GDPR Compliance

Last updated: January 2025

1. Overview of GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that took effect on May 25, 2018. It establishes strict requirements for how organizations collect, store, process, and protect personal data of individuals in the European Union (EU) and European Economic Area (EEA).

1.1 What is Personal Data?

Under GDPR, personal data is any information relating to an identified or identifiable natural person. This includes:

  • Name, email address, phone number, and postal address
  • IP addresses, cookie identifiers, and device identifiers
  • Location data and online identifiers
  • Financial information and payment details
  • Any other data that can identify an individual directly or indirectly

1.2 Key GDPR Principles

We process personal data in accordance with the following GDPR principles:

  • Lawfulness, Fairness, and Transparency: Data processing is lawful, fair, and transparent to data subjects
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes
  • Data Minimization: Only data necessary for the stated purposes is collected
  • Accuracy: Personal data is kept accurate and up to date
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity and Confidentiality: Appropriate security measures protect personal data
  • Accountability: We can demonstrate compliance with all principles

2. Legal Basis for Data Processing

We process personal data only when we have a valid legal basis. Our legal bases include:

2.1 Consent

When you provide explicit consent for us to process your personal data for specific purposes, such as:

  • Subscribing to marketing communications
  • Participating in surveys or research
  • Using optional features that require data processing

You have the right to withdraw consent at any time, which will not affect the lawfulness of processing based on consent before withdrawal.

2.2 Contractual Necessity

Processing necessary for the performance of a contract with you, including:

  • Providing our Services as outlined in our Terms of Service
  • Processing payments and managing subscriptions
  • Delivering customer support and technical assistance

2.3 Legitimate Interests

Processing necessary for our legitimate business interests, such as:

  • Improving and optimizing our Services
  • Detecting and preventing fraud and security threats
  • Conducting analytics and research
  • Marketing our Services to existing customers

We carefully balance our legitimate interests against your rights and freedoms before processing data on this basis.

2.4 Legal Obligations

Processing required to comply with legal obligations, including:

  • Responding to lawful requests from authorities
  • Complying with tax and accounting regulations
  • Meeting regulatory requirements

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

3.1 Right to Access

You have the right to request access to your personal data. You can:

  • Obtain confirmation of whether we process your personal data
  • Access your personal data and receive a copy
  • Request information about how we process your data

How to exercise: Email privacy@minimal.lat with your access request. We will respond within 30 days.

3.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed.

How to exercise: Update your information in your account settings or email privacy@minimal.lat.

3.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required for compliance with legal obligations

How to exercise: Email privacy@minimal.lat with your deletion request. We will respond within 30 days.

3.4 Right to Restriction of Processing

You have the right to request restriction of processing when:

  • You contest the accuracy of your personal data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You object to processing pending verification of legitimate grounds

3.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

How to exercise: Request data export from your account settings or email privacy@minimal.lat.

3.6 Right to Object

You have the right to object to processing of your personal data based on:

  • Legitimate interests
  • Performance of a task in the public interest
  • Direct marketing (including profiling)

3.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

We currently do not engage in automated decision-making that produces legal or similarly significant effects.

4. How We Collect Personal Data

4.1 Data You Provide Directly

  • Account registration information
  • Payment and billing information
  • Communication with our support team
  • Feedback, surveys, and user research participation

4.2 Data Collected Automatically

  • Usage data and analytics through cookies and similar technologies
  • Log files including IP addresses, browser type, and access times
  • Device information and operating system details

4.3 Data from Third Parties

  • Authentication services (when you use social login)
  • Payment processors for transaction information
  • Analytics and advertising partners (with your consent)

5. How We Use Personal Data

We process personal data for the following purposes:

  • Service Delivery: Providing and maintaining our Services
  • Communication: Sending service updates, security alerts, and support messages
  • Personalization: Customizing your experience and recommendations
  • Analytics: Understanding usage patterns and improving our Services
  • Security: Detecting and preventing fraud, abuse, and security incidents
  • Legal Compliance: Meeting legal and regulatory obligations
  • Marketing: Sending promotional communications (with consent)

6. Data Sharing and Transfers

6.1 Third-Party Service Providers

We share personal data with service providers who process data on our behalf:

  • Cloud hosting and infrastructure providers
  • Payment processors and billing services
  • Customer support and communication tools
  • Analytics and monitoring services

All service providers are bound by data processing agreements that require GDPR compliance.

6.2 International Data Transfers

We may transfer personal data outside the EU/EEA. When we do, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection
  • Additional Measures: Supplementary security measures where needed

Data transferred to the United States is protected under Standard Contractual Clauses and additional security measures.

6.3 Legal Requirements

We may disclose personal data when required by law or to:

  • Respond to legal process (court orders, subpoenas)
  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Investigate fraud or security issues

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Active Accounts: Data retained while account is active
  • Deleted Accounts: Data deleted within 90 days, except where legal retention is required
  • Financial Records: Retained for 7 years per tax regulations
  • Marketing Data: Retained until consent is withdrawn
  • Legal Holds: Data retained longer when subject to legal obligations

8. Data Security Measures

We implement comprehensive technical and organizational measures to protect personal data:

8.1 Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Automated backup and disaster recovery
  • Network segmentation and access controls

8.2 Organizational Measures

  • Privacy by design and by default
  • Regular employee training on data protection
  • Data protection impact assessments (DPIAs)
  • Incident response and breach notification procedures
  • Third-party vendor assessments

9. Cookies and Tracking

We use cookies and similar technologies to provide and improve our Services. For detailed information about our cookie usage, please see our Cookie Policy.

9.1 Types of Cookies We Use

  • Essential Cookies: Required for basic functionality
  • Performance Cookies: Help us understand how visitors use our Services
  • Functional Cookies: Remember your preferences
  • Marketing Cookies: Track effectiveness of marketing campaigns (with consent)

9.2 Managing Cookies

You can control cookies through your browser settings and our cookie consent tool. Note that disabling certain cookies may affect functionality.

10. Children's Privacy

Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If we discover we have collected data from a child under 16, we will delete it promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@minimal.lat.

11. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance and handle data protection matters.

Contact our DPO: dpo@minimal.lat

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data unlawfully.

For EU/EEA residents, you can find your local supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en

13. Changes to This Policy

We may update this GDPR Compliance Policy to reflect changes in our practices or legal requirements. When we make material changes:

  • We will update the "Last updated" date at the top
  • We will notify you via email or through our Services
  • For significant changes, we may seek renewed consent

Contact Information

For questions, concerns, or to exercise your GDPR rights, please contact us:

Privacy Team: privacy@minimal.lat

Data Protection Officer: dpo@minimal.lat

Postal Address:
Minimal - Privacy Department
1234 Innovation Drive
San Francisco, CA 94102
United States

Response Time: We respond to all GDPR requests within 30 days as required by law.