GDPR Compliance
Last updated: November 2025
Beta Service - GDPR Notice
Minimal is currently in BETA. During our beta period, we process additional data to improve our AI systems, including prompts, responses, and interaction patterns. This processing is based on legitimate interest (service improvement) and, where applicable, your consent. You have the right to object to this processing or opt out of AI training data usage by contacting privacy@minimal.lat. Please review Section 5.1 for details on AI data processing during beta.
1. Overview of GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that took effect on May 25, 2018. It establishes strict requirements for how organizations collect, store, process, and protect personal data of individuals in the European Union (EU) and European Economic Area (EEA).
1.1 What is Personal Data?
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This includes:
- Name, email address, phone number, and postal address
- IP addresses, cookie identifiers, and device identifiers
- Location data and online identifiers
- Financial information and payment details
- Any other data that can identify an individual directly or indirectly
1.2 Key GDPR Principles
We process personal data in accordance with the following GDPR principles:
- Lawfulness, Fairness, and Transparency: Data processing is lawful, fair, and transparent to data subjects
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes
- Data Minimization: Only data necessary for the stated purposes is collected
- Accuracy: Personal data is kept accurate and up to date
- Storage Limitation: Data is retained only as long as necessary
- Integrity and Confidentiality: Appropriate security measures protect personal data
- Accountability: We can demonstrate compliance with all principles
2. Legal Basis for Data Processing
We process personal data only when we have a valid legal basis. Our legal bases include:
2.1 Consent
When you provide explicit consent for us to process your personal data for specific purposes, such as:
- Subscribing to marketing communications
- Participating in surveys or research
- Using optional features that require data processing
You have the right to withdraw consent at any time, which will not affect the lawfulness of processing based on consent before withdrawal.
2.2 Contractual Necessity
Processing necessary for the performance of a contract with you, including:
- Providing our Services as outlined in our Terms of Service
- Processing payments and managing subscriptions
- Delivering customer support and technical assistance
2.3 Legitimate Interests
Processing necessary for our legitimate business interests, such as:
- Improving and optimizing our Services
- Detecting and preventing fraud and security threats
- Conducting analytics and research
- Marketing our Services to existing customers
We carefully balance our legitimate interests against your rights and freedoms before processing data on this basis.
2.4 Legal Obligations
Processing required to comply with legal obligations, including:
- Responding to lawful requests from authorities
- Complying with tax and accounting regulations
- Meeting regulatory requirements
3. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
3.1 Right to Access
You have the right to request access to your personal data. You can:
- Obtain confirmation of whether we process your personal data
- Access your personal data and receive a copy
- Request information about how we process your data
How to exercise: Email privacy@minimal.lat with your access request. We will respond within 30 days.
3.2 Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete data completed.
How to exercise: Update your information in your account settings or email privacy@minimal.lat.
3.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required for compliance with legal obligations
How to exercise: Email privacy@minimal.lat with your deletion request. We will respond within 30 days.
3.4 Right to Restriction of Processing
You have the right to request restriction of processing when:
- You contest the accuracy of your personal data
- Processing is unlawful but you oppose erasure
- We no longer need the data but you need it for legal claims
- You object to processing pending verification of legitimate grounds
3.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
How to exercise: Request data export from your account settings or email privacy@minimal.lat.
3.6 Right to Object
You have the right to object to processing of your personal data based on:
- Legitimate interests
- Performance of a task in the public interest
- Direct marketing (including profiling)
3.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
We currently do not engage in automated decision-making that produces legal or similarly significant effects.
4. How We Collect Personal Data
4.1 Data You Provide Directly
- Account registration information
- Payment and billing information
- Communication with our support team
- Feedback, surveys, and user research participation
4.2 Data Collected Automatically
- Usage data and analytics through cookies and similar technologies
- Log files including IP addresses, browser type, and access times
- Device information and operating system details
4.3 Data from Third Parties
- Authentication services (when you use social login)
- Payment processors for transaction information
- Analytics and advertising partners (with your consent)
5. How We Use Personal Data
We process personal data for the following purposes:
- Service Delivery: Providing and maintaining our Services
- Communication: Sending service updates, security alerts, and support messages
- Personalization: Customizing your experience and recommendations
- Analytics: Understanding usage patterns and improving our Services
- Security: Detecting and preventing fraud, abuse, and security incidents
- Legal Compliance: Meeting legal and regulatory obligations
- Marketing: Sending promotional communications (with consent)
5.1 AI Data Processing (Beta)
During our beta period, we process AI interaction data for service improvement purposes. This includes:
- AI Prompts and Responses: Questions submitted to and answers generated by our AI systems
- Conversation Context: The flow and context of AI interactions
- Feedback Data: Ratings, corrections, and feedback you provide about AI outputs
- Usage Patterns: How you interact with AI features, including frequency and timing
Legal Basis: We process this data based on:
- Legitimate Interest (Art. 6(1)(f) GDPR): To improve our AI systems, enhance accuracy, and develop better features
- Consent (Art. 6(1)(a) GDPR): Where we collect optional feedback or participation in beta testing programs
- Contract Performance (Art. 6(1)(b) GDPR): To deliver the AI-powered services you have requested
Your Rights Regarding AI Data:
- You may object to AI training data processing under Art. 21 GDPR
- You may request deletion of your AI interaction history under Art. 17 GDPR
- You may request access to your AI interaction data under Art. 15 GDPR
- To exercise these rights, contact privacy@minimal.lat
Important: During beta, our team may review AI interactions to improve quality. We recommend not submitting sensitive personal data, special category data (Art. 9 GDPR), or confidential information to AI systems.
