GDPR and Data Processing
A plain-English overview for ViralDesk users
This page explains how GDPR and UK data protection law applies to businesses using ViralDesk to manage leads and customer data. It is intended as a practical starting point — not a substitute for legal advice.
Your role as a data controller
When you use ViralDesk to collect enquiries, store contact details, or send messages to customers or leads, you are acting as a data controller under UK GDPR. This means you are responsible for how that data is collected, used and stored — and for ensuring you have a legal basis to do so.
ViralDesk's role as a data processor
ViralDesk processes your customer and lead data on your behalf. This makes us a data processor. We only use that data in accordance with your instructions (i.e. to operate the platform) and do not sell or share it with third parties for their own purposes.
Lawful basis for processing
Before collecting or contacting individuals through ViralDesk, you should identify your lawful basis. Common bases for small businesses include: consent (the individual has opted in), legitimate interests (you have a reasonable business reason that is proportionate and expected by the individual), or contract (you are processing data to fulfil a service the person requested). If in doubt, seek legal advice.
Email and SMS communication
When sending emails or SMS messages through ViralDesk, you must ensure you have the appropriate permission to contact each individual. For marketing messages, consent is usually required under the Privacy and Electronic Communications Regulations (PECR). For transactional messages (such as booking confirmations or reminders), a different basis may apply. You should not use ViralDesk automation to contact individuals who have not given permission to be contacted.
Collecting only necessary information
UK GDPR requires that you collect only the personal data that is necessary for your stated purpose (data minimisation). When building forms or capture flows in ViralDesk, only ask for the information you genuinely need to handle the enquiry or provide the service.
Individual rights
Individuals have rights under UK GDPR including the right to access their data, correct inaccurate data, request deletion, and object to certain types of processing. As the data controller, you are responsible for handling these requests. ViralDesk can help you find and manage records, but you are responsible for responding.
Data retention
You should not retain personal data longer than necessary for the purpose for which it was collected. ViralDesk allows you to archive or delete contact records. Establishing a clear retention policy for your business is recommended.
Further guidance
The Information Commissioner's Office (ICO) at ico.org.uk provides guidance for small businesses on UK GDPR compliance. We strongly recommend reviewing this guidance and, where appropriate, consulting a qualified legal professional.
Questions about data processing?
If you have questions about how ViralDesk handles data, contact us at info@thesocialspark.co.uk. For legal questions about your own obligations as a data controller, we recommend consulting a qualified legal professional or the ICO.