GDPR Compliance
Your Data Protection Rights Under EU Law
1. GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It strengthens and unifies data protection for individuals within the European Union (EU) and the European Economic Area (EEA).
1.1 Who Does GDPR Apply To?
GDPR applies to:
- EU/EEA Residents: Anyone residing in the EU or EEA has GDPR rights
- EU/EEA Citizens: EU/EEA citizens anywhere in the world
- Data Processing in EU: Any data processing that takes place in the EU
- Offering Services to EU: Companies offering goods/services to EU residents
1.2 AIGH's GDPR Commitment
AIGH is committed to full GDPR compliance. We:
- Process data lawfully, fairly, and transparently
- Collect data only for specified, legitimate purposes
- Minimize data collection to what is necessary
- Keep data accurate and up-to-date
- Store data only as long as necessary
- Implement appropriate security measures
- Respect your rights and respond to requests promptly
1.3 GDPR Principles We Follow
Lawfulness
We process data only when we have a legal basis
Transparency
We clearly explain how we use your data
Purpose Limitation
We use data only for stated purposes
Data Minimization
We collect only what we need
Accuracy
We keep your data accurate and current
Storage Limitation
We don't keep data longer than necessary
Security
We protect your data with strong security
Accountability
We can demonstrate our compliance
2. Your GDPR Rights
Under GDPR, you have several important rights regarding your personal data:
Right of Access
What it means: You can request a copy of the personal data we hold about you.
What you get:
- Copy of your personal data in a structured format
- Information about how we process your data
- Details about data sources and recipients
- Retention periods and your other rights
Response time: 30 days (can be extended to 60 days for complex requests)
Right to Rectification
What it means: You can request correction of inaccurate or incomplete personal data.
When to use:
- Your contact information has changed
- We have incorrect information about you
- Some of your data is incomplete
- You want to add supplementary information
Response time: 30 days. Where the data has been shared with third parties, we may also inform them of the correction.
Right to Erasure ("Right to be Forgotten")
What it means: You can request deletion of your personal data in certain circumstances.
When it applies:
- Data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- Data has been unlawfully processed
- Erasure is required for legal compliance
- Data was collected from a child under 16
Limitations: We may retain data for legal obligations, public interest, or legitimate interests.
Right to Restriction of Processing
What it means: You can request that we limit how we process your data.
When it applies:
- You contest the accuracy of the data
- Processing is unlawful but you don't want erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing pending our response
Effect: We can only store the data, not use it (except with your consent or for legal claims).
Right to Data Portability
What it means: You can request your data in a machine-readable format to transfer to another service.
Requirements:
- Data must be processed based on consent or contract
- Processing must be carried out by automated means
- Only applies to data you provided to us
Format: Common, structured formats like JSON, CSV, or XML.
Right to Object
What it means: You can object to certain types of data processing.
Types of objection:
- General objection: To processing based on legitimate interests
- Direct marketing: Absolute right to stop marketing communications
- Profiling: Object to automated decision-making
Our response: We must stop processing unless we have compelling legitimate grounds.
Rights Related to Automated Decision-Making
What it means: Protection against purely automated decisions that significantly affect you.
Your rights:
- Be informed about automated decision-making
- Request human intervention in the decision
- Express your point of view
- Contest the decision
AIGH's use: We use AI for analytics and recommendations but maintain human oversight for significant decisions.
3. How We Process Your Data
3.1 Data Categories We Process
Identity Data
- Name, username, email address
- Profile information and preferences
- Account settings and customizations
Contact Data
- Email addresses and phone numbers
- Billing and shipping addresses
- Communication preferences
Financial Data
- Payment method information (tokenized)
- Billing history and invoices
- Subscription and plan details
Usage Data
- Website interaction and navigation
- Feature usage and engagement metrics
- Performance and analytics data
Technical Data
- IP addresses and device information
- Browser type and version
- Operating system and preferences
Marketing Data
- Marketing preferences and consents
- Campaign engagement data
- Lead source and attribution
3.2 Processing Activities
| Purpose | Data Categories | Legal Basis | Retention |
|---|---|---|---|
| Account management | Identity, Contact | Contract performance | Account lifetime + 2 years |
| Service delivery | Identity, Usage, Technical | Contract performance | Account lifetime |
| Payment processing | Financial, Contact | Contract performance | 7 years (legal requirement) |
| Customer support | Identity, Contact, Usage | Legitimate interest | 3 years after resolution |
| Marketing communications | Contact, Marketing | Consent | Until consent withdrawn |
| Analytics and improvement | Usage, Technical | Legitimate interest | 2 years (anonymized after 6 months) |
| Legal compliance | All categories | Legal obligation | As required by law |
4. Legal Basis for Processing
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
Contract Performance
When we use it: Processing necessary to fulfill our contract with you
Examples:
- Creating and managing your account
- Providing our AI growth hacking services
- Processing payments and billing
- Delivering customer support
Consent
When we use it: You have freely given specific consent
Examples:
- Marketing email subscriptions
- Optional analytics and tracking
- Social media advertising
- Beta feature participation
Your control: You can withdraw consent at any time
Legitimate Interest
When we use it: Processing is necessary for our legitimate business interests
Examples:
- Fraud prevention and security
- Service improvement and optimization
- Business analytics and insights
- Internal administration
Balancing test: We always balance our interests against your rights and freedoms
Legal Obligation
When we use it: Processing required to comply with legal requirements
Examples:
- Tax and accounting records
- Anti-money laundering checks
- Regulatory reporting
- Court orders and legal requests
