GDPR Compliance Statement

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

At Toolify, we are committed to complying with the GDPR and protecting the privacy and personal data of our users. This document outlines our approach to GDPR compliance and the rights of our users under this regulation.

Key GDPR Principles:

2. Our Commitment to GDPR Compliance

Toolify is committed to:

• Ensuring that personal data is processed lawfully, fairly, and transparently
• Collecting personal data only for specified, explicit, and legitimate purposes
• Ensuring that personal data is adequate, relevant, and limited to what is necessary
• Keeping personal data accurate and up to date
• Storing personal data only for as long as necessary
• Ensuring appropriate security, integrity, and confidentiality of personal data

3. Lawful Basis for Processing

Under GDPR, we must have a lawful basis for processing personal data. For Toolify users, our lawful bases include:

• Consent: Where you have given clear consent for us to process your personal data for a specific purpose
• Contract: Where processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
• Legal Obligation: Where processing is necessary for us to comply with the law
• Legitimate Interests: Where processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests

For each type of data processing we conduct, we have documented the lawful basis. This documentation is regularly reviewed and updated as necessary.

4. Your Rights Under GDPR

As an EU citizen, you have specific rights under the GDPR:

5. Data Protection Officer

Toolify has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and GDPR compliance. Our DPO is responsible for:

• Informing and advising us about our GDPR obligations
• Monitoring compliance with the GDPR and other data protection laws
• Providing advice where requested regarding Data Protection Impact Assessments
• Acting as a contact point for data subjects and the supervisory authority

6. Data Processing Agreements

We have Data Processing Agreements (DPAs) in place with all third-party service providers who process personal data on our behalf. These agreements ensure that these providers:

• Only process personal data according to our instructions
• Implement appropriate technical and organizational security measures
• Assist us in complying with GDPR obligations
• Notify us of any data breaches
• Delete or return personal data at the end of the contract

Our key data processors include:

• Cloud Service Providers: Amazon Web Services, Google Cloud Platform
• Analytics Providers: Google Analytics, Hotjar
• Email Service Providers: SendGrid, Mailchimp
• Payment Processors: Stripe, PayPal
• Customer Support: Zendesk, Intercom

7. International Data Transfers

Toolify is based in the United States, which means your personal data may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal data under European Union law.

To ensure that your personal data receives an adequate level of protection, we have put in place appropriate safeguards, including:

• Standard Contractual Clauses: We use EU Commission-approved Standard Contractual Clauses for transfers to third countries
• Privacy Shield: Where applicable, we ensure our US-based vendors are Privacy Shield certified
• Binding Corporate Rules: For intra-group transfers, we implement Binding Corporate Rules
• Derogations: In specific cases, we may rely on GDPR derogations for specific situations

All international data transfers are documented and regularly reviewed for compliance with GDPR requirements.

8. Data Breach Notification

In the event of a personal data breach, we will notify the appropriate supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected individuals without undue delay.

Our Data Breach Response Plan Includes:

• Immediate containment of the breach
• Assessment of the risk to individuals
• Notification to supervisory authorities (where required)
• Communication with affected individuals (where required)
• Documentation of the breach and response
• Review and improvement of security measures

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to individuals' rights and freedoms. This includes systematic and extensive evaluation of personal aspects based on automated processing, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas on a large scale.

When we conduct DPIAs:

• Before implementing new processing technologies
• When processing special categories of data on a large scale
• When conducting systematic monitoring of public areas
• When using new profiling or automated decision-making processes
• When processing data in a way that involves tracking individuals' behavior

10. Privacy by Design and by Default

We implement Privacy by Design and by Default principles in all our products and services:

• Data Minimization: We only collect data necessary for specific purposes
• Purpose Limitation: We clearly define and communicate the purpose of data collection
• Storage Limitation: We implement automatic data deletion policies
• Security by Default: We implement security measures from the start of product development
• Transparency: We provide clear information about data processing
• User Control: We provide tools for users to manage their data

11. Exercising Your GDPR Rights

To exercise any of your GDPR rights, please contact our Data Protection Officer at dpo@toolify.com. We will respond to your request within one month of receipt.

We may need to verify your identity before processing your request. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

How to Submit a Request:

• Email: dpo@toolify.com
• Online Form: Available in your account settings
• Post: Toolify Data Protection Officer, 123 Tech Street, Suite 456, San Francisco, CA 94107, USA

Information Required: When making a request, please provide:

• Your full name and contact information
• Description of the right you wish to exercise
• Details of the personal data in question
• Any relevant account information (username, email address)

12. Updates to Our GDPR Compliance

We regularly review and update our GDPR compliance measures to ensure they remain effective and up-to-date with regulatory changes. This includes:

• Annual review of data protection policies and procedures
• Regular staff training on data protection
• Continuous monitoring of regulatory developments
• Regular security assessments and audits
• Periodic review of data processing activities

Any significant changes to our GDPR compliance practices will be communicated through updates to this document and, where appropriate, direct communication with users.

13. Contact Information

For questions about our GDPR compliance or to exercise your data protection rights, please contact: