Privacy Policy
Last updated: April 19, 2026 · Effective: April 19, 2026
1. Data Controller
GDPR Fix ("we", "us", "our") is the data controller responsible for your personal data.
Service: GDPR Fix — GDPR compliance scanning service
Website: https://gdprfix.eu
Contact email: [email protected]
2. What Data We Collect and Why
We collect only the data strictly necessary to provide our service. Below is a complete list of personal data we process, the purpose, and the legal basis under GDPR Article 6.
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, email, profile picture | Account creation & authentication | Art. 6(1)(b) — Contract performance | Until account deletion |
| URLs submitted for scanning | Performing the compliance scan | Art. 6(1)(b) — Contract performance | Until account deletion |
| Scan results & AI reports | Displaying reports, tracking history | Art. 6(1)(b) — Contract performance | Until account deletion |
| Subscription ID, plan status | Managing paid subscriptions | Art. 6(1)(b) — Contract performance | Until account deletion + 7 years (tax) |
| IP address, user agent | Security, abuse prevention, debugging | Art. 6(1)(f) — Legitimate interest | 30 days |
| Email address (transactional) | Sending scan results, billing receipts | Art. 6(1)(b) — Contract performance | Until account deletion |
We do not collect or process:
- Special category (sensitive) data
- Payment card numbers or bank details (handled by Creem.io)
- Browsing behavior, device fingerprints, or location data
- Data from minors under 16 years of age
3. Cookies
We practice what we preach. GDPR Fix uses only strictly necessary and user-requested preference cookies — zero analytics cookies, zero tracking pixels, zero marketing cookies, and zero third-party cookies.
Every cookie we set is named — with provider, purpose, and duration — in our dedicated Cookie Policy.
4. Third-Party Data Processors
We share personal data only with processors necessary to deliver the service. Each processor is bound by a Data Processing Agreement (DPA) as required by GDPR Article 28.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google OAuth | Authentication | OAuth token exchange only | US (SCCs in place) |
| Anthropic (Claude AI) | AI compliance analysis | Scan results only: detected cookies (names, domains, categories, security flags, durations), third-party scripts (names, domains and script URLs), consent-banner structure and behaviour, and the text of the scanned site's cookie/privacy policy page. No account details and no other page content are sent. Zero-retention API (inputs not stored after the response). | US (SCCs in place) |
| Creem.io | Payment processing | Email, subscription status | EU |
| Resend | Transactional email delivery | Email address, email content | US (SCCs in place) |
We do not sell, rent, or trade your personal data to any third party. No data is shared for advertising or marketing purposes.
5. International Data Transfers
Some of our processors are located in the United States. For all US-based processors, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR to ensure an adequate level of data protection.
Anthropic's Claude API operates on a zero-retention basis for API inputs — your scan data is processed in memory and not stored by Anthropic after the response is generated.
6. Data Retention
We retain your data only as long as necessary for the purposes described above:
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account data (name, email, picture) | Until account deletion | User request or account deletion |
| Scan results & reports | Until account deletion | User request or account deletion |
| Server logs (IP, user agent) | 30 days | Automatic rotation |
| Payment/billing records | 7 years after last transaction | Legal obligation (tax law) |
| Transactional email logs | 90 days | Automatic rotation |
When you delete your account, all personal data is permanently removed within 30 days, except where retention is required by law (e.g., tax records).
7. Your Rights Under GDPR
Under Chapters III and IV of the General Data Protection Regulation, you have the following rights regarding your personal data:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format within 30 days.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"). We will delete all data within 30 days unless retention is legally required.
Right to Restriction (Art. 18)
Request that we limit processing of your data while a dispute is resolved.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests (e.g., server logs). We will stop processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
Lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
To exercise any of these rights, email [email protected]. We will respond within 30 days as required by GDPR Article 12(3). We will verify your identity before processing any request. No fee is charged for exercising your rights unless requests are manifestly unfounded or excessive.
8. Data Security
We implement appropriate technical and organisational measures as required by GDPR Article 32:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.3
- Encryption at rest: Database is encrypted with AES-256
- Access control: Principle of least privilege; access limited to authorized personnel
- Authentication security: OAuth 2.0 via Google; no passwords stored
- Infrastructure: VPS hosted in the EU with regular security updates
- Monitoring: Automated alerts for unauthorized access attempts
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected users without undue delay as required by Article 34 where the breach poses a high risk.
9. Children's Privacy
GDPR Fix is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that a child under 16 has provided us with personal data, we will delete it immediately. If you believe a child under 16 has provided data to us, please contact [email protected].
10. Automated Decision-Making
Our service uses AI (Anthropic Claude) to generate compliance reports and scores. This automated processing does not produce legal effects or similarly significantly affect you as defined by GDPR Article 22. Compliance scores are informational tools — not legal determinations. You are not subject to decisions based solely on automated processing.
11. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email for significant changes
- Provide at least 30 days' notice before changes take effect
Continued use of the service after changes take effect constitutes acceptance of the updated policy.
12. Contact & Supervisory Authority
For any questions, concerns, or requests regarding your personal data:
Email: [email protected]
Response time: Within 30 days (GDPR Art. 12(3))
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.