GDPR Compliance

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that took effect on May 25, 2018, throughout the European Union (EU) and the European Economic Area (EEA). The GDPR establishes strict rules for how organizations collect, use, store, and protect personal data of EU/EEA residents, regardless of where the organization is located.

At MarketMorph AI, a product of ACA Tech Solutions, we are fully committed to GDPR compliance and protecting the privacy rights of all our EU/EEA users. This page outlines our GDPR compliance practices, your rights under the regulation, and how you can exercise those rights.

Our GDPR Commitment

We process all personal data in accordance with GDPR principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. We have implemented appropriate technical and organizational measures to ensure ongoing GDPR compliance and to protect your fundamental right to data protection.

1.1 Who Does GDPR Apply To?

GDPR applies to:

All individuals located in the European Union or European Economic Area, regardless of their nationality
EU/EEA citizens located anywhere in the world (with certain exceptions)
Any organization that offers goods or services to EU/EEA residents
Any organization that monitors the behavior of EU/EEA residents

1.2 Key GDPR Principles

Our data processing activities are guided by the following GDPR principles:

Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner
Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
Data Minimization: We collect only the data that is adequate, relevant, and necessary for our purposes
Accuracy: We take reasonable steps to ensure personal data is accurate and up-to-date
Storage Limitation: We keep personal data only as long as necessary for the purposes for which it was collected
Integrity and Confidentiality: We implement appropriate security measures to protect personal data
Accountability: We can demonstrate our compliance with all GDPR principles

2. Your Data Protection Rights

Under the GDPR, you have comprehensive rights regarding your personal data. We respect and facilitate the exercise of these rights, responding to requests within the legal timeframe (typically 30 days).

Right to Access

You have the right to request access to your personal data and obtain a copy of the information we hold about you.

Right to Rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances.

Right to Restriction

You can request that we restrict the processing of your personal data in certain situations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You can object to the processing of your personal data for direct marketing or based on legitimate interests.

Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produces legal effects.

Right to Withdraw Consent

Where we process your data based on consent, you can withdraw that consent at any time.

3. Lawful Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

3.1 Contract Performance

We process your personal data to perform our contract with you (our Terms of Service) and to provide you with the MarketMorph AI Services. This includes creating your account, processing payments, providing customer support, and delivering the features you've subscribed to.

3.2 Legitimate Interests

We process certain personal data based on our legitimate business interests, including:

Improving and developing our Services
Understanding how users interact with our platform
Detecting and preventing fraud and security threats
Analyzing platform performance and user behavior
Internal administrative purposes

We always balance our legitimate interests against your rights and freedoms, and you have the right to object to processing based on legitimate interests.

3.3 Legal Obligation

We process personal data when required to comply with legal obligations, such as:

Responding to law enforcement requests
Complying with court orders
Meeting tax and accounting requirements
Fulfilling regulatory obligations

3.4 Consent

For certain processing activities, we rely on your explicit consent, including:

Marketing communications (you can opt-out at any time)
Non-essential cookies and tracking technologies
Certain data sharing with third parties
Processing of special categories of personal data (if applicable)

You have the right to withdraw your consent at any time, which will not affect the lawfulness of processing based on consent before its withdrawal.

3.5 Vital Interests

In rare circumstances, we may process personal data to protect the vital interests of you or another person, such as in emergency situations.

4. Data We Collect

For detailed information about the personal data we collect, how we use it, and with whom we share it, please refer to our comprehensive Privacy Policy. Below is a summary of the categories of data we process:

4.1 Categories of Personal Data

Identity Data: Name, username, email address, phone number
Account Data: Password, authentication credentials, security questions
Business Data: Company name, industry, business size, marketing goals
Transaction Data: Payment information, billing address, purchase history
Technical Data: IP address, browser type, device information, operating system
Usage Data: How you use our Services, features accessed, time spent, navigation patterns
Marketing Data: Preferences regarding marketing communications, campaign engagement
Project Data: Website URLs, keywords, content created, marketing materials, analytics data

4.2 Special Categories of Data

We do not intentionally collect special categories of personal data (also known as sensitive personal data) such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation. If we become aware that we have inadvertently collected such data, we will delete it promptly.

4.3 Children's Data

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately so we can delete it.

5. International Data Transfers

MarketMorph AI is operated by ACA Tech Solutions, and your personal data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including the United States. These countries may have data protection laws that differ from those in your country.

5.1 Transfer Mechanisms

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place to protect your data, including:

Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission for transfers to third countries. These clauses impose obligations on both the data exporter and data importer to ensure adequate protection of personal data.

Adequacy Decisions: We may transfer data to countries that have been deemed by the European Commission to provide an adequate level of data protection, such as certain countries that have adequacy decisions in place.

Binding Corporate Rules: For transfers within our corporate group, we may rely on Binding Corporate Rules that have been approved by relevant data protection authorities.

5.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate the risks associated with international data transfers and ensure that appropriate supplementary measures are implemented where necessary to provide an adequate level of protection.

5.3 US-Based Processing

Some of our servers and service providers are located in the United States. When transferring data to the US, we ensure that our US service providers are bound by Standard Contractual Clauses and implement appropriate supplementary measures to protect your data.

Transparency in Data Transfers

We believe in transparency about our data transfers. If you would like more information about the specific countries to which your data may be transferred or the safeguards we have implemented, please contact our Data Protection Officer.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, or reporting requirements.

6.1 Retention Periods

Our standard retention periods are as follows:

Account Information: Retained for the duration of your account plus 90 days after closure (to allow for account reactivation)
Project Data: Retained for the duration of your subscription plus 30 days for data export
Transaction Records: Retained for 7 years to comply with tax and accounting regulations
Marketing Data: Retained until you opt-out or for 3 years after your last interaction with us
Technical Logs: Retained for 12-24 months for security and debugging purposes
Support Communications: Retained for 3-5 years for customer service and quality assurance

6.2 Deletion Process

When the retention period expires or when you request deletion of your data, we follow a comprehensive deletion process:

Data is removed from production systems within 30 days
Backup systems are purged according to our backup retention schedule (typically within 90 days)
Any aggregated or anonymized data derived from your personal data may be retained indefinitely as it can no longer identify you
We may retain certain data as required by law or for legitimate legal purposes

6.3 Right to Erasure Exceptions

There are circumstances where we may not be able to delete your data immediately, such as when we need to:

Comply with a legal obligation
Establish, exercise, or defend legal claims
Fulfill contractual obligations that require data retention
Protect the rights and freedoms of others

7. Exercising Your Rights

We make it easy for you to exercise your GDPR rights. You can submit requests through multiple channels, and we will respond within 30 days (or inform you if we need more time, which cannot exceed 60 days total).

7.1 How to Submit a Request

You can exercise your rights by:

Account Settings: For many rights (access, rectification, deletion), you can manage your data directly through your account settings
Email: Contact our Data Protection Officer at [email protected]
Contact Form: Submit a request through our contact form
Mail: Write to us at the address provided in the Contact Information section

7.2 Identity Verification

To protect your privacy and security, we may need to verify your identity before processing your request. We may ask you to:

Provide identifying information (such as account email and username)
Answer security questions
Respond to a verification email sent to your registered email address
Provide additional proof of identity for sensitive requests

7.3 Processing Requests

When you submit a request:

We will acknowledge receipt of your request within 5 business days
We will provide a substantive response within 30 days
If we need more time, we will explain why and inform you of the extension (maximum 60 days total)
We will not charge a fee unless your request is manifestly unfounded or excessive
If we decline your request, we will explain our reasons and inform you of your right to complain to a supervisory authority

7.4 Data Portability Format

When you request data portability, we will provide your data in JSON format (machine-readable, structured, and commonly used). You can request your data in other formats, and we will accommodate if technically feasible.

8. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and serve as a point of contact for data protection matters. Our DPO is responsible for:

Monitoring compliance with GDPR and other data protection laws
Advising on data protection impact assessments
Cooperating with supervisory authorities
Acting as the contact point for supervisory authorities and data subjects
Providing guidance on data protection best practices

8.1 Contact Our DPO

You can contact our Data Protection Officer at:

Email: [email protected]
Subject Line: "GDPR Inquiry" or "Data Protection Request"
Mail: Data Protection Officer, ACA Tech Solutions, 123 Innovation Drive, Suite 500, San Francisco, CA 94105, United States

8.2 EU Representative

For users in the European Union, we have appointed an EU representative who can be contacted at:

Email: [email protected]
Address: [EU Representative Address - To be provided]

9. Right to Lodge a Complaint

If you believe that we have violated your rights under GDPR or if you are dissatisfied with how we have handled your data protection request, you have the right to lodge a complaint with a supervisory authority.

9.1 Lead Supervisory Authority

Our lead supervisory authority is the data protection authority in the jurisdiction where our main establishment in the EU is located. However, you have the right to lodge a complaint with the supervisory authority in:

Your country of habitual residence
Your place of work
The place where the alleged infringement occurred

9.2 Contact Information for EU Supervisory Authorities

You can find contact information for all EU data protection authorities at the European Data Protection Board website.

9.3 Internal Resolution

While you have the right to complain to a supervisory authority at any time, we encourage you to contact us first so we can try to resolve your concerns directly. Many issues can be resolved more quickly through direct communication with our Data Protection Officer.

10. Contact Information

For questions, concerns, or requests related to GDPR compliance and your data protection rights, please contact us:

10.1 Data Controller

ACA Tech Solutions
MarketMorph AI Division
123 Innovation Drive, Suite 500
San Francisco, CA 94105
United States

10.2 Contact Methods

Data Protection Officer: [email protected]
GDPR Inquiries: [email protected]
Privacy Team: [email protected]
General Support: [email protected]
Phone: +1 (555) 123-4567
EU Representative: [email protected]

10.3 Related Documents

For comprehensive information about our data practices, please review:

Privacy Policy - Detailed information about data collection and use
Cookie Policy - Information about cookies and tracking technologies
Terms of Service - Your rights and obligations as a user

Table of Contents