GDPR Compliance

Your data protection rights under the General Data Protection Regulation

Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have specific rights regarding your personal data. We are committed to respecting these rights and making them easily accessible to you.

Right of Access

Request a copy of all personal data we hold about you

Within 30 days

Right to Rectification

Correct any inaccurate or incomplete personal data

Within 30 days

Right to Erasure

Request deletion of your personal data ('Right to be Forgotten')

Within 30 days

Right to Restrict Processing

Limit how we process your personal data

Within 30 days

Right to Data Portability

Receive your data in a structured, machine-readable format

Within 30 days

Right to Object

Object to processing of your personal data for specific purposes

Immediately

Submit a GDPR Request

Use this form to exercise your data protection rights

To protect your privacy, we may require additional verification for certain requests

Important Notice:

We will respond to your request within 30 days as required by GDPR. For identity verification, we may contact you using the information provided.

How We Process Your Data

Legal Basis for Processing

Contract Performance

Processing necessary to fulfill your orders and provide services

Legitimate Interest

Improving our services, fraud prevention, and business operations

Consent

Marketing communications and optional features (with your permission)

Legal Obligation

Compliance with tax, accounting, and other legal requirements

Data Protection Measures

Technical Safeguards

SSL encryption, secure servers, access controls, regular security audits

Organizational Measures

Staff training, data minimization, privacy by design principles

Third-Party Agreements

Data processing agreements with all service providers

Regular Reviews

Ongoing assessment of data protection practices and policies

International Data Transfers

Transfer Safeguards

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data.

  • EU Adequacy Decisions for approved countries
  • Standard Contractual Clauses (SCCs) with service providers
  • Binding Corporate Rules for multinational companies

Service Providers

We work with trusted service providers who are contractually bound to protect your data:

Payment Processing

Stripe (Ireland), PayPal (Luxembourg) - EU-based processing

Email Services

EU-based email providers with GDPR compliance

Analytics

Google Analytics with IP anonymization and data retention limits

Data Retention Periods

Data Type | Retention Period | Legal Basis | Deletion Process
Account Information | Active account + 3 years after closure | Contract performance | Automatic deletion
Order History | 7 years from purchase date | Legal obligation (tax law) | Automatic deletion
Marketing Data | Until consent withdrawal | Consent | Immediate upon request
Website Analytics | 26 months (Google Analytics) | Legitimate interest | Automatic deletion
Support Communications | 3 years from last contact | Legitimate interest | Manual review and deletion

Data Breach Procedures

Our Commitment

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we commit to:

  • Notify supervisory authorities within 72 hours
  • Inform affected individuals without undue delay
  • Provide clear information about the breach
  • Take immediate steps to contain and remedy the breach
  • Implement additional safeguards to prevent future incidents

What We'll Tell You

If we need to notify you about a data breach, our communication will include:

  • Nature of the breach and data involved
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Steps you can take to protect yourself
  • Contact information for further questions

Your Right to Lodge a Complaint

Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection authority.

Italian Data Protection Authority

Garante per la protezione dei dati personali

Website: www.gpdp.it
Email: garante@gpdp.it
Phone: +39 06 69677 1

European Data Protection Board

For EU-wide coordination

Website: edpb.europa.eu
Find your local authority on their website

GDPR Questions or Concerns?

Our Data Protection Officer is here to help

Email

Direct line to our Data Protection Officer

dpo@newheras.com

Phone

Speak directly with our privacy team

+39 02 1234 5678

Postal Address

For formal written requests

Data Protection Officer
Newheras™ S.r.l.
Via Roma 123
20121 Milano, Italy

Response Guarantee

We guarantee to respond to all GDPR requests within 30 days as required by law. For complex requests, we may extend this period by an additional 60 days with proper notification.