GDPR Compliance
How we comply with the General Data Protection Regulation
Last updated: January 2025
Our GDPR Commitment
Crittiks is fully committed to complying with the General Data Protection Regulation (GDPR), the European Union's comprehensive data protection law. We respect and protect the privacy rights of all our users, especially those in the European Economic Area (EEA), United Kingdom, and Switzerland.
We have implemented policies, procedures, and technical measures to ensure that personal data is processed lawfully, fairly, and transparently, and that individuals' rights are respected and protected.
Legal Basis for Processing Personal Data
We process personal data only when we have a lawful basis to do so. Our legal bases for processing include:
- Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications)
- Contract Performance: Processing is necessary to fulfill our contractual obligations to you (e.g., providing the Crittiks platform)
- Legal Obligation: Processing is necessary to comply with legal requirements (e.g., tax reporting, fraud prevention)
- Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our services, while not overriding your rights and freedoms
You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
Your Data Subject Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure (Right to be Forgotten): Request deletion of your personal data under certain circumstances
- Right to Restriction of Processing: Request that we limit how we use your personal data
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing of your personal data based on legitimate interests or for direct marketing
- Right Not to be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or significant effects
To exercise any of these rights, please contact us at gdpr@crittiks.com. We will respond to your request within 30 days.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and handle data protection matters:
Email: dpo@crittiks.com
Postal Address:
Data Protection Officer
CRITTIKS GROUP PTY LTD
07 Portillo Cr, Pakenham VIC 3810
Australia
Our DPO is responsible for monitoring our compliance with GDPR, advising on data protection impact assessments, cooperating with supervisory authorities, and serving as a point of contact for data subjects.
Data We Collect and Process
We collect and process the following categories of personal data:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, username, job title | Account creation and management |
| Contact Data | Email address, phone number, business address | Communication and service delivery |
| Financial Data | Payment card details, billing address | Processing payments and subscriptions |
| Transaction Data | Purchase history, subscription details | Service provision and billing |
| Technical Data | IP address, browser type, device information | Platform operation and security |
| Usage Data | How you use the platform, features accessed | Service improvement and analytics |
| Marketing Data | Communication preferences | Marketing communications (with consent) |
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Active Accounts: We retain your data while your account is active and for a reasonable period afterwards to allow reactivation
- Deleted Accounts: Personal data is deleted within 30 days of account deletion, except where we have a legal obligation to retain it
- Financial Records: Retained for 7 years to comply with tax and accounting regulations
- Legal Claims: Data may be retained longer if necessary to establish, exercise, or defend legal claims
- Anonymized Data: After retention periods expire, data may be anonymized for statistical purposes
International Data Transfers
Crittiks operates globally, which may require transferring personal data outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses for transfers to countries without adequate data protection laws
- Adequacy Decisions: Where possible, we transfer data to countries that the EU Commission has determined provide adequate protection
- Binding Corporate Rules: For intra-group transfers, we follow binding corporate rules approved by EU data protection authorities
- Additional Safeguards: We implement supplementary measures such as encryption and access controls to protect transferred data
Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all third-party processors who handle personal data on our behalf. These agreements ensure:
- Processors only process data according to our documented instructions
- Appropriate security measures are implemented and maintained
- Sub-processors are only engaged with our prior authorization
- Data subjects' rights can be exercised
- Data is deleted or returned upon termination of services
- Processors assist with data protection impact assessments and breach notifications
A list of our sub-processors is available upon request at gdpr@crittiks.com.
Data Protection Impact Assessments (DPIAs)
We conduct Data Protection Impact Assessments for processing activities that pose high risks to individuals' rights and freedoms. DPIAs help us:
- Identify and minimize data protection risks
- Ensure compliance with GDPR requirements
- Demonstrate accountability and transparency
- Engage with stakeholders and data protection authorities when necessary
Data Breach Notification
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
- Provide information about the nature of the breach, potential consequences, and measures taken to address it
- Document all data breaches, including facts, effects, and remedial actions taken
We maintain robust incident response procedures to detect, contain, and remediate data breaches quickly. See our Security page for more details.
Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure data security:
- Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Access Controls: Role-based access controls and multi-factor authentication
- Pseudonymization: Data pseudonymization where appropriate to minimize risk
- Regular Testing: Ongoing testing and assessment of security measures
- Employee Training: Regular data protection training for all employees
- Vendor Management: Strict vetting and monitoring of third-party processors
Privacy by Design and Default
We embed data protection into our systems and processes from the design stage:
- Implement data minimization principles (collect only what's necessary)
- Design systems with privacy-enhancing technologies
- Set privacy-friendly default settings
- Provide users with clear privacy controls
- Conduct privacy reviews for new features and services
Children's Privacy
Crittiks is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete it promptly.
If you believe we have collected information from a child, please contact us at gdpr@crittiks.com.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside, work, or where an alleged infringement of GDPR occurred.
A list of EU supervisory authorities is available at the European Data Protection Board website.
Updates to This GDPR Policy
We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes and update the "Last updated" date at the top of this page.
Contact Us About GDPR
If you have questions about our GDPR compliance or wish to exercise your data subject rights:
Email: gdpr@crittiks.com
Data Protection Officer: dpo@crittiks.com
Mail: CRITTIKS GROUP PTY LTD
GDPR Compliance Team
07 Portillo Cr, Pakenham VIC 3810
Australia
