PRIVACY POLICY

GDPR Compliant | CCPA California | EU Cookie Consent Law

PREAMBLE & SCOPE

This Privacy Policy ("Policy") applies to [Company Name], operating at [Website URL] and mobile applications ("Service"). We respect your privacy and are committed to transparency regarding data collection, use, and your rights per GDPR (EU Regulation 2016/679), CCPA (California Civil Code §1798.100 et seq.), and German BDSG (Bundesdatenschutzgesetz).

Last Updated: [Date] | Version: 1.0

1. DATA CONTROLLER & CONTACT INFORMATION

1.1 Data Controller (Person responsible for data):

Company Name: [Legal Entity Name]
Address: [Full Business Address]
Email: [privacy@company.com]
Phone: [+49 ... / +1 ...]
Registration: [HRB / CIK Number]

1.2 Data Protection Officer (Required if personal data processing at scale per GDPR Art. 37):

☐ Not required (data processing non-systematic or limited scope)
☐ Designated: [DPO Name/Contact, if required]

1.3 Legal Jurisdiction & Rights Authority:

☐ EU-based company (GDPR primary regulator + national DPAs)
☐ US-based company (CCPA primary, GDPR secondary if EU customers)
☐ Multi-jurisdictional (all applicable laws honored)

2. WHAT PERSONAL DATA WE COLLECT

2.1 Direct Collection (Information you provide us): Per GDPR Art. 13-14

(a) Account Registration: Name, email, phone, password, company affiliation
(b) Payment Information: Billing address, payment method (credit card last 4 digits only; full processing by PCI-DSS compliant processor)
(c) Service Usage: Profile information, preferences, communication history
(d) Customer Support: Support requests, feedback, inquiries (retained [X months] for customer service)

2.2 Automatic Collection (Technical data - Cookies/Tracking): Per ePrivacy Directive 2002/58 (Cookie Consent Law)

(a) Cookie Data: Session ID, user preferences, [list specific cookies]
(b) IP Address & Device Info: Collected for security/fraud prevention, not sold to third parties
(c) Analytics: Page views, click paths, time on page (via [Google Analytics / Matomo / Other])
(d) Cookie Categories:
☐ Essential (mandatory for service function)
☐ Functional (remember user preferences)
☐ Analytics (understand user behavior)
☐ Marketing (ad targeting) - REQUIRES EXPLICIT CONSENT per GDPR Art. 7

2.3 Third-Party Data (Information from others):

(a) From social media platforms (if you connect account)
(b) From payment processors / identity verification services
(c) From publicly available sources (LinkedIn, company websites)

3. HOW WE USE YOUR DATA (LAWFUL BASIS)

3.1 Legal Basis for Processing: Per GDPR Art. 6 (Lawful Basis), we process data based on:

(a) Contract Performance (Art. 6(1)(b)): To deliver Service and fulfill contractual obligations
(b) Legitimate Interest (Art. 6(1)(f)): To improve Service, prevent fraud, ensure security
(c) Legal Obligation (Art. 6(1)(c)): Compliance with tax laws, anti-money laundering (AML), know-your-customer (KYC) per EU 5th AML Directive 2015/849
(d) Explicit Consent (Art. 6(1)(a)): Marketing emails, analytics tracking (revocable via unsubscribe / cookie settings)

3.2 Purposes of Use:

✓ Providing Service functionality
✓ Sending account notifications, password resets
✓ Processing payments and issuing invoices
✓ Customer support and technical troubleshooting
✓ Improving user experience (analytics, A/B testing)
✓ Fraud prevention and account security monitoring
✓ Compliance with legal obligations (law enforcement requests, tax filings)
✗ Selling personal data to third parties (prohibited - see Section 4)
✗ Political profiling, discriminatory targeting, or automated decision-making with significant effects (per GDPR Art. 22)

4. DATA SHARING & THIRD PARTIES

4.1 We DO NOT Sell Personal Data. We do not sell, rent, or trade your personal data for marketing purposes per CCPA §1798.140(ac) Definition of "Sale".

4.2 Data Processors (Vendors acting on our behalf): Per GDPR Art. 28 (Data Processing Agreements)

(a) Hosting Provider: [e.g., AWS, Google Cloud, Replit] - Data Processing Agreement signed, EU adequacy ensured
(b) Payment Processor: [Stripe, PayPal, etc.] - PCI-DSS compliant, encrypted
(c) Analytics: [Google Analytics / Matomo] - anonymized IP, data retention [X months]
(d) Email Service: [Mailgun / SendGrid / Other] - encrypted in transit/rest
(e) All processors contractually bound to GDPR/CCPA compliance, Standard Contractual Clauses (SCC) per EU Decision 2021/914 for international transfers

4.3 Legal Disclosure (Law Enforcement): We may disclose data if required by law:

(a) Court orders, subpoenas, regulatory requests
(b) We provide advance notice to user ([X days]) unless legally prohibited
(c) Per 18 USC §1833(b) - Whistleblower Protection

5. DATA RETENTION & DELETION

5.1 Retention Schedule: Per GDPR Art. 5(1)(e) (Storage Limitation)

(a) Active Account Data: Retained while account active + [12 months] after termination
(b) Payment Records: Retained [7 years] for tax/accounting compliance per German AO §257 (Tax Code)
(c) Support Tickets: Deleted after [6 months] unless dispute/legal hold
(d) Analytics Data: Aggregated/anonymized after [X months]

