Privacy Policy

Effective Date: 27/02/2025

This Privacy Policy explains how DPOeye – Data Protection Management, LTD (“DPOeye,” “we,” or “us”) collects, uses, and discloses personal data in compliance with both the UK GDPR and the EU GDPR (collectively, “Data Protection Laws”). We are a company registered in the United Kingdom, offering services to individuals and organisations in the UK and the EU/EEA.

1. Identity & Contact of the Controller / Processor

Data Processor: For organisational data you upload or process within the Platform (e.g., ROPAs, DPIAs, data subject requests), DPOeye acts as a data processor on behalf of your organisation (the data controller).
Data Controller: For personal data related to your user account (e.g. name, email) needed to create and manage your account, DPOeye is the data controller.

Contact (UK):
Email: [email protected]
DPOeye – Data Protection Management, LTD
3rd Floor, 86-90, Paul Street,
London, England, EC2A 4NE

EU Representative:
Artigo 80 – Associação Portuguesa para a defesa do titular de dados pessoais
Avenida Calouste Gulbenkian, 1811, Loja 7,
4460-270 Senhora da Hora, Portugal
Email: [email protected]

2. Personal Data We Process

User Account Data: Name and email address for creating and managing your account, billing communications, and support.
Organisational Data: Any records you upload (e.g., ROPAs, DPIAs), which we process solely under your instructions as data processor.
Payment Information: Handled by our sub-processor (Stripe). We do not store your complete payment card details.

3. Data Storage & Transfers

We store data in Europe (Frankfurt) to ensure compliance with both UK GDPR and EU GDPR. If data transfers occur outside the UK or EEA, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) to protect personal data.

4. Purposes & Lawful Basis

User Account Data:

To provide our Platform and manage your account (Art. 6(1)(b) GDPR / UK GDPR)
To communicate important service or billing updates (Art. 6(1)(b))

Organisational Data:

Processed under your instructions and necessary to perform our service as data processor (Art. 28 GDPR / UK GDPR)

Payment Info:

Handled by Stripe for payment processing (Art. 6(1)(b)). Stripe complies with PCI-DSS and relevant standards.

5. Retention Period

If you do not proceed to a paid subscription after the trial, we retain your user account data for 6 months, after which it is securely erased. For subscribed users, we keep personal data as long as necessary for service provision or legal requirements.

Financial Records: In accordance with HMRC and related legal obligations, we retain financial records for 6 years plus the current year. This extended retention ensures we can handle any late claims or disputes that may arise within that period.

6. Data Subject Rights (UK & EEA)

Under both UK GDPR and EU GDPR, you have certain rights regarding your personal data:

Right of Access (Art. 15)
Right to Rectification (Art. 16)
Right to Erasure (“right to be forgotten,” Art. 17), where applicable
Right to Restrict Processing (Art. 18)
Right to Object (Art. 21), including to direct marketing
Right to Data Portability (Art. 20), if processing is based on consent or contract and carried out by automated means

To exercise these rights, email [email protected], or contact our EU Representative at [email protected]. We will respond within statutory timeframes (generally within one month).

You also have the right to lodge a complaint with the applicable supervisory authority in the UK or EU if you believe our processing infringes the GDPR/UK GDPR.

7. Security Measures

We implement technical and organisational measures to protect data from unauthorised access or disclosure. This includes secure data center facilities in Frankfurt, encryption in transit, and role-based access controls.

8. Sub-Processors & Disclosures

We may disclose personal data to:

Stripe for payment processing
Other sub-processors as needed to deliver the Platform, ensuring they comply with data protection requirements under valid processing agreements
Government or regulatory agencies when legally obliged, or to comply with a legal obligation (Art. 6(1)(c))

9. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in services or legal requirements. When we do, we will revise the “Effective Date” above. For significant changes, we may notify you by email or another prominent method.

If you have any questions, please contact our DPO at [email protected] or our EU Representative at [email protected].