Privacy Policy
Last updated: 24 February 2026
1. Identity of the Controller
GDPR4All is operated by [Your Company Legal Name], a company registered in [Country].
- Registered address: [Your Registered Address]
- Company registration number: [Registration Number]
- Contact email: privacy@gdpr4all.com
- Data Protection Officer: [DPO Name / Contact Details, if applicable]
2. What Data We Collect
Account Data
When you register for an account, we collect your name, email address, password (stored in hashed form), user role, and organisation details (company name, VAT number, registration number, address).
Organisation Data
For organisations (tenants), we store the company name, slug, contact details, billing information, and subscription status.
Compliance Data
All data entered into the platform's compliance modules, including but not limited to: Records of Processing Activities (ROPA entries), breach incident records, consent records, Data Subject Request (DSR) records, Data Protection Impact Assessment (DPIA) records and risk items, vendor records and Data Processing Agreements (DPAs), training completion records and quiz attempts, and generated compliance documents.
Usage Data
We maintain audit logs that record actions performed on the platform, including timestamps, the user who performed the action, and the nature of the action.
Technical Data
If you have consented to analytics cookies, we may collect browser type, device information, pages visited, and interaction patterns through Google Analytics. This data is anonymised at collection (IP anonymisation is enabled).
Cookie Data
We use cookies as described in our Cookie Policy.
3. Lawful Bases for Processing
We process your personal data under the following lawful bases:
| Lawful Basis | Purpose |
|---|---|
| Contract (Art. 6(1)(b)) | Processing account data and compliance data to provide the platform service as agreed in our Terms of Service |
| Legitimate Interests (Art. 6(1)(f)) | Security logging, fraud prevention, platform improvement, and ensuring the integrity and availability of the service |
| Consent (Art. 6(1)(a)) | Analytics cookies (you may withdraw consent at any time via cookie settings), marketing communications (if any) |
| Legal Obligation (Art. 6(1)(c)) | Tax records, accounting obligations, and compliance with applicable data protection laws |
4. How We Use Your Data
- Providing the platform: To deliver, maintain, and improve the GDPR compliance management tools you have subscribed to
- Authentication & access control: To verify your identity and enforce role-based access to features and data
- Audit logging: To maintain security and compliance audit trails of actions performed on the platform
- Customer support: To respond to your enquiries, troubleshoot issues, and provide technical assistance
- Platform improvement: To analyse aggregated usage patterns and improve the platform experience (only with analytics consent)
- Billing & payments: To process subscription payments through our payment provider (Stripe)
- Legal compliance: To meet our obligations under applicable tax, accounting, and data protection laws
5. Data Sharing & Sub-Processors
We do not sell your personal data. We share data only with the following categories of recipients, each bound by appropriate Data Processing Agreements:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and management | EU (Frankfurt) |
| Vercel | Application hosting and deployment | EU / US (Edge network) |
| Stripe | Payment processing and subscription management | US (EU data residency available) |
| Google Analytics | Website analytics (only with consent) | US |
Data may also be shared with reseller partners where your organisation has been onboarded through a reseller, as described in the Reseller Partner Agreement.
6. International Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:
- Adequacy decisions: Where the European Commission has determined that a country provides an adequate level of data protection
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses that provide appropriate safeguards for data transfers
- EU-US Data Privacy Framework (DPF): For US-based processors that are certified under the DPF
You may request a copy of the relevant transfer safeguards by contacting us at privacy@gdpr4all.com.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while your account is active. Deleted within 30 days of account closure, unless retention is required by law. |
| Compliance data | Retained for the duration of your subscription. You may export your data at any time. Data is deleted within 30 days of subscription termination, unless a longer retention is requested. |
| Audit logs | Retained for 2 years from the date of the logged event. |
| Billing records | Retained as required by applicable tax and accounting laws (typically 7 years). |
| Cookie consent preferences | 1 year from the date of consent. |
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data, subject to legal retention requirements.
- Right to restriction (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority (see Contact section below).
To exercise any of these rights, please contact us at privacy@gdpr4all.com. We will respond within 30 days.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Material changes will be communicated to you via the platform (e.g., a notification banner) and/or by email. We encourage you to review this page periodically.
11. Contact
- Privacy enquiries: privacy@gdpr4all.com
- Data Protection Officer: [DPO Name / Contact Details]
- Supervisory authority: [Hellenic Data Protection Authority (HDPA) / Information Commissioner's Office (ICO) / your applicable authority]