
At Shuttlerock we’re committed to protecting your data and to helping our partners and customers comply with the General Data Protection Regulation (GDPR).


Shuttlerock & the GDPR

The General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) data privacy law that went into effect on 25th May 2018. The GDPR seeks to provide EU citizens with greater control over their data. Shuttlerock complies with the requirements laid out in the GDPR including how we collect, use and store personal data and maintain documentation and reporting for increased accountability. At Shuttlerock, we champion efforts to improve the privacy of our customers and partners.

How we protect your data

As we’ve grown, our focus on protecting the data and privacy of users has remained our highest priority.

All the data we store about you is accessible only by Shuttlerock team members that need access to help you meet your goals and to provide customer support. The data we store is backed up daily and can be recovered in the event of a system failure.

At Shuttlerock your data is always yours. We do not sell your data, we comply with GDPR, and we will delete your data under GDPR requirements upon request. To make a request please contact the team.


Your Rights

The GDPR grants data subjects the right to access their data and the information organisations hold about them. You can read more about your rights in the DSAR request section.


Privacy Policy

You can read more about Shuttlerock’s privacy commitments through our Privacy Policy. This includes information about how we collect data, our use of cookies, our Opt-Out policy and more.


Data Retention & Deletion

Shuttlerock retains data in accordance with its Data Retention and Deletion Policies. These include methods of disposal, data minimisation practices and data disposal schedules.



To meet our GDPR commitments our data centres for the Shuttlerock Cloud are located in Ireland with redundancies in Germany. Where third-party providers are deployed that provide services to help us meet our service level agreements we seek to locate these in data centres in the EU.


Data Transfers

Several mechanisms are available to facilitate data transfers outside the EU. Adequate levels of protection ensure appropriate safeguards confirmed by adequacy decisions, such as the Swiss Data Protection Act. Where countries are not covered by an adequacy decision, we use other mechanisms including standard contractual clauses.


Data Processing Addendum

A signed copy of our standard Data Processing Addendum (DPA), incorporating Model Clauses, is available here.

Our DPA aims to facilitate our customers' and partners' compliance assessment when using Shuttlerock’s products and services.



Shuttlerock aims to provide transparency around how we use and collect your data and with whom the data is shared. The business activities Shuttlerock and its subsidiaries engage in require the deployment of third-party companies (‘sub-processors’) to process customer and client data in connection with the products and services we provide.

The IT Security Operations team at Shuttlerock conducts risk assessments on sub-processors. We do this to determine if sub-processors meet the technical and organisational measures that ensure the sub-processing of personal data is protected to the standards required by the applicable data protection laws.

Shuttlerock maintains an up-to-date list of the names and locations of sub-processors, click here. Personal data will be processed by these sub-processors for the duration the customer uses the Shuttlerock services, or for the period outlined by the Shuttlerock data retention policy or as required by relevant laws and regulations. For more information about the sub-processors we engage with, please email us at


Data Protection Officer

Shuttlerock has a designated Data Protection Officer (DPO) for Shuttlerock Limited and its subsidiaries.

Shaun Heath is Shuttlerock’s DPO, based at our HQ in Nelson in New Zealand.

You can contact our DPO by emailing


Supervisory Authority

You have a right to lodge a complaint with a data protection supervisory authority (SA), in particular in the Member State in the European Union where you are habitually resident or where any alleged infringement of Data Protection law has taken place.

Contact details for the SA in Europe and the UK can be found below.


Resources and Links


EU Supervisory Authority

Shuttlerock’s main operations in the EU are in Berlin, Germany. The supervisory authority can be contacted at:

Friedrichstrasse 219
10969 Berlin
Visitor entrance:
Puttkamer Straße 16 – 18 (5th floor)

Tel: 030/138 89-0
Fax: 030/215 50 50


UK Supervisory Authority

Shuttlerock operates in the United Kingdom through its subsidiary. The supervisory authority can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Fax: 01625 524510


PrivacyMark System

PrivacyMark System is a system set up to assess private enterprises that take appropriate measures to protect personal information.

Shuttlerock Japan has been assessed under the system and found to take appropriate measures to protect personal information. The System complies with Japan Industrial Standards (JIS Q 15001: [Personal Information Protection Management System - Requirements]).

Data Subject Access Request (DSAR)

The GDPR is designed to reshape the way organisations across the world approach data privacy, especially across the EU. While the GDPR is a piece of EU legislation, it applies to any business that handles personal data in the EU and grants certain rights to individuals whose personal information has been collected. The availability of these rights and the ways in which you can use them are set out below in more detail.


You are entitled to ask us if we are processing your data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you and certain other information about it.


You are entitled to request that any incomplete or inaccurate personal data we hold about you is corrected.


You are entitled to ask us to delete or remove personal data in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.


You are entitled to ask us to suspend the processing of certain personal data about you, for example, if you want us to establish its accuracy or the reason for processing it.


In certain circumstances, you may request the transfer of certain of your personal data to another party.


Where we are processing your personal data based on a legitimate interest (or those of a third party) you may challenge this. You also have the right to object where we are processing your personal information for direct marketing purposes.


You may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.


Where we are processing personal data with consent, you can withdraw your consent.


From time to time, we may contact you with marketing information and updates about our products and services. If you change your mind, you are entitled to opt out of our marketing material at any time by clicking the unsubscribe link in the email newsletter. Alternatively, you can contact us directly.

How do I make a DSAR request?

Some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please contact us at


Get In Touch

Ready to get started? Want to learn more?
Get in touch with Shuttlerock today.

General IT Security

Data Security Enquiries

Privacy/GDPR Enquiries

Data Protection Officer - Shaun Heath
