GDPR Compliance

Last updated: January 15, 2026

This page explains how we comply with the General Data Protection Regulation (GDPR) and outlines your rights as a data subject.

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that strengthens and unifies data protection for all individuals within the EU. We are committed to full compliance with GDPR requirements.

2. Lawful Basis for Processing

We process your personal data based on the following lawful bases:

  • Consent: You have given clear consent for us to process your personal data for a specific purpose
  • Contract: Processing is necessary for a contract we have with you
  • Legal Obligation: Processing is necessary to comply with the law
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party

3. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

3.1 Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this information in a commonly used electronic format within 30 days of your request.

3.2 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. We will make corrections within 30 days.

3.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

3.4 Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

3.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

3.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

3.7 Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

3.8 Right to Withdraw Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

4. How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email us at: gdpr@your-domain.com
  2. Include your full name and account email address
  3. Specify which right(s) you wish to exercise
  4. Provide any additional relevant information

We will respond to your request within 30 days. If we need more time, we will notify you and explain the reason for the delay.

5. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO at: dpo@your-domain.com

6. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Transfers to countries with adequacy decisions
  • Privacy Shield certification (where applicable)
  • Binding Corporate Rules (BCRs)

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained while your account is active, plus 30 days after closure
  • Transaction Data: Retained for 7 years for legal and accounting purposes
  • Marketing Data: Retained until you withdraw consent or opt out
  • Support Tickets: Retained for 2 years after resolution

8. Cookies and Tracking

Under GDPR, we must obtain your consent for non-essential cookies. We provide:

  • Clear information about all cookies we use
  • Granular consent options for different cookie categories
  • An easy way to withdraw cookie consent
  • Cookie preference management tool

9. Children's Data

We do not knowingly collect personal data from children under 16 without parental consent. If we discover we have collected data from a child under 16 without proper consent, we will delete it promptly.

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay
  • Provide clear information about the breach and our response
  • Offer appropriate measures to mitigate potential harm

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

For complaints within the EU, you can find your local supervisory authority at: European Data Protection Board - Members

12. Privacy by Design and Default

We implement privacy by design and by default principles:

  • Data minimization - we collect only necessary data
  • Purpose limitation - data used only for specified purposes
  • Storage limitation - data kept only as long as necessary
  • Accuracy - we maintain accurate and up-to-date data
  • Integrity and confidentiality - appropriate security measures

13. Record of Processing Activities

We maintain comprehensive records of our data processing activities as required by GDPR Article 30, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers
  • Retention periods
  • Technical and organizational security measures

14. Contact Information

For GDPR-related inquiries or to exercise your rights:

  • Email: gdpr@your-domain.com
  • Data Protection Officer: dpo@your-domain.com
  • Website: https://your-domain.com/
