Is Onside GDPR compliant?

Our full GDPR information

Onside Privacy Policy - GDPR

If you are based in the European Union (EU) and use our website and/or our services, these additional terms (GDPR Addendum) form part of our privacy policy.

The General Data Protection Regulation (GDPR) regulates the collection, processing and transfer of EU individuals’ personal data (as defined in the GDPR). The personal information described in our privacy policy is personal data under the GDPR. We are committed to complying with the GDPR when dealing with Account and Marketing Data (as defined in the privacy policy) about our website visitors and service users based in the EU.

For the purposes of the GDPR:

- We are the data controller (as defined in the GDPR) when processing Account and Marketing Data; and

- Our customers are the data controller when processing Visitor and Employee Data (as defined in the privacy policy).

We will not process Visitor or Employee Data except as provided in our Terms of Service (including, if applicable, the Onside Data Processing Addendum) and we require our customers to comply with applicable privacy and data protection laws.

The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Visitor or Employee Data.

This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to

Processing personal data

The Account and Marketing Data we may process is described in our privacy policy. This Account and Marketing Data may be processed for the purposes outlined in our privacy policy.

The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party.

Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.

You do not have to provide us with your name or contact information to access and use the website. However, you must provide us with your name and contact information when using the Service and some of our other services. The consequence of not providing your name and contact information is that we will not be able to provide all of our services to you.

Your Rights

Your rights in relation to your personal data under the GDPR include:

Right of access

If you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data.

Right to rectification

If the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible.

Right to erasure

We delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data.

Right to withdraw consent

If the basis of our processing of your personal data is consent, you can withdraw that consent at any time.

Right to restrict processing

You may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible.

Right to object to processing

You may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR.

Right to data portability

You may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller.

Right to complain to a supervisory authority

You can report any concerns you have about our privacy practices to the relevant data protection supervisory authority.

Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.

If you would like to exercise any of the above rights, please contact us at If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority (e.g. in the United Kingdom, this is the Information Commissioner’s Office).


We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our website and/or by using our services, please contact us at


We use cookies, pixel tags (also known as web beacons or clear gifs) and similar storage technologies. Please refer to our Cookie Policy for further information, including information on how you can disable these technologies.

International transfer of data

The Account and Marketing Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.

Some of the Account and Marketing Data we collect is processed in New Zealand (where our registered office is located). New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision in transferring personal data to New Zealand.

Some of the Account and Marketing Data we collect is processed by third party data processors in other countries, including the United States. These countries are not subject to an adequacy decision by the European Commission and instead, in transferring your personal data to these countries, we take other appropriate safeguards as prescribed by the GDPR. We have verified that our data processors in the United States have self-certified under the EU-US Privacy Shield framework.

Data retention policy

Account and Marketing Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.

Contact us

You can contact us at