Skip to content

Privacy Policy

Last updated: April 19, 2026 · Effective: April 19, 2026

1. Data Controller

GDPR Fix ("we", "us", "our") is the data controller responsible for your personal data.

Service: GDPR Fix — GDPR compliance scanning service

Website: https://gdprfix.eu

Contact email: [email protected]

2. What Data We Collect and Why

We collect only the data strictly necessary to provide our service. Below is a complete list of personal data we process, the purpose, and the legal basis under GDPR Article 6.

DataPurposeLegal BasisRetention
Name, email, profile pictureAccount creation & authenticationArt. 6(1)(b) — Contract performanceUntil account deletion
URLs submitted for scanningPerforming the compliance scanArt. 6(1)(b) — Contract performanceUntil account deletion
Scan results & AI reportsDisplaying reports, tracking historyArt. 6(1)(b) — Contract performanceUntil account deletion
Subscription ID, plan statusManaging paid subscriptionsArt. 6(1)(b) — Contract performanceUntil account deletion + 7 years (tax)
IP address, user agentSecurity, abuse prevention, debuggingArt. 6(1)(f) — Legitimate interest30 days
Email address (transactional)Sending scan results, billing receiptsArt. 6(1)(b) — Contract performanceUntil account deletion

We do not collect or process:

  • Special category (sensitive) data
  • Payment card numbers or bank details (handled by Creem.io)
  • Browsing behavior, device fingerprints, or location data
  • Data from minors under 16 years of age

3. Cookies

We practice what we preach. GDPR Fix uses only strictly necessary and user-requested preference cookies — zero analytics cookies, zero tracking pixels, zero marketing cookies, and zero third-party cookies.

Every cookie we set is named — with provider, purpose, and duration — in our dedicated Cookie Policy.

4. Third-Party Data Processors

We share personal data only with processors necessary to deliver the service. Each processor is bound by a Data Processing Agreement (DPA) as required by GDPR Article 28.

ProcessorPurposeData SharedLocation
Google OAuthAuthenticationOAuth token exchange onlyUS (SCCs in place)
Anthropic (Claude AI)AI compliance analysisScan results only: detected cookies (names, domains, categories, security flags, durations), third-party scripts (names, domains and script URLs), consent-banner structure and behaviour, and the text of the scanned site's cookie/privacy policy page. No account details and no other page content are sent. Zero-retention API (inputs not stored after the response).US (SCCs in place)
Creem.ioPayment processingEmail, subscription statusEU
ResendTransactional email deliveryEmail address, email contentUS (SCCs in place)

We do not sell, rent, or trade your personal data to any third party. No data is shared for advertising or marketing purposes.

5. International Data Transfers

Some of our processors are located in the United States. For all US-based processors, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR to ensure an adequate level of data protection.

Anthropic's Claude API operates on a zero-retention basis for API inputs — your scan data is processed in memory and not stored by Anthropic after the response is generated.

6. Data Retention

We retain your data only as long as necessary for the purposes described above:

Data TypeRetention PeriodDeletion Trigger
Account data (name, email, picture)Until account deletionUser request or account deletion
Scan results & reportsUntil account deletionUser request or account deletion
Server logs (IP, user agent)30 daysAutomatic rotation
Payment/billing records7 years after last transactionLegal obligation (tax law)
Transactional email logs90 daysAutomatic rotation

When you delete your account, all personal data is permanently removed within 30 days, except where retention is required by law (e.g., tax records).

7. Your Rights Under GDPR

Under Chapters III and IV of the General Data Protection Regulation, you have the following rights regarding your personal data:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format within 30 days.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"). We will delete all data within 30 days unless retention is legally required.

Right to Restriction (Art. 18)

Request that we limit processing of your data while a dispute is resolved.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests (e.g., server logs). We will stop processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint (Art. 77)

Lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

To exercise any of these rights, email [email protected]. We will respond within 30 days as required by GDPR Article 12(3). We will verify your identity before processing any request. No fee is charged for exercising your rights unless requests are manifestly unfounded or excessive.

8. Data Security

We implement appropriate technical and organisational measures as required by GDPR Article 32:

  • Encryption in transit: All data is transmitted over HTTPS/TLS 1.3
  • Encryption at rest: Database is encrypted with AES-256
  • Access control: Principle of least privilege; access limited to authorized personnel
  • Authentication security: OAuth 2.0 via Google; no passwords stored
  • Infrastructure: VPS hosted in the EU with regular security updates
  • Monitoring: Automated alerts for unauthorized access attempts

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected users without undue delay as required by Article 34 where the breach poses a high risk.

9. Children's Privacy

GDPR Fix is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that a child under 16 has provided us with personal data, we will delete it immediately. If you believe a child under 16 has provided data to us, please contact [email protected].

10. Automated Decision-Making

Our service uses AI (Anthropic Claude) to generate compliance reports and scores. This automated processing does not produce legal effects or similarly significantly affect you as defined by GDPR Article 22. Compliance scores are informational tools — not legal determinations. You are not subject to decisions based solely on automated processing.

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users by email for significant changes
  • Provide at least 30 days' notice before changes take effect

Continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact & Supervisory Authority

For any questions, concerns, or requests regarding your personal data:

Email: [email protected]

Response time: Within 30 days (GDPR Art. 12(3))

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.