1. Introduction
This General Data Protection Regulation (GDPR) Compliance Policy outlines our commitment to safeguarding the personal data of individuals within the European Union (EU). We comply with the principles of the GDPR and ensure that all personal data is processed lawfully, fairly, and transparently.
Our processing of personal data is always based on a valid legal basis under Article 6 of the GDPR, including but not limited to:
- Consent (when you provide explicit agreement).
- Contractual necessity (when processing is required to fulfill our contract with you).
- Legal obligation (when processing is necessary to comply with the law).
- Legitimate interests (when processing is essential for our business operations, balanced with your rights).
2. Scope
This policy applies to all personal data collected, processed, and stored by [Your Company Name], regardless of where the processing takes place, when it relates to individuals located in the EU. It also applies to non-EU entities when offering goods or services to EU residents or monitoring their behavior.
3. Data Collection and Processing
We only collect and process personal data that is relevant, adequate, and not excessive for the intended purposes. Categories of personal data we may collect include:
- Identification data (e.g., name, email address, phone number).
- Transactional data (e.g., payment information, purchase records).
- Communication data (e.g., correspondence, inquiries).
- Technical data (e.g., IP address, cookies, browsing history).
We process personal data for the following legitimate purposes:
- Providing and improving our services.
- Communicating with you regarding inquiries, transactions, and updates.
- Complying with legal and regulatory obligations.
- Conducting business analysis and service enhancements.
We do not use personal data for automated decision-making or profiling without your explicit consent.
4. Data Subjects’ Rights
Under GDPR, you have the following rights:
- Right of Access – Request details of the personal data we hold about you.
- Right to Rectification – Request corrections of inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”) – Request deletion of your data under certain conditions.
- Right to Restrict Processing – Request limits on how we process your data.
- Right to Data Portability – Request a copy of your data in a structured, machine-readable format.
- Right to Object – Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent – Withdraw consent at any time if processing is based on consent.
- Right to Lodge a Complaint – File a complaint with your local supervisory authority if you believe we have not handled your data lawfully.
We respond to rights requests within one month, extendable by two months where requests are complex.
5. Data Security
We have implemented appropriate technical and organizational measures in compliance with Article 32 GDPR to ensure the confidentiality, integrity, and availability of personal data. These include:
- Data encryption and secure storage.
- Role-based access controls.
- Regular security assessments and penetration testing.
- Staff training on data protection best practices.
- Incident response and breach notification protocols.
If a personal data breach occurs, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or contractual obligations. Specific retention periods may include:
- Customer account data: up to 7 years after account closure.
- Transactional/payment records: retained for 7 years for tax and audit purposes.
- Marketing data: retained until you withdraw consent or opt out.
Once retention periods expire, data will be securely deleted or anonymized.
7. International Data Transfers
When personal data is transferred outside the EU, we ensure compliance with Articles 44–46 GDPR by implementing appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Binding Corporate Rules (BCRs), where applicable.
- Data transfer risk assessments in line with the Schrems II ruling.
8. Updates to this Policy
We regularly review and update this GDPR Compliance Policy to reflect changes in legal requirements, industry best practices, and our internal procedures. The latest version will always be available on our website.
Updated: 18 Aug 2025
9. Contact Information
For questions, concerns, or to exercise your rights under GDPR, please contact:
ARZPAK
Data Controller
Email: contact@arzpak.com

