GDPR Compliance
Last updated: March 2026
We take GDPR seriously. This page explains how Spendmix complies with the General Data Protection Regulation (EU 2016/679) and how you can exercise your data rights.
1. Our Commitment to GDPR
Here's what we do to stay GDPR-compliant:
- Privacy by design built into every feature we ship
- Data minimization -- we only collect what we actually need
- All personal data encrypted at rest and in transit
- Regular security audits and data protection assessments
- Team training on data protection practices
- Data Processing Agreements (DPAs) with every sub-processor
2. Data Controller Information
The data controller under GDPR is:
Spendmix
Email: legal@spendmix.com
When you use Spendmix to process your marketing data, we act as a data processor on your behalf (you're the controller). We only process data according to your instructions and our Data Processing Agreement.
3. Legal Basis for Processing
We process personal data under these legal bases (per GDPR Article 6):
- Contract performance (Art. 6(1)(b)): We need to process data to run the platform, manage your account, and deliver what we've agreed to.
- Legitimate interests (Art. 6(1)(f)): We process data to improve the product, keep things secure, prevent fraud, and run anonymized analytics -- as long as this doesn't override your rights.
- Legal obligation (Art. 6(1)(c)): Sometimes the law requires us to process certain data.
- Consent (Art. 6(1)(a)): For things like non-essential cookies or marketing emails, we ask for your consent. You can withdraw it anytime -- that won't affect anything we did before you withdrew.
4. Data Subject Rights
Under GDPR, here's what you can do with your personal data:
- Access (Art. 15): Ask us if we're processing your data, and get a copy of it along with details about how it's being used.
- Correction (Art. 16): Ask us to fix any data that's wrong or incomplete.
- Deletion (Art. 17): Ask us to delete your data when it's no longer needed, you've withdrawn consent, or the processing is unlawful.
- Portability (Art. 20): Get your data in a standard, machine-readable format, or have it sent to another provider.
- Restriction (Art. 18): Ask us to pause processing while we verify data accuracy or review an objection, or when processing is unlawful but you don't want deletion.
- Objection (Art. 21): Object to processing based on legitimate interests or for direct marketing.
5. Data Protection Officer
Our DPO oversees GDPR compliance and handles data protection questions. You can reach them directly:
6. International Data Transfers
Some of our infrastructure is outside the EEA. When we transfer data internationally, we protect it through:
- Adequacy decisions: Transfers to countries the European Commission has approved as having adequate data protection.
- Standard Contractual Clauses (SCCs): EU-approved contracts with all sub-processors outside the EEA.
- Technical safeguards: Encryption, pseudonymization, and access controls to keep data safe in transit and at rest.
7. How to Exercise Your Rights
Email legal@spendmix.com with the subject line "Data Subject Request" and include:
- Your name and the email on your Spendmix account
- Which right you want to exercise
- Any details that help us find your data
We'll verify your identity first, then respond within 30 days. For especially complex requests, we may need up to 60 extra days -- if so, we'll let you know and explain why.
8. Complaint Procedure
If you think we're not handling your data properly, you can file a complaint with a supervisory authority. We'd appreciate the chance to sort it out first, though -- email us at legal@spendmix.com.
You can also contact the data protection authority in the EU country where you live, work, or where the issue happened. Find your local authority on the European Data Protection Board website.
9. Contact Information
For more on how we handle data, see our Privacy Policy, or get in touch:
Spendmix
Email: legal@spendmix.com