Under the GDPR, businesses that receive or track data from their users are called 'data controllers'. Data controllers need to inform their users of which data they keep or collect and how they use it. To collect and process personal data (privacy) they need to ask their users explicitly for their approval. Data controllers can use third parties to process the data for them, e.g. an online reporting tool. Data controllers may only work with data processors that provide 'sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects'. These guarantees are included in so-called Data Processing Agreements. This obligation is very stringent and requires controllers to make a detailed assessment of each processor's capabilities, including its financial stability. Sooqr acts as a data processor for our clients and has included a Data Processing Agreement in our Terms & Conditions. You can find it here: https://www.sooqr.com/dpa