
    This GDPR Compliance statement summarises how Kubeez fulfils its obligations under the EU General Data Protection Regulation.

    1. Accountability & Governance

    We maintain records of processing activities, conduct Data Protection Impact Assessments when required, and review policies annually. Our leadership team receives quarterly compliance reports.

    You can reach our privacy team at [email protected] for all data protection enquiries; the team oversees privacy coordination, training, incident response, and liaison with supervisory authorities where appropriate.

    2. Lawful Processing

    Each processing activity is mapped to a lawful basis under GDPR Articles 6 or 9. We rely on consent only when we can obtain it in a clear, granular manner, with the ability to withdraw at any time.

    Data minimisation principles guide product design; we only collect data strictly necessary for the stated purpose.

    3. Data Subject Rights

    We provide in-app tools and ticket workflows for handling access, erasure, portability, and objection requests. Response timelines follow Article 12 GDPR.

    Where we act as a processor for enterprise customers, we support their compliance by executing Data Processing Agreements and assisting with rights requests.

    4. Processors & Sub-Processors

    All vendors undergo security and privacy due diligence before onboarding. We execute Data Processing Agreements, including Standard Contractual Clauses for international transfers.

    An up-to-date list of sub-processors is available on request, and customers are notified at least 30 days before changes.

    5. Incident Response

    We operate a 24/7 incident response process, with detection tooling, escalation playbooks, and post-incident reviews. High-risk personal data breaches are reported to authorities within 72 hours.

    Affected users receive timely notifications describing the breach, likely consequences, and measures taken or proposed to mitigate potential adverse effects.

    6. Training & Awareness

    Employees undergo mandatory onboarding and annual refresher training on data protection, secure development, and handling personal data.

    We run regular phishing simulations and issue policy updates to reinforce best practices and maintain a privacy-by-design culture.