At Balloon we embrace the changes being brought in by the new GDPR regulation and see it as an opportunity to further improve how we communicate with you, use and share your data and fundamentally, how we place your privacy, security and rights at the forefront of everything that we do. As both a data controller and processor, we have taken measures to ensure our compliance with the GDPR.

GDPR preparedness checklist

We have been working hard over the recent months to ensure compliance with the GDPR. Below is a high-level overview of the key activities we have performed:

  • Appoint a Data Protection Officer
  • Assess our product and business to determine areas impacted by GDPR
  • Conduct an internal audit to ensure that all third parties and suppliers used by Balloon are GDPR compliant
  • Perform necessary changes to the platform (incl. easier to access communication preference controls, explicit acceptance of Terms and Privacy Policies on signup)
  • Update our Privacy Policy
  • Update our Terms & Conditions
  • Create a dedicated page to document our GDPR activities and compliance
  • Create a dedicated page to outline how we secure our customers data
  • Communicate our compliance with our customers


Balloon servers are all hosted in the cloud by Amazon Web Services (AWS). The AWS infrastructure puts strong safeguards in place to help protect customer privacy.

  • All data is stored in highly secure AWS data centres.
  • AWS ensures that all data is encrypted in transit with TLS across all services.

Protecting Your Data

Protecting your data is of paramount importance and a constant focus here at Balloon.

  • Data is backed up daily and in some cases, more frequently than that.
  • All access to the Balloon website is restricted to HTTPS encrypted connections.
  • All data retrieval (and posting) to connected social accounts is done via HTTPS and using a unique, per user, access token (which you can revoke at any time).
  • We never store credit card or payment details in our database. This is strictly stored and managed by Stripe to ensure maximum security. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available.
  • User passwords are encrypted. Passwords are never stored in plain text. Even our engineering team has no way to know what the password is.

Employee Access

Access to infrastructure and other aspects of the Balloon environment, as well as customer data, is strictly limited to those within our team that absolutely need it.

  • Only our Engineering team has access to our production environment. SSH keys are required for console access to servers in all of our environments.
  • Whilst we will often use aggregated snapshots of customer data to help us understand and identify performance, financial and business insights, we will only access individual customer records if it is necessary to do so in order to carry out a customer support request or a significant systems issue.

How to Report a Security Incident

To report an incident of suspected abuse, misuse, or a security issue you have discovered you should contact immediately. For incidents that affect a single account, please reach out to us via our usual support channels.

  • Balloon's will acknowledge your report, usually within 1 business day.
  • A point of contact will be assigned. This person will be responsible for keeping track of the issue, as well as keeping you updated. Please note that this person may need to liaise with you to better understand the reported issue and the circumstances around it.
  • We will investigate the issue and determine the impact.
  • In most cases, for security reasons it is likely that we will be unable to disclose details of the issue until our investigation has been completed.
  • Once the issue has been resolved, we will post an update along with thanks and credit for the discovery.

Frequently Asked Questions

Does Balloon have a Data Processing Agreement (DPA) we can sign?

As a Data Controller, our updated Terms & Conditions include the necessary data processing clauses. When we are acting as a Data Controller, the terms of our Privacy Policy will govern. If you specifically require a signed copy of our Terms & Conditions, then please contact and we will send you a copy to sign.

Where does Balloon store its data?

Our server infrastructure is hosted by Amazon Web Services (AWS) - in their North Virginia (US) region. AWS ensures that all data is encrypted in transit with TLS across all services.

Can you delete my data or answer any other questions about my data?

Please email us if you'd like to exercise your rights under GDPR. You can request to have your data deleted as well as request further information on how your data is being used - amongst other things.

How is my data being used?

We are continually auditing the third-party services that we use, in order to ensure that we are only making use of services that add value to Balloon, the product and its customers. To view a full list of those that we use, please head over to our Privacy Policy. If you have any further questions please don't hesitate to get in touch with us via our Support Chat or by emailing us on