GDPR Compliance

Last updated: November 18, 2025

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union regulation that governs how companies collect, process, and protect personal data of EU residents. We are committed to complying with GDPR and protecting your data rights.

This page explains your rights under GDPR and how we ensure compliance with these regulations.

Your GDPR Rights

Under GDPR, you have the following rights:

1. Right to Access

You have the right to access your personal data and receive a copy of the information we hold about you.

How to exercise: Submit a Data Access Request through your account settings or contact our Data Protection Officer.

2. Right to Rectification

You have the right to correct inaccurate or incomplete personal data we hold about you.

How to exercise: Update your information directly in your account settings or contact us for assistance.

3. Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain circumstances.

How to exercise: Submit a deletion request through your account settings or contact our support team. Note that we may retain certain information where legally required.

4. Right to Restriction of Processing

You have the right to restrict how we process your personal data in certain situations.

How to exercise: Contact our Data Protection Officer with your specific restriction request.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transfer it to another service provider.

How to exercise: Request a data export through your account settings or contact our support team.

6. Right to Object

You have the right to object to processing of your personal data for direct marketing purposes or based on legitimate interests.

How to exercise: Use the unsubscribe link in marketing emails or contact us to object to specific processing activities.

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you.

How to exercise: Contact our Data Protection Officer to request human intervention in automated decisions.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: You have given explicit consent for processing your data for specific purposes
  • Contract: Processing is necessary to fulfill our contractual obligations to you
  • Legal Obligation: Processing is required to comply with legal requirements
  • Legitimate Interest: Processing is necessary for our legitimate business interests, provided these do not override your rights

Data Protection Measures

We implement comprehensive data protection measures:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest
  • Access Controls: Strict access controls and authentication mechanisms
  • Data Minimization: We only collect data necessary for specified purposes
  • Privacy by Design: Privacy considerations integrated into all systems and processes
  • Regular Audits: Periodic security and privacy assessments
  • Staff Training: Regular training for all staff on data protection practices
  • Data Protection Impact Assessments: Conducted for high-risk processing activities

International Data Transfers

When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for countries deemed to have adequate data protection
  • Binding Corporate Rules for intra-group transfers
  • Certification mechanisms such as Privacy Shield (where applicable)

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk
  • Provide information about the nature of the breach and recommended protective measures
  • Document all data breaches and our response actions

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained while your account is active and for a reasonable period after closure
  • Transaction Data: Retained as required by law (typically 7 years for financial records)
  • Marketing Data: Retained until you withdraw consent or opt-out
  • Log Data: Typically retained for 90 days for security purposes

Third-Party Processors

We work with the following categories of third-party processors:

  • Cloud hosting providers (e.g., Vercel, AWS)
  • Payment processors (Stripe - PCI-DSS compliant)
  • Authentication services (Firebase)
  • Analytics providers (Google Analytics with anonymization)
  • Customer support tools

All third-party processors are carefully vetted and required to comply with GDPR through Data Processing Agreements.

How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Use the self-service tools in your account settings
  • Email our Data Protection Officer at: dpo@example.com
  • Submit a request through our contact form
  • Send a written request to our postal address

We will respond to your request within one month. In complex cases, we may extend this by an additional two months and will inform you of the extension.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.

Our lead supervisory authority is: [Name of Supervisory Authority]

Data Protection Officer

Our Data Protection Officer oversees our GDPR compliance and can be contacted at:

  • Email: dpo@example.com
  • Address: [DPO Address]
  • Phone: [DPO Phone Number]

Updates to This Policy

We may update this GDPR compliance page to reflect changes in our practices or legal requirements. We will notify you of any material changes and obtain your consent where required.