5.2 Third-Party AI Providers
Our AI features may utilize third-party AI providers. When data is processed by third parties:
- We have Data Processing Agreements (DPAs) in place as required by Art. 28 GDPR
- Third-party providers are bound by contractual obligations to protect your data
- International transfers are protected by Standard Contractual Clauses (SCCs)
- We conduct regular assessments of third-party security practices
6. Data Sharing and Transfers
6.1 Third-Party Service Providers
We share personal data with service providers who process data on our behalf:
- Cloud hosting and infrastructure providers
- Payment processors and billing services
- Customer support and communication tools
- Analytics and monitoring services
All service providers are bound by data processing agreements that require GDPR compliance.
6.2 International Data Transfers
We may transfer personal data outside the EU/EEA. When we do, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
- Adequacy Decisions: Transfers to countries with adequate data protection
- Additional Measures: Supplementary security measures where needed
Data transferred to the United States is protected under Standard Contractual Clauses and additional security measures.
6.3 Legal Requirements
We may disclose personal data when required by law or to:
- Respond to legal process (court orders, subpoenas)
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Investigate fraud or security issues
7. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
- Active Accounts: Data retained while account is active
- Deleted Accounts: Data deleted within 90 days, except where legal retention is required
- Financial Records: Retained for 7 years per tax regulations
- Marketing Data: Retained until consent is withdrawn
- Legal Holds: Data retained longer when subject to legal obligations
8. Data Security Measures
We implement comprehensive technical and organizational measures to protect personal data:
8.1 Technical Measures
- Encryption in transit (TLS) and at rest using AWS encryption services (AES-256)
- Hosted on AWS infrastructure, which maintains SOC 2, ISO 27001, and other certifications
- Service monitoring via AWS CloudWatch
- Regular data backups
- Network isolation via AWS VPC
8.2 Organizational Measures
- Privacy by design and by default
- Incident response procedures
- Breach notification procedures in accordance with GDPR requirements
9. Cookies and Tracking
We use cookies and similar technologies to provide and improve our Services. In accordance with GDPR and the ePrivacy Directive, we obtain your consent before placing non-essential cookies.
9.1 Cookie Consent
When you first visit our website, you will be presented with a cookie consent banner with two options:
- Accept: Enables all cookies, including analytics (e.g., Google Analytics), to help us improve our services
- Decline: Only essential cookies are used. No analytics or tracking cookies will be set.
You can change your cookie preferences at any time by clearing your cookies and revisiting the site.
9.2 Types of Cookies We Use
- Essential Cookies (Always Active): Required for basic functionality and to remember your cookie preference. Legal basis: Strictly necessary (no consent required under GDPR/ePrivacy)
- Analytics Cookies: Allow us to measure and improve site performance (e.g., Google Analytics). Only set if you click "Accept". Legal basis: Consent
9.3 Managing Cookies
You can control cookies through:
- Our Cookie Consent Banner: Choose "Accept" or "Decline" when you first visit
- Browser Settings: Most browsers allow you to view, delete, and block cookies
- Clear Cookies: Clear your browser cookies to see the consent banner again
9.4 Cookie Retention
Your cookie consent preference is stored for 365 days. After this period, or if you clear your cookies, you will be asked to provide consent again.
10. Children's Privacy
Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If we discover we have collected data from a child under 16, we will delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@minimal.lat.
11. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance and handle data protection matters.
Contact our DPO: dpo@minimal.lat
12. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data unlawfully.
For EU/EEA residents, you can find your local supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en
13. Changes to This Policy
We may update this GDPR Compliance Policy to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top
- We will notify you via email or through our Services
- For significant changes, we may seek renewed consent
Contact Information
For questions, concerns, or to exercise your GDPR rights, please contact us:
Privacy Team: privacy@minimal.lat
Data Protection Officer: dpo@minimal.lat
Response Time: We respond to all GDPR requests within 30 days as required by law.