General Data Protection Regulations (GDPR) FAQs

We’ll update these FAQs periodically as more information becomes available.

Last updated: May 24, 2018

The General Data Protection Regulation (GDPR) is a legal framework approved by the European Commission in 2016. The GDPR builds on the existing European Union Data Privacy Directive, which has been the basis of European data protection law since 1995.

Under the GDPR, the new regulations enhance existing data privacy rights and freedoms for EU residents, consistent with the European understanding of privacy as a fundamental human right.

The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. and our parent company Finity SA welcome these new regulations and are committed to GDPR compliance and to data protection in general.

The GDPR goes into effect on 25 May 2018.

The regulation must be followed by every organisation- whether a private business or public authority- that processes personal data of European Union residents, no matter where the organization is located or where the data is processed.

If you are a EU resident and your personal data is being processed by an organization, then you have enhanced rights related to your personal data under the GDPR.

In actuality, the new GDPR regulations reinforce our already high standards for data protection and privacy for all our users, no matter their geographical location. However, has used these regulations as an opportunity to document and provide additional transparency to users, paper subscribers and site visitors regarding how and when data is being processed and stored. (For complete details, you may refer to our updated Privacy Policy.)

The GDPR is an extremely long document written by lawyers, so it should come as no surprise that the document is full of legal language. Below are some of the key terms to know.

Personal Data

The GDPR considers personal data any information that could be used, on its own or in conjunction with other data, to identify an individual. Name, address, email, IP address, billing information are all considered examples of personal data.

If you access personal data, you do so as either a data subject or a processor, and there are different requirements and obligations depending on which category you are in.


A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.

Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities).


A processor is the organization that processes the data on behalf of the controller.

Data Subject

If you, as an EU resident, have provided personal data to an organization, you are considered the data subject, and as such, have extended rights under the GDPR.

In parlance, papers are created and managed by “publishers” ( users).

Paper Subscribers, as Data Subjects

In the context of and our related services, when stores subscriber email addresses and sends out the newsletters on behalf of a publisher (creator of a paper), is acting as controller of subscriber emails that publishers collect and subscribers are considered data subjects. Because publishers may view email addresses, they are considered recipients of subscriber data.

Right to be forgotten- As a subscriber to paper(s), you have the right to remove yourself from a publisher’s subscription list by clicking on the unsubscribe link in footer of the newsletter. Subscribers may also contact us directly ( to request deletion of their subscriber email from a paper or across multiple papers.

Right to rectification- In the case where you, as a subscriber to paper(s), need to correct or update your email address, you may either unsubscribe using the unsubscribe link in the footer of the newsletter or contact us directly ( to request deletion of the outdated email address. You are then requested to re-subscribe in order to track consent, as required under GDPR.

Right to object to processing- Per our Privacy Policy, does not process or store subscriber emails for any other purpose other than sending newsletters on the publisher’s behalf. If you object to our processing of your subscriber email, you may of course unsubscribe by using the unsubscribe link.

In some cases, a publisher may have installed a third-party subscription box to collect emails and send out newsletters using another service, other than In this case, does not access those subscription emails and is neither the controller nor processor of those subscriber emails. In this case, a subscriber should contact the publisher directly.

Publishers, as recipients of subscriber data

If you, as publisher (creator of a paper), are using the service to store subscriber emails and send newsletters, is considered controller of the subscriber emails, with all the responsibilities the role entails. By viewing these emails, you are considered the recipient of the information., acting as the controller of the subscriber data, is implementing changes in order to be fully compliant with the GDPR:

  • On the subscription form, we have described the purpose of providing an email (clear opt-in) and have included a link to our Privacy Policy, which has been simplified and re-written in clear, straightforward language.

  • Any data subject (potential subscriber) who enters an email into a paper subscription box will receive an email with a link to confirm their subscription.

  • If a data subject (potential subscriber) does not confirm their subscription within 30 days using the link, their email is deleted from our system. If/when subscriber clicks on the confirmation link, records the date and time of the "opt-in".

Publishers, as controllers of subscriber data

On the other hand, if you, as publisher (creator of a paper), have embedded a third-party subscription box (including Mailchimp) to collect emails, you should check with the third-party service you are using to ensure GDPR compliance. Additionally, if you choose to export an existing subscriber list from your paper to use in another email service, you assume the role (and responsibilities) of controller of that subscriber data.

Publishers, as Data Subject also acts as the controller of all publisher (creator of a paper) personal data such as publisher name, email and billing information (for PRO users). In this context, since publishers provide to their personal data, publishers located in the EU are also considered data subjects.

As such, publishers located in the EU have expanded rights under the GDPR. is prepared to address any requests made by our publishers related to their expanded individual rights under the GDPR.

Right to be forgotten- At any time, you may choose to delete your publisher account, which will erase from our database your publisher data (and any papers under the account), as well as third-party data in, a communication tool. Here's how.

If you have submitted a help ticket in the past, an account in Zendesk has been created. This correspondence is stored indefinitely in Zendesk.

Right of rectification- You may access your publisher settings and edit your name, email, billing address and more, here's how.

Right of access- Information regarding what information we are storing, purpose and for how long is found in our Privacy Policy.

Social Media Posts

Social media posts pulled into a paper are determined by the criteria chosen in the publisher’s (creator of paper) content sources.

Consent and data use are effectively covered by the terms and conditions and privacy notices of these social networks. The information we receive from social media networks is solely determined by each social media network, according to their privacy policy and terms of service. We encourage you to check their terms and privacy policies to understand what information is publicly available.

If a publisher is contacted directly by a social media user who does not want their social media content or posts to be included in a paper and/or the entire service, the publisher may inform the social media user to contact us directly via @paper_li or contact us via our support address (

Publishers may inform website owners who do not want an extract of their content to be promoted in their paper and/or the entire service to contact us directly via @paper_li or via our support address (

The full text of the regulations can be found here.

If you have additional questions regarding how long we store data and how it’s used, please refer to our Privacy Policy.

If you have specific questions regarding use of data that you don’t feel are covered by our Privacy Policy or FAQ, feel free to contact us at

We’ll update these FAQs periodically (if needed) as more information becomes available.

Disclaimer: This guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal or other professional counsel to determine how the GDPR may apply to your organization.