Status: In Progress · Type: Bug · Priority: high

GDPR / Email Compliance for Legacy User Outreach

#43 · Opened by pew1 · Mar 18, 2026, 1:05 PM

## Problem

We plan to email up to 39K legacy users who signed up 8–14 years ago on salon.io. Under GDPR (EU users are the majority), we need a compliant basis for contacting them.

## Requirements

### Legal Basis

- **Legitimate interest** (Art. 6(1)(f) GDPR) is the most viable basis — we have an existing customer relationship and are informing them about a successor service for their data/content.

- Document the legitimate interest assessment (LIA) before sending.

### Email Content Requirements

- Every email must include a working **unsubscribe link** (one-click, per CAN-SPAM and GDPR)

- Every email must link to the **privacy policy**: https://docs.salon.io/docs/en/legal/privacy

- Every email must link to the **terms of service**: https://docs.salon.io/docs/en/legal/terms

- Emails must clearly identify the sender (salon.io / New Salon, Stefan)

- Physical address in footer (required by CAN-SPAM, good practice for GDPR)

### Technical Requirements

- Resend supports one-click unsubscribe headers (List-Unsubscribe)

- CRM must track unsubscribe status — never re-email someone who unsubscribed

- SPF/DKIM/DMARC must be configured on sending domain before any volume send

- Bounce handling: remove hard bounces from future sends

### Tiered Send Strategy (Risk Mitigation)

- **Test batch**: 10 emails to known addresses — verify deliverability

- **Tier 1**: 210 VIP users — warm, engaged, low risk

- **Tier 2–6**: Graduated sends per [Kickfund PRD](https://docs.salon.io/docs/en/legal/terms)

- **Tier 8**: 32K bulk send — only after earlier tiers prove deliverability and low complaint rates

- Monitor spam complaint rate: stay under 0.1% (Google/Yahoo requirement)

### Data Handling

- Legacy user emails stored in MongoDB (CRM). Do not export to third-party tools without DPA.

- Users who migrate to New Salon consent to new [Terms](https://docs.salon.io/docs/en/legal/terms) and [Privacy Policy](https://docs.salon.io/docs/en/legal/privacy) during signup/account linking.

- Provide data export/deletion path for legacy users who request it (GDPR Art. 15/17)

## Acceptance Criteria

- [ ] Legitimate Interest Assessment documented

- [ ] Unsubscribe mechanism working in Resend

- [ ] CRM tracks unsubscribe status per user

- [ ] SPF/DKIM/DMARC verified on sending domain

- [ ] Email templates include: unsubscribe link, privacy policy link, terms link, physical address

- [ ] Bounce handling configured

- [ ] Test batch sent and verified before Tier 1
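A pre-send gate covering the Technical Requirements and the tier monitoring above, added here as an example and not the project's own code: it filters recipients against the CRM's unsubscribe and hard-bounce lists, builds the mail with RFC 8058 one-click headers and the required footer links, checks a message for every required element, and gates the next tier on the previous tier's complaint rate. The sender address, the unsubscribe endpoint and the postal address are assumed placeholders.

```python
from email.message import EmailMessage

PRIVACY_URL = "https://docs.salon.io/docs/en/legal/privacy"
TERMS_URL = "https://docs.salon.io/docs/en/legal/terms"
POSTAL_ADDRESS = "[postal address placeholder]"  # the real footer address is not on the page
COMPLAINT_RATE_LIMIT = 0.001  # "stay under 0.1%" (Google/Yahoo threshold from the issue)


def unsubscribe_url(email: str) -> str:
    """Assumed endpoint; one-click unsubscribe must work without a login."""
    return f"https://example.invalid/unsubscribe?e={email}"


def eligible_recipients(candidates, unsubscribed, hard_bounced):
    """Drop anyone the CRM marks unsubscribed or hard-bounced; they are never re-emailed."""
    blocked = {e.lower() for e in unsubscribed} | {e.lower() for e in hard_bounced}
    return [e for e in candidates if e.lower() not in blocked]


def build_message(to_addr: str, body_html: str) -> EmailMessage:
    """Outreach mail with RFC 8058 one-click headers and the required footer links."""
    msg = EmailMessage()
    msg["From"] = "Stefan (salon.io) <stefan@example.invalid>"  # assumed sender address
    msg["To"] = to_addr
    msg["Subject"] = "Your salon.io content and the successor service"
    url = unsubscribe_url(to_addr)
    msg["List-Unsubscribe"] = f"<{url}>"  # both headers are needed for one-click
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    footer = (f'<p><a href="{url}">Unsubscribe</a> | <a href="{PRIVACY_URL}">Privacy policy</a>'
              f' | <a href="{TERMS_URL}">Terms of service</a><br>salon.io, {POSTAL_ADDRESS}</p>')
    msg.set_content(body_html + footer, subtype="html")
    return msg


def missing_requirements(msg: EmailMessage) -> list:
    """Names of required elements the message lacks; an empty list means it may be sent."""
    body = msg.get_content()
    checks = {
        "unsubscribe link": unsubscribe_url(msg["To"]) in body,
        "privacy policy link": PRIVACY_URL in body,
        "terms link": TERMS_URL in body,
        "postal address": POSTAL_ADDRESS in body,
        "List-Unsubscribe header": msg["List-Unsubscribe"] is not None,
        "one-click header": msg["List-Unsubscribe-Post"] == "List-Unsubscribe=One-Click",
    }
    return [name for name, ok in checks.items() if not ok]


def next_tier_allowed(sent: int, complaints: int) -> bool:
    """Gate the next tier on the previous tier's spam complaint rate (strictly under 0.1%)."""
    return sent > 0 and complaints / sent < COMPLAINT_RATE_LIMIT
```

Run `missing_requirements` on every rendered template before a tier goes out, and feed the previous tier's sent and complaint counts to `next_tier_allowed` before unlocking the next one.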
