
GDPR Compliance

Datastory is committed to protecting your personal data and complying with the European Union's General Data Protection Regulation (GDPR) and applicable data protection laws.

Last updated: September 1, 2025

Table of Contents

  • Overview
  • 1. Your GDPR Rights
  • 2. Legal Basis
  • 3. Data Transfers
  • 4. Data Retention
  • 5. Security Measures
  • 6. Exercising Your Rights
  • 7. Complaints & Appeals
  • 8. Children's Data
  • 9. Contact Information

Overview

The General Data Protection Regulation (GDPR) gives individuals in the European Union strong rights regarding their personal data. This page explains how Datastory complies with GDPR and how you can exercise your rights.

Key principles we follow:

  • Lawfulness, fairness and transparency: We process data legally and transparently
  • Purpose limitation: We collect data for specific, legitimate purposes
  • Data minimization: We only collect data that is necessary
  • Accuracy: We keep personal data accurate and up to date
  • Storage limitation: We don't keep data longer than necessary
  • Integrity and confidentiality: We protect data with appropriate security

1. Your Rights Under GDPR

As an individual whose personal data we process, you have the following rights under GDPR:

1.1 Right to Information and Access

You have the right to know what personal data we collect, how we use it, and who we share it with. You can also request a copy of your personal data. This information is provided in our Privacy Policy, and you can request a copy of your data by contacting us.

1.2 Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed. You can update most of your information directly in your account settings, or contact us for assistance.

1.3 Right to Erasure ("Right to be Forgotten")

You can request that we delete your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • The data has been unlawfully processed
  • You object to processing and there are no overriding legitimate grounds

1.4 Right to Restrict Processing

You can request that we limit how we process your personal data when you contest the accuracy of the data, the processing is unlawful, or you need the data for legal claims.

1.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (like JSON or CSV) and to transfer it to another service provider when technically feasible.

1.6 Right to Object

You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

1.7 Rights Related to Automated Decision-Making

You have rights regarding automated decision-making and profiling that significantly affects you. Currently, Datastory does not engage in automated decision-making that produces legal or similarly significant effects.

2. Legal Basis

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): To provide our platform services, process payments, and fulfill our contractual obligations
  • Legitimate interests (Art. 6(1)(f)): To improve our services, ensure platform security, prevent fraud, and conduct analytics
  • Consent (Art. 6(1)(a)): For marketing communications, optional features, and cookies (where required). For cookies and similar technologies, we obtain consent in accordance with GDPR and applicable ePrivacy laws. Please see our Cookie Policy for more information.
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws, regulations, and legal processes
  • Vital interests (Art. 6(1)(d)): To protect someone's life or physical safety (rare circumstances)

3. International Data Transfers

When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries deemed adequate by the European Commission
  • Standard Contractual Clauses (SCCs): EU-approved contract terms that ensure data protection
  • Binding Corporate Rules: Internal data protection rules for multinational companies
  • Certification schemes: Approved data protection certification programs

Our current data processing primarily occurs within the EEA. When using third-party service providers, we ensure they provide adequate data protection through appropriate transfer mechanisms.

4. Data Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected:

  • Account data: For the duration of your account plus 30 days after deletion
  • Usage logs: 12 months for security and performance analysis
  • Marketing data: Until consent is withdrawn or 3 years of inactivity
  • Financial records: 7 years for tax and accounting compliance
  • Legal claims data: Until the statute of limitations expires

5. Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
  • Access controls: Role-based permissions and multi-factor authentication
  • Regular audits: Security assessments and vulnerability testing
  • Staff training: Regular data protection and security training
  • Incident response: Procedures for detecting and responding to data breaches

6. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Update information directly in your account settings
  • Contact our Data Protection Officer at hello@datastory.tech
  • Use our contact form with "GDPR Request" in the subject line

What to include in your request:

  • Your full name and email address associated with your account
  • Clear description of your request and which right you're exercising
  • Any additional information that helps us locate your data

We may request additional information if necessary to verify your identity before fulfilling your request.

Response time: We will respond within 30 days of receiving your request. For complex requests, we may extend this by up to 60 additional days with an explanation.

7. Complaints and Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority:

7.1 Lead Supervisory Authority

As Datastory is based in Sweden, our lead supervisory authority is:

Swedish Authority for Privacy Protection (IMY)

Website: www.imy.se

Email: imy@imy.se

Phone: +46 8 657 61 00

7.2 Local Data Protection Authorities

You can also contact your local data protection authority in your EU member state. A complete list is available on the European Data Protection Board website.

8. Children's Data Protection

We take special care to protect children's personal data:

  • Our services are not intended for children under 16 years of age
  • We do not knowingly collect personal data from children under 16
  • If we become aware of such collection, we will delete the data immediately
  • Parents or guardians can contact us if they believe we have collected their child's data

9. Contact Information

For any questions about GDPR compliance or to exercise your rights:

Data Protection Contact

Email: hello@datastory.org

Company: Datastory Tech AB

Org. nr: 556954-2870

Address:

Datastory Tech AB

C/O Embassy House

Östgötagatan 12

116 25 Stockholm, Sweden

We may request additional information if necessary to verify your identity before fulfilling your request. We will respond within 30 days.

Need Help with GDPR Requests?

Our data protection team is here to help you exercise your rights under GDPR. We're committed to responding promptly and transparently to all valid requests.

This GDPR compliance page supplements our Privacy Policy and Data Processing Addendum. For the most current information about our data practices, please review all relevant documents.
