Privacy Policy

Your privacy matters to us. This policy explains how we handle your data.

Last updated: December 29, 2024
GDPR Compliant

1. Introduction

GDPRKit ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GDPR compliance assessment tool and services at gdprkit.eu ("Service").

We comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and all applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

Company: GDPRKit
Address: [Your Address]
Email: [email protected]
DPO Contact: [email protected]

3. Data We Collect

3.1 Information You Provide

  • Account Data: Email address, password (hashed), company name, full name
  • Assessment Data: Responses to GDPR compliance questions
  • Payment Data: Processed via Stripe (we don't store card details)
  • Communication Data: Support tickets, emails, feedback

3.2 Automatically Collected Data

  • Usage Data: Pages viewed, features used, time spent
  • Technical Data: IP address, browser type, device information
  • Cookie Data: Session cookies, preference cookies

4. How We Use Your Data

Primary Purposes

  • Provide GDPR assessment
  • Generate compliance documents
  • Process payments
  • Send service communications
  • Provide customer support

Secondary Purposes

  • Improve our services
  • Send marketing (with consent)
  • Ensure security
  • Legal compliance
  • Anonymous analytics

6. Data Sharing and Third Parties

We share your data only when necessary:

Service Providers (Data Processors)

  • Supabase: Database & Auth (EU servers)
  • Stripe: Payment processing
  • DigitalOcean: Hosting (EU region)
  • OpenAI: Document generation

Important: We never sell your personal data to third parties. All processors have signed Data Processing Agreements (DPAs) compliant with GDPR Article 28.

7. Data Retention

  • Account data: Duration of account + 30 days
  • Assessment data: 3 years (compliance records)
  • Payment records: 7 years (legal requirement)
  • Marketing data: Until consent withdrawn
  • Support tickets: 2 years after resolution

8. Your Rights Under GDPR

  • Right to Access: Request copies of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request data deletion
  • Right to Restriction: Limit data processing
  • Right to Portability: Transfer your data
  • Right to Object: Object to processing

To exercise any right, email: [email protected]

Response time: Within 30 days (may extend to 60 days for complex requests)

9. Security Measures

  • Encryption in transit (TLS/SSL) and at rest
  • Password hashing using bcrypt
  • Regular security audits and updates
  • Access controls and authentication
  • Data backup and recovery procedures
  • Incident response plan

Breach Notification: In case of a data breach, we will notify affected users within 72 hours as required by GDPR Articles 33-34.

10. Cookies and Tracking

Cookie Name  | Purpose              | Duration
session_id   | Authentication       | Session
preferences  | User settings        | 1 year
_ga          | Analytics (optional) | 2 years

11. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you via email or prominent notice on our Service.

12. Contact Information

Data Protection Inquiries

Email: [email protected]
DPO: [email protected]

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority.