GDPR Compliance Policy

1. Introduction

This GDPR Compliance Policy explains how CxStat ("we," "our," or "us") complies with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and your rights as a data subject.

The GDPR is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Economic Area (EEA). We are committed to protecting your personal data and ensuring full compliance with GDPR requirements.

2. Legal Basis for Processing

Under GDPR, we must have a legal basis for processing your personal data. We process your data based on the following legal grounds:

2.1 Consent

You have given clear consent for us to process your personal data for specific purposes, such as:

• Account registration and service provision
• Analytics and usage tracking (with your consent)
• Marketing communications (where applicable and with your consent)

You can withdraw your consent at any time by contacting us or adjusting your account settings.

2.2 Contractual Necessity

Processing is necessary for the performance of a contract to which you are a party, including:

• Providing access to CxStat services
• Managing your account and user profile
• Processing and storing your project data
• Enabling API integrations you configure

2.3 Legitimate Interests

Processing is necessary for our legitimate interests, such as:

• Improving our services and user experience
• Ensuring security and preventing fraud
• Analyzing usage patterns to enhance functionality
• Maintaining system security and performance

We always balance our legitimate interests against your rights and freedoms and will not process your data if your interests override ours.

2.4 Legal Obligation

Processing is necessary for compliance with legal obligations, such as:

• Responding to legal requests and court orders
• Complying with tax and accounting requirements
• Maintaining records as required by law

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

3.1 How to Exercise Your Rights

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section. We will:

• Respond to your request within one month (may be extended by two months for complex requests)
• Verify your identity before processing your request
• Provide information free of charge (unless requests are manifestly unfounded or excessive)
• Explain any refusal to comply with your request and inform you of your right to lodge a complaint

4. Data Controller and Data Processor

Data Controller: CxStat is the data controller responsible for determining the purposes and means of processing your personal data.

Data Processors: We use the following data processors who process your data on our behalf:

• Google Firebase: Provides authentication, database storage, and cloud functions. Firebase acts as a data processor and is GDPR compliant. Firebase Privacy Policy
• Google Analytics: Provides website analytics services. Google Analytics is GDPR compliant and offers data processing agreements. Google Privacy Policy

We have data processing agreements in place with all processors to ensure they handle your data in accordance with GDPR requirements.

5. Personal Data We Process

We process the following categories of personal data:

5.1 Identity Data

• Email address
• Display name
• User ID (Firebase authentication)

5.2 Account Data

• Account creation date
• Account settings and preferences
• Project limits and configurations

5.3 Project Data

• Project names and identifiers
• Checklists and equipment information
• Issues and project management data
• Project settings and configurations

5.4 Technical Data

• IP address
• Browser type and version
• Device information
• Usage statistics and analytics

5.5 Credential Data

• Encrypted API credentials for third-party integrations (CxAlloy API)
• Authentication tokens (encrypted)

6. Data Processing Principles

We adhere to the following GDPR data processing principles:

6.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly inform you about what data we collect and how we use it.

6.2 Purpose Limitation

We collect personal data only for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

6.3 Data Minimization

We collect and process only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

6.4 Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. You can update your information through your account settings.

6.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.

6.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure personal data is processed securely, including protection against unauthorized access, loss, or destruction.

6.7 Accountability

We are responsible for demonstrating compliance with GDPR principles and maintaining records of our data processing activities.

7. Data Security Measures

We implement comprehensive security measures to protect your personal data:

7.1 Technical Measures

• Encryption: Sensitive data, including API credentials, is encrypted using AES encryption
• Secure Transmission: All data transmission is encrypted using SSL/TLS protocols (HTTPS)
• Authentication: Strong authentication mechanisms and password hashing
• Access Controls: Role-based access controls and user data isolation
• Firewall and Network Security: Protection against unauthorized access

7.2 Organizational Measures

• Staff Training: Regular training on data protection and security
• Access Management: Limited access to personal data on a need-to-know basis
• Incident Response: Procedures for detecting, reporting, and responding to data breaches
• Regular Audits: Security assessments and compliance reviews

7.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
• Inform you without undue delay if the breach poses a high risk to your rights and freedoms
• Provide clear information about the nature of the breach and steps we are taking to address it

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers (Google Firebase, Google Analytics) are located.

We ensure that appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses: We use EU-approved standard contractual clauses with our service providers
• Adequacy Decisions: We rely on adequacy decisions where applicable
• Binding Corporate Rules: Where available, we use binding corporate rules
• GDPR Compliance: All service providers are required to comply with GDPR requirements

By using CxStat, you consent to the transfer of your data to these countries with the safeguards described above.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Account Data: Retained until you delete your account or request deletion
• Project Data: Retained until you delete the project or your account
• Analytics Data: Retained in aggregated, anonymized form (typically up to 26 months)
• Log Data: Retained for security purposes (typically up to 90 days)
• Legal Requirements: Some data may be retained longer if required by law

When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.

10. Children's Data

CxStat is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 16 years of age without parental consent.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

11. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. All decisions regarding your account and data are made with human oversight.

Analytics and usage data are used only for service improvement and do not result in automated decisions that affect your access to services or rights.

12. Supervisory Authority

If you are located in the EEA and believe we have not addressed your concerns or that we have not complied with GDPR requirements, you have the right to lodge a complaint with your local supervisory authority.

You can find contact information for your supervisory authority at: European Data Protection Board

We encourage you to contact us first so we can address your concerns directly.

13. Updates to This Policy

We may update this GDPR Compliance Policy from time to time to reflect changes in our practices, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending you an email notification (if you have provided an email address)
• Displaying a prominent notice within the application

Your continued use of CxStat after any changes constitutes your acceptance of the updated policy.