General Data Protection Regulation

Last updated August 4, 2021

SaladBowl’s Commitment to Privacy & Data Protection

SaladBowl is committed to protecting and honoring your privacy rights. In light of a number of jurisdictions having enacted laws that affect how companies handle personal information, we wanted to take a moment to share what measures SaladBowl has put into place to comply with two significant data protection laws: the General Data Protection Regulation and the California Consumer Privacy Act.

General Data Protection Regulation

The GDPR is a European law establishing protections for the personal data of EU residents that came into force on May 25, 2018. Under the GDPR, organizations that collect, maintain, use, or otherwise process EU residents’ personal data (regardless of the organization’s location) must implement certain privacy and security safeguards for that data. SaladBowl has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. Some significant steps SaladBowl has taken to align its practices with the GDPR include:

  • Revisions to our policies and contracts with our partners, vendors, and users
  • Enhancements to our security practices and procedures
  • Closely reviewing and mapping the data we collect, use, and share
  • Creating more robust internal privacy and security documentation
  • Training employees on GDPR requirements and privacy/security best practices generally
  • Carefully evaluating and building a data subject rights’ policy and response process

Below, we provide additional details about the core areas of SaladBowl’s GDPR compliance program and how customers can use SaladBowl to support their own GDPR compliance initiatives.

Data Processing Agreements

Under the GDPR, “data controllers” (i.e. entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called “data processors”).

International Data Transfers

EU data protection laws require organizations to use a recognized legal mechanism to transfer data from the EU to countries that do not have a similar data protection framework, including the United States.

Although we cannot rely on Privacy Shield to transfer EEA and Swiss data, SaladBowl has decided to keep its Privacy Shield certification to continue to safeguard the data already transferred under Privacy Shield and as a commitment to its data protection safeguards.

The regulatory guidance in this area continues to evolve, and we are tracking additional guidance from data protection authorities closely. SaladBowl remains committed to the privacy of our customers and will continue to work to make sure we comply with data protection laws.

Data Access, Management, and Portability Tools

The GDPR gives individual data subjects in certain circumstances the rights to, among other things, access, delete, and make corrections to their personal data. SaladBowl is committed to facilitating data subject requests consistent with the GDPR, as further described in our Privacy Policy.

Privacy Documentation

At its core, the GDPR is focused on transparency, fairness, and accountability. Accordingly, the law requires organizations to maintain documentation about their privacy practices and their decisions about how they handle individuals’ personal data. SaladBowl shares the GDPR’s commitment to these principles and has included within its ongoing GDPR compliance program documentation about its data collection and processing activities, and the various policies and guidelines it follows pursuant to the GDPR. You can learn more about how SaladBowl collects, uses, and discloses personal data by visiting SaladBowl’s Privacy Policy.

Data Security

The GDPR requires organizations to use appropriate technical and organizational measures to protect the security, confidentiality, and integrity of personal data. Security continues to be a priority for SaladBowl, and we have successfully completed our SOC 2 (Type I) and (Type II) audits for controls relevant to security, availability, and confidentiality. This means that an independent third party has both validated our processes and practices with respect to these three trust services criteria and confirmed our ability to maintain compliance with the controls we have implemented. We have likewise implemented a variety of safeguards to protect the security of our platform, including encrypting web connections to protect data transmissions, replicating our databases to support reliability of the platform, and controlling access to our facilities and office network.

Exercising Your Rights Under the GDPR

If you would like to exercise your rights under the GDPR, please submit your request by contacting us at

California Consumer Privacy Act

The CCPA, which comes into force on January 1, 2020, is a law that provides California consumers certain rights with respect to their personal information. Specifically, the law requires that businesses subject to the statute grant consumers the ability to request access to and deletion of their data, and the ability to opt out of “sales” of their personal information. The law also restricts how service providers that process personal information on behalf of a business may use that information.

SaladBowl does not sell its customers’ or users’ personal information. Where a business subject to the CCPA has entered into a services or subscription agreement with SaladBowl, SaladBowl will also act as a service provider to that business. Specifically, SaladBowl will process such customers’ personal information only for the purposes set forth in the applicable agreement, and will cooperate with customers to fulfill deletion or access requests.

Exercising Your Rights Under the CCPA

For more information about how SaladBowl provides individual consumers with the ability to access and request deletion of their personal information under the CCPA, please see Section VI (“Privacy Information for California Residents”) of our Privacy Policy.

If you would like to exercise any of your rights under California law with respect to your personal information, please submit your request by contacting us at

Ongoing Compliance and Communication

Both the GDPR and CCPA’s requirements are comprehensive, but the law and regulatory guidance continues to evolve when it comes to privacy and data protection – and not just in the EU or the United States. As data protection authorities and regulators interpret and issue guidance on the GDPR, CCPA, and other currently existing data protection laws around the world and as countries pass new data protection laws, we will continue to follow these developments closely and evaluate our program for any changes or enhancements as needed.

Finally, we value communication with our customers. If you have any questions about our data protection practices, please contact us at