Privacy & unsubscribes

How Sjocamp handles unsubscribes, data deletion, and GDPR / CAN-SPAM requirements.

You’re the data controller; Sjocamp is the processor. This page covers what’s automatic, what you need to configure, and how to handle deletion requests.

Unsubscribes

Every blast email includes an unsubscribe link in the footer — required by CAN-SPAM in the US and GDPR in the EU, and you can’t disable it. When a recipient clicks:

  1. They land on a confirmation page.
  2. The lead is added to your suppression list.
  3. They’re excluded from all future blasts on that campaign.

Suppression list

The suppressed-leads view (in the campaign’s Leads tab, filter by Status: unsubscribed) shows everyone who has opted out. They’re not deleted — you keep the record so you don’t accidentally re-add them — but they receive no further sends.

A lead can re-subscribe by signing up again from the form.

One-click unsubscribe (Gmail / Yahoo bulk-sender requirements)

Sjocamp adds the List-Unsubscribe and List-Unsubscribe-Post headers required by Gmail and Yahoo’s 2024 bulk-sender rules. This means a one-click “Unsubscribe” button appears next to your sender name in supported clients — you don’t configure anything.

Right-to-delete (GDPR Art. 17 / CCPA)

If a lead asks you to delete their data:

  1. Open the campaign’s Leads tab.
  2. Find the lead by email.
  3. Click Delete.

This is a hard delete — the lead’s email, custom fields, referral history, and event log are all removed permanently. There’s no recovery. The lead’s referral count is preserved for the people they referred (anonymized — referrer is set to “deleted”), so the people they brought in aren’t penalized.

For bulk deletion (e.g., a regional shutdown), contact support — we can run it server-side faster than the UI.

Right-to-export (GDPR Art. 20)

A lead’s full record is exportable from the lead detail panel — click Export this lead to download a JSON file with everything Sjocamp knows about them. Hand it over to satisfy a Subject Access Request.

For bulk exports of all leads, the Export button on the Leads tab generates a CSV with every field — see Viewing leads.

Cookies and tracking

The embedded widget sets one cookie per campaign:

  • lc_session — opaque session token, used to remember whether the visitor has already submitted (so they don’t see the form again on a return visit). 30-day expiry.

If your site has a cookie-consent banner, the widget respects the functional cookie category — drop our cookie when functional consent is given. We don’t set advertising or analytics cookies.

Data residency

Lead data is stored in AWS regions managed by Sjocamp. EU data residency (data physically stored in EU regions) is available on the Team plan — contact support to enable it on your account.

Sub-processors

Sjocamp uses these third parties to operate the service:

  • AWS — hosting and storage
  • Stripe — payments
  • Resend — outbound email delivery
  • Cloudflare — DNS and edge caching

A current list, kept up to date as we add or remove vendors, is at sjocamp.co/legal/subprocessors.

DPA

A Data Processing Agreement is available on the Team plan. Email [email protected] with your account ID and we’ll countersign and return.