GDPR Compliance

Last updated: December 19, 2024

1. Our Commitment to GDPR

GrenFeedback is committed to complying with the General Data Protection Regulation (GDPR) and protecting the rights of individuals in the European Economic Area (EEA) and beyond. This document outlines how we meet GDPR requirements and respect your data rights.

2. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: To provide the Service you've requested
  • Consent: When you explicitly agree to specific processing activities
  • Legitimate Interests: For service improvement, security, and fraud prevention
  • Legal Obligation: When required by applicable laws

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

3.1 Right to Access

You have the right to obtain confirmation of whether we process your personal data and to access that data.

3.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent.

3.4 Right to Restrict Processing

You can request that we limit how we process your personal data in specific situations.

3.5 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another controller.

3.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

3.7 Right to Withdraw Consent

When processing is based on consent, you can withdraw it at any time without affecting the lawfulness of previous processing.

3.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Email us at [email protected]
  • Use the account settings in your dashboard for some actions (e.g., data export, account deletion)

We will respond to your request within one month of receipt, as required by GDPR (Article 12). For complex or numerous requests this period may be extended by up to two further months, in which case we will tell you within the first month. We may request additional information to verify your identity before acting on a request, so that personal data is not disclosed, altered, or deleted at the request of someone other than the data subject.

5. Data Processing Activities

5.1 Data Categories

We process the following categories of personal data:

  • Identity data (email, name)
  • Account credentials (passwords, stored only in protected form, never in plaintext)
  • Usage data (interactions with the Service)
  • Feedback content and metadata
  • Device information (platform, OS, version)

5.2 Data Recipients

Your data may be shared with:

  • Google Cloud Platform (infrastructure provider)
  • Polar (payment processing, when applicable)
  • Email service providers (for transactional emails)

All processors are vetted before use and are bound by data processing agreements that impose the obligations GDPR requires of a processor (Article 28), including confidentiality, security measures, and restrictions on further subprocessing.

6. International Data Transfers

Your data is processed and stored primarily in the United States (Google Cloud Platform, us-central1). We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Data processing agreements with subprocessors
  • Reliance on the EU-U.S. Data Privacy Framework where a subprocessor is certified under it (the earlier Privacy Shield framework was invalidated in 2020 and is no longer a valid transfer mechanism)

7. Data Retention

We retain personal data only as long as necessary:

  • Active accounts: Data retained while account is active
  • Deleted accounts: Most data deleted within 30 days; some data retained for legal obligations (e.g., tax records, fraud prevention)
  • Feedback data: Retained according to organization settings or until account deletion

8. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee data protection training
  • Incident response procedures
  • Multi-tenant data isolation

9. Data Breach Notification

If we become aware of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (GDPR Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34), describing the nature of the breach, its likely consequences, and the measures taken to address it.

10. Privacy by Design

We implement privacy by design principles in our Service development, including:

  • Data minimization (collecting only necessary data)
  • Purpose limitation (using data only for stated purposes)
  • Storage limitation (retaining data only as long as needed)
  • Default privacy settings
  • Transparent data practices

11. Children's Data

We do not knowingly process personal data of individuals under 16 years of age without parental consent. If you believe we have collected data from a child, please contact us immediately.

12. Updates to This Document

We may update this GDPR Compliance document to reflect changes in our practices or legal requirements. Material changes will be communicated to active users.

13. Contact Information

For GDPR-related inquiries or to exercise your rights, contact us at:

Email: [email protected]

Related documents: Privacy Policy, Terms of Service