Yes, it is but it must be GDPR compliant. This means that the people and organizations with access and the networks under which the data is stored are both secure, confidential, and essential for providing your services. You also need to let your users know if their data goes into 3rd party systems.
Below is an extract from our own GDPR statement which should help understand the rules on data privacy:
“We may process your data on a several different basis: based on your consent, based on our legitimate interests related to such data such as promoting and developing our services and processing contact requests and applications sent to us, to fulfill and execute a contract and to meet legal obligations. The legal basis for data on our customer’s sites is fully the responsibility of our customers.”