5.2 Your Right to Deletion (Right to be Forgotten): Per GDPR Art. 17 & CCPA §1798.105

(a) You may request deletion of personal data (with exceptions for legal compliance, fraud prevention)
(b) Exceptions: data needed for contract performance, legal obligations, [other legitimate reasons]
(c) Timeframe for deletion: [45 days] after request verification

6. YOUR PRIVACY RIGHTS

6.1 GDPR Rights (if you are in EU/EEA): Per GDPR Art. 15-22

✓ Right of Access (Art. 15): Request copy of your data (free, within 30 days)
✓ Right of Rectification (Art. 16): Correct inaccurate data
✓ Right of Erasure (Art. 17): Delete data ("Right to be Forgotten")
✓ Right to Restrict Processing (Art. 18): Limit how we use your data
✓ Right of Portability (Art. 20): Export data in machine-readable format (CSV/JSON)
✓ Right to Object (Art. 21): Opt-out of marketing communications, analytics tracking
✓ Right to Non-Automated Decision-Making (Art. 22): Reject purely algorithmic decisions with significant effects

6.2 CCPA Rights (if you are a California resident): Per CCPA §1798.100-1798.115

✓ Right to Know (§1798.100): What data we collect and how we use it
✓ Right to Delete (§1798.105): Request deletion of personal data (subject to exceptions)
✓ Right to Opt-Out (§1798.120): Opt-out of "sale" or "sharing" of data for marketing (California residents only)
✓ Right to Correct (§1798.112): Fix inaccurate data
✓ Right to Limit Use (§1798.121): Limit use of sensitive personal information

6.3 How to Exercise Rights:

Email: [privacy@company.com]
Form: [Link to online form]
Response Time: [45 days] (GDPR), [45 days] (CCPA)
We will NOT discriminate against you for exercising privacy rights.

7. DATA TRANSFERS & INTERNATIONAL

7.1 International Transfers: Per GDPR Art. 44-50 (International Transfers)

(a) If we transfer data outside EU/EEA, we ensure adequate safeguards:
- EU adequacy decision (if transfer to approved country), OR
- Standard Contractual Clauses (SCCs) per EU Decision 2021/914, OR
- Binding Corporate Rules (BCRs) for corporate group transfers
(b) We do NOT transfer data to countries without adequate protection (e.g., unilateral US data requests without SCC)

7.2 Your Consent to Transfer: By using the Service, you consent to processing in [jurisdictions where data is processed] per these safeguards.

8. SECURITY MEASURES

8.1 Technical & Organizational Measures: Per GDPR Art. 32

✓ End-to-end encryption for data in transit (TLS 1.2+)
✓ AES-256 encryption for data at rest
✓ Access controls (multi-factor authentication for admin accounts)
✓ Regular security audits & penetration testing
✓ Data breach notification within 72 hours per GDPR Art. 33
✓ Automatic backups with [X days] recovery testing
✗ We cannot guarantee 100% security; you are responsible for password protection

9. SENSITIVE DATA & SPECIAL PROCESSING

9.1 Special Categories (GDPR Art. 9): We do NOT collect sensitive data (race, religion, biometric, health, sexual orientation) EXCEPT:

(a) Health data with explicit consent for customer support
(b) Biometric data (fingerprint/face ID) if user explicitly consents for device unlock only
(c) All sensitive data is encrypted end-to-end per GDPR Art. 32

9.2 Processing Restrictions: Sensitive data processed ONLY for stated purpose; never used for automated profiling per GDPR Art. 22 (Automated Decision-Making)

10. CCPA-SPECIFIC PROVISIONS (California Residents)

10.1 California Consumer Rights (CCPA §1798.100-1798.115): Per CCPA §1798.100 et seq.:

✓ Right to Know: Request categories/specific personal information collected
✓ Right to Delete: Request deletion (subject to exceptions for contractual obligations, fraud prevention)
✓ Right to Opt-Out: Opt-out of "sale" or "sharing" of data for targeted advertising/analytics
✓ Right to Correct: Request correction of inaccurate data
✓ Right to Non-Discrimination: Company will NOT discriminate (different pricing/service quality) for exercising CCPA rights

10.2 California Privacy Rights Act (CPRA): Per CPRA (effective 2023), expanded rights include: Right to Limit Use/Disclosure, Right to Correct, Sensitive Data Protection

11. CONTACT & COMPLAINTS

11.1 Privacy Inquiries: [privacy@company.com] | [+49 ... or +1 ...]

11.2 Data Protection Authority Complaint: You have the right to lodge a complaint with your national DPA:

🇩🇪 Germany: Bundesbeauftragte (Federal Data Protection Officer)
🇪🇺 EU: EDPB (European Data Protection Board)
🇺🇸 California: California Attorney General

CRITICAL COMPLIANCE NOTE: This Privacy Policy must be updated whenever data processing practices change. Non-compliance with GDPR/CCPA results in fines up to €20M or 4% annual revenue (GDPR) or up to $7,500 per CCPA violation. Regular audits and consent management are mandatory.

Last Updated: [Date] | Version: 1.0 | Next Review: [Date + 12 months]