GDPR Standard Clauses
These standard clauses apply to all applications operated by Your Organization LLC and are incorporated by reference into each application's Privacy Policy.
1. Legal Bases for Processing (Article 6 GDPR)
We process personal data under one or more of the following legal bases:
| Legal Basis | Article | When We Use It |
|---|---|---|
| Consent | Art. 6(1)(a) | Marketing communications, non-essential cookies, optional features |
| Contract | Art. 6(1)(b) | Account management, providing the requested service |
| Legal Obligation | Art. 6(1)(c) | Tax records, regulatory reporting, responding to lawful requests |
| Legitimate Interests | Art. 6(1)(f) | Security monitoring, fraud prevention, product analytics |
2. Data Subject Rights (Articles 15–22 GDPR)
You have the following rights regarding your personal data:
Right of Access (Art. 15)
You may request a copy of the personal data we hold about you, including information about how it is used and shared.
Right to Rectification (Art. 16)
You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
You may request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis
- You object under Art. 21 and there are no overriding legitimate grounds
- The data was unlawfully processed
Right to Restriction (Art. 18)
You may request restriction of processing while accuracy is contested, or while an objection under Art. 21 is assessed.
Right to Data Portability (Art. 20)
You may receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and have it transmitted to another controller where technically feasible.
Right to Object (Art. 21)
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
Rights Related to Automated Decision-Making (Art. 22)
We do not make decisions solely by automated means that produce legal or similarly significant effects on you without human review.
3. Exercising Your Rights
To exercise any GDPR right, contact our Data Protection contact:
Include in your request:
- Your full name
- Email address associated with your account
- The specific right you wish to exercise
- Any supporting information
Response time: We will respond within 30 days. Complex requests may be extended by a further 60 days, with notice provided within the initial 30-day period.
4. Data Protection Officer (DPO)
Where required by law, we maintain a Data Protection Officer contact:
5. Supervisory Authority
If you are located in the EEA or UK and are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with your local data protection supervisory authority:
- EU: Your national DPA (e.g., CNIL for France, BfDI for Germany)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
6. International Data Transfers (Chapter V GDPR)
Where we transfer personal data outside the EEA/UK, we use one of the following safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCC 2021 sets are included in our vendor agreements
- Adequacy Decision: Where the recipient country has an adequacy decision
- Binding Corporate Rules: For intra-group transfers where applicable
Upon request, we can provide a copy of the relevant transfer mechanisms.
7. Special Categories of Personal Data (Art. 9 GDPR)
We do not intentionally collect special categories of personal data (health, biometric, ethnic origin, political opinions, religious beliefs, genetic data, sexual orientation) unless:
- You have provided explicit consent
- It is necessary for the establishment, exercise, or defence of legal claims
- Required by a specific statutory obligation
8. Legitimate Interests Assessment (Art. 6(1)(f))
Where we process based on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA). The key assessments are:
| Processing Activity | Our Legitimate Interest | Safeguards |
|---|---|---|
| Security monitoring | Protecting systems and users from fraud/attacks | Minimized data, access controls |
| Product analytics | Improving service quality | Anonymized/aggregated data |
| Incident logging | Investigating and resolving service issues | Retention limits, access controls |