FieldWise HQ by a business customer (for example, you are their employee, technician, or end customer), please contact that business directly — they are the controller. FieldWise HQ will assist them in responding to your request. If you provided data directly to us (e.g., you signed up for our newsletter), email us and we will respond within 30 days.
5. Data Processing Agreement (DPA)
We make a Data Processing Agreement available to any customer whose activities are subject to GDPR. The DPA:
- Sets out the subject matter, duration, nature, and purpose of the processing.
- Describes the categories of data and data subjects.
- Commits FieldWise HQ to process Customer Data only on documented instructions.
- Binds our personnel to confidentiality.
- Incorporates technical and organizational security measures.
- Commits us to assist with subject-rights requests and incident response.
- Incorporates Standard Contractual Clauses for transfers of EEA personal data to the United States.
To request a copy or execute our DPA, email us with the subject line "DPA Request."
6. Subprocessors
We use a small number of carefully selected subprocessors to deliver the Services. Each is bound by contractual confidentiality and data-protection obligations. Current categories include:
- Cloud infrastructure and hosting providers
- Payment processing (Stripe, Inc.)
- SMS delivery (Twilio, Inc.)
- Transactional email providers
- Error monitoring and crash reporting
A current list of specific subprocessors, including name and location, is provided with our DPA. We notify customers of material changes to our subprocessor list in advance, giving them an opportunity to object.
7. International Data Transfers
FieldWise HQ is operated from the United States. Personal data of EEA individuals may therefore be transferred to, stored, and processed in the United States. We rely on the following safeguards:
- Standard Contractual Clauses (as adopted by the European Commission) incorporated into our DPA.
- Supplemental technical measures — encryption in transit and at rest, access controls, and audit logging.
- Transparency — we respond to government data requests only when legally compelled and, where legally permitted, we notify affected customers.
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, including legal and legitimate business requirements. Specific retention periods are described in our Privacy Policy. Customer Data is returned or deleted at the end of the customer relationship, subject to any legal retention obligation.
9. Security Measures
Our technical and organizational measures are described in detail on our Security page and incorporated by reference into our DPA.
10. Breach Notification
In the event of a personal data breach affecting EEA individuals, we will notify affected controllers without undue delay and, where feasible, within 72 hours of becoming aware of the breach, consistent with our obligations under Article 33 of the GDPR. Our notification will describe the nature of the breach, likely consequences, and measures taken to address it.
11. Contact
For GDPR inquiries, DPA requests, subject-rights requests, or questions about our data-protection practices:
GDPR & Data Protection Inquiries
Please include "GDPR" or "DPA" in your subject line. We respond within 5 business days.
fieldwisehq@gmail.com