Today is D-Day: the European General Data Protection Regulation (GDPR) goes into force. If you're like us, you've also been spammed with GDPR updates left and right. Here's what the GDPR means for Passenger Enterprise customers. We'll keep it short, because there's not much to report.

"New" privacy policy

Yesterday we’ve published an update to our Privacy Policy. There weren't any real changes: we just clarified on which GDPR lawful basis we process data, we added an explanation of our data retention policy, and we explained your rights more clearly.

"New" EULA

We've also updated the Passenger Enterprise EULA, but again there weren't any real changes: we just added a reference to the privacy policy. This EULA doesn't really go into effect until you explicitly accept it, so please login to the Customer Portal and click the accept button.

Data exports & deletion

We have added the functionality of requesting a data export or deleting an account entirely via the customer portal (account/account_settings). At any time you can request a file containing all data Phusion holds on you, in machine-readable format (JSON).

We're not a data processor

Phusion does not act as a data processor to Passenger Enterprise customers. We only process your data in the role of a data controller. That's why we won't need you to sign a data processing agreement with us.


This blog post is so devoid of news, it's a bit boring. As it should be. Turns out we've been mostly GDPR-compliant for years, because we've always valued privacy. If you feel that a privacy concern is left out from our Privacy Policy, please feel free to contact

By the way: We’ve diligently kept a log book of the systems and workflows that needed modifying in order to be compliant. Curious? You can read about our journey on the Phusion blog.

Thank you for using Passenger!

— Hongli Lai, co-founder