
GDPR Compliance

Last Updated: 2024-11-25

1. Legal Basis for Processing

1.1 Contract Fulfillment: Propulix processes personal data as necessary for the performance of our contract with users. This processing includes essential operations required to provide our AI-powered interior design platform services. We process data to manage user accounts, handle subscription payments, generate AI designs, and deliver platform features. All processing activities are conducted with the minimum data necessary to fulfill these contractual obligations.

1.2 Legitimate Interests: We process certain data based on our legitimate business interests, always balanced against users' privacy rights. This includes processing for service improvement, implementing robust security measures, preventing fraudulent activities, conducting platform analytics to enhance user experience, and providing effective user support. We regularly assess these interests against potential privacy impacts to ensure appropriate balance.

1.3 User Consent: For specific processing activities, we obtain explicit user consent. This includes sending marketing communications, participation in analytics programs beyond essential service metrics, cookie usage beyond strictly necessary cookies, and participation in feature testing programs. Users can withdraw this consent at any time through their account settings or by contacting our Data Protection Officer.

2. Data Subject Rights

2.1 Access Rights: Under GDPR, you have comprehensive rights to access your personal data. You can request copies of all data we hold about you, receive information about how and why we process your data, and verify the accuracy of stored information. We provide this information in a clear, accessible format within 30 days of request receipt.

2.2 Control Rights: You maintain significant control over your personal data. You may request corrections to inaccurate data, deletion of personal data where no compelling reason for continued processing exists, limitations on how we process your data, and transfer of your data to another service provider in a structured, commonly used format.

2.3 Additional Rights: Users possess additional rights under GDPR, including the right to withdraw previously given consent at any time without penalty. You may object to processing based on legitimate interests and file complaints with supervisory authorities. We facilitate the exercise of these rights and provide necessary support in seeking appropriate remedies.

3. Data Protection Measures

3.1 Technical Safeguards: We implement comprehensive technical measures to protect user data. This includes end-to-end encryption for data in transit and at rest, robust access control systems with multi-factor authentication, continuous security monitoring of our infrastructure, and advanced breach detection systems. Our security measures are regularly updated to address emerging threats.

3.2 Organizational Measures: Beyond technical controls, we maintain strong organizational security measures. Our staff undergoes regular privacy and security training, follows detailed security policies and procedures, and operates under strict access logging requirements. We conduct regular audits to ensure compliance and effectiveness of these measures.

4. International Transfers

4.1 Transfer Mechanisms: For international data transfers, we ensure compliance through appropriate legal mechanisms. We utilize Standard Contractual Clauses approved by the European Commission, rely on adequacy decisions where applicable, maintain Privacy Shield certification for relevant transfers, and implement binding corporate rules for intra-group transfers. Each transfer mechanism is carefully selected based on the specific circumstances of the transfer.

4.2 Transfer Safeguards: All international transfers are protected by robust security measures. We employ strong encryption for data in transit, implement strict access restrictions based on need-to-know principles, maintain detailed transfer logs for accountability, and conduct regular security reviews of our transfer mechanisms and procedures.

5. Processing Records

5.1 Documentation: We maintain detailed records of all processing activities as required by GDPR Article 30. These records include comprehensive documentation of processing activities, legal bases for processing, categories of data processed, and implemented security measures. Our documentation is regularly updated to reflect any changes in processing activities.

5.2 Assessments: Regular assessments form a crucial part of our compliance program. We conduct Data Protection Impact Assessments for high-risk processing activities, perform regular risk evaluations of our processing operations, maintain ongoing compliance reviews, and implement thorough security audits of our systems and procedures.

6. Data Breach Procedures

6.1 Detection and Response: Our comprehensive data breach response system includes advanced monitoring systems for early detection, detailed response procedures for various breach scenarios, established notification protocols for timely communication, and documented recovery plans to minimize impact. Our team regularly tests and updates these procedures to ensure effectiveness.

6.2 Notification Process: In the event of a data breach, we follow strict notification procedures. We notify relevant supervisory authorities within 72 hours of breach detection, inform affected users without undue delay when high risk to rights and freedoms exists, maintain detailed documentation of all incidents, and implement necessary fixes to prevent future occurrences.

7. Compliance Updates

7.1 Regular Reviews: We maintain an active compliance monitoring program through regular reviews. This includes ongoing policy reviews to ensure alignment with current requirements, process audits to verify effective implementation, security checks to validate protective measures, and compliance updates to address any identified gaps.

7.2 Documentation: Our compliance program maintains comprehensive documentation including detailed compliance records, complete audit trails of all compliance activities, thorough process documentation, and records of all staff training activities. This documentation ensures accountability and demonstrates our commitment to GDPR compliance.

8. Contact Information

For GDPR-related matters:

Email: gdpr@propulix.com
Address: 251 Consumers Rd, North York, ON M2J 4R3, Canada

Data Protection Officer:

Email: dpo@propulix.com

This statement was last updated on November 25, 2024, and is regularly reviewed to ensure continued accuracy and compliance with GDPR requirements. We remain committed to protecting user privacy and maintaining the highest standards of data protection.