Vital Interests
When we use it: Rare cases where processing protects someone's life
Note: This is rarely applicable to our business services
Public Task
When we use it: Processing in the public interest or official authority
Note: Not typically applicable to AIGH's commercial services
5. International Data Transfers
Some of your personal data may be transferred outside the EU/EEA. We ensure adequate protection through:
5.1 Transfer Mechanisms
Adequacy Decisions
Transfers to countries that the EU has determined provide adequate data protection:
- United Kingdom
- Switzerland
- Canada (commercial organizations)
- Japan
- South Korea
Standard Contractual Clauses (SCCs)
EU-approved contract terms that ensure adequate protection:
- Used for transfers to countries without adequacy decisions
- Include specific safeguards and data subject rights
- Enforceable obligations on data recipients
- Right to obtain copies upon request
Certification Schemes
Participation in approved certification programs:
- ISO 27001 information security certification
- SOC 2 Type II compliance
- Cloud security certifications
- Privacy framework compliance
Binding Corporate Rules (BCRs)
Internal policies for multinational companies:
- Ensure consistent data protection standards
- Apply across all group companies
- Approved by relevant data protection authorities
- Enforceable rights for data subjects
5.2 Third-Party Service Providers
| Service Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| AWS | EU, US | Cloud hosting | SCCs, Adequacy Decision (EU) |
| Google Cloud | EU, US | Analytics, Storage | SCCs, Data Processing Amendment |
| Stripe | EU, US | Payment processing | SCCs, Privacy Shield certified |
| Intercom | EU, US | Customer support | SCCs, GDPR compliance |
6. Data Retention Periods
We retain personal data only as long as necessary for the purposes for which it was collected:
Account Data
- Active accounts: While account remains active
- Closed accounts: 2 years after closure
- Inactive accounts: 3 years without login
- Essential data: May be retained longer for legal compliance
Financial Data
- Payment records: 7 years (tax requirements)
- Invoice data: 7 years (accounting requirements)
- Subscription history: 3 years after termination
- Refund records: 7 years
Analytics Data
- Raw analytics: 6 months
- Aggregated data: 2 years
- Anonymized data: Indefinitely
- Usage logs: 1 year
Support Data
- Support tickets: 3 years after resolution
- Chat logs: 2 years
- Call recordings: 1 year
- Feedback data: 2 years
Marketing Data
- Email lists: Until consent withdrawn
- Campaign data: 3 years
- Lead data: 2 years without engagement
- Preference data: Until updated or withdrawn
Security Data
- Access logs: 1 year
- Security events: 2 years
- Fraud detection: 7 years
- Incident reports: 5 years
7. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
7.1 Technical Safeguards
Encryption
- Data in transit: TLS 1.3 encryption for all communications
- Data at rest: AES-256 encryption for stored data
- Database encryption: Encrypted database storage
- Backup encryption: Encrypted backup systems
Access Controls
- Role-based access: Minimum necessary access principle
- Multi-factor authentication: Required for all admin access
- Regular access reviews: Quarterly access audits
- Secure authentication: Strong password requirements
Monitoring & Detection
- 24/7 monitoring: Continuous security monitoring
- Intrusion detection: Automated threat detection
- Anomaly detection: AI-powered security analytics
- Incident response: Rapid response procedures
Infrastructure Security
- Secure hosting: Enterprise-grade cloud infrastructure
- Network segmentation: Isolated security zones
- Regular patching: Automated security updates
- Vulnerability scanning: Regular security assessments
7.2 Organizational Measures
Staff Training
All employees receive regular training on:
- GDPR requirements and data protection principles
- Security best practices and procedures
- Incident response and breach notification
- Privacy by design and data minimization
Policies & Procedures
We maintain comprehensive policies covering:
- Data protection and privacy policies
- Information security procedures
- Incident response and breach notification
- Data retention and deletion procedures
Regular Audits
We conduct regular assessments including:
- Data protection impact assessments (DPIAs)
- Security audits and penetration testing
- Compliance reviews and certifications
- Third-party security assessments
8. Data Breach Procedures
In the unlikely event of a data breach, we have established procedures to ensure rapid response and appropriate notifications:
8.1 Breach Response Process
Immediate Response (0-2 hours)
- Activate incident response team
- Contain and assess the breach
- Secure affected systems
- Begin investigation and evidence collection
Assessment (2-24 hours)
- Determine scope and impact of breach
- Identify affected personal data
- Assess risk to data subjects
- Document all findings and actions
Authority Notification (Within 72 hours)
- Notify relevant supervisory authority
- Provide breach details and impact assessment
- Describe containment measures taken
- Outline remediation plans
Individual Notification (Without undue delay)
- Notify affected individuals if high risk
- Explain nature and impact of breach
- Provide clear guidance on next steps
- Offer support and mitigation measures
8.2 When We Notify You
We will notify you directly if a breach:
- Results in high risk to your rights and freedoms
- Could lead to identity theft or fraud
- Involves sensitive personal data
- Affects your ability to control your personal data
8.3 What We Tell You
Our notification will include:
- Description of the breach and affected data
- Likely consequences and potential impact
- Measures taken to address the breach
- Recommended actions you should take
- Contact information for further questions
9. Submit a Data Protection Request
Use this form to exercise your GDPR rights. We will respond within 30 days and may request additional verification for security purposes.
10. Data Protection Officer
Our Data Protection Officer (DPO) is responsible for ensuring GDPR compliance and handling data protection inquiries.
Sarah Johnson
Data Protection Officer
123 Tech Street, Suite 100
San Francisco, CA 94105
DPO Responsibilities
- GDPR Compliance: Ensure all data processing complies with GDPR
- Data Protection Advice: Provide guidance on data protection matters
- Training & Awareness: Conduct staff training on data protection
- Impact Assessments: Oversee data protection impact assessments
- Breach Response: Coordinate data breach response procedures
- Supervisory Authority Liaison: Act as contact point with regulators
- Data Subject Rights: Handle requests and complaints