GDPR - Comprehensive Data Protection Rights

🛡️ Last Updated: 20.06.2025 | Comprehensive GDPR compliance for TrustedBoosts review management services. Your data protection rights explained in detail.

1. Controller Information & Data Protection Contact

Data Controller (Responsible Party under GDPR Art. 4(7)):
Sascha Wohlert
TrustedBoosts
Grüner Weg 5
94133 Röhrnbach, Germany
Email: mail@trustedboosts.com
VAT ID: DE329290158

Data Protection Inquiries: For all data protection matters, GDPR rights exercise, or privacy concerns, contact us at mail@trustedboosts.com with "GDPR Request" in the subject line.

Response Commitment: We respond to all GDPR requests within 30 days of receipt. For complex requests, or where you submit several requests, we may extend this to 60 days; we will inform you of any extension, with the reasons, within the first 30 days. (Art. 12(3) GDPR permits an extension of up to two further months; we commit to the shorter period.)

2. Your Comprehensive GDPR Rights (Articles 15-22)

Under the General Data Protection Regulation (GDPR), you have extensive rights regarding your personal data. These rights are fundamental and cannot be waived:

2.1 Right of Access (Art. 15 GDPR)

What this means: You have the right to obtain comprehensive information about your personal data processing.

You can request:

  • Confirmation whether we process your personal data
  • Complete copy of all personal data we hold about you
  • Purposes of processing and legal basis for each purpose
  • Categories of personal data concerned
  • Recipients or categories of recipients of your data
  • Retention periods or criteria used to determine retention
  • Information about international transfers and safeguards
  • Source of data if not collected directly from you
  • Existence of automated decision-making or profiling
  • Your rights to rectification, erasure, restriction and objection, and your right to lodge a complaint with a supervisory authority

2.2 Right to Rectification (Art. 16 GDPR)

What this means: You have the right to have inaccurate personal data corrected and incomplete data completed.

We will:

  • Correct inaccurate personal data without undue delay once your request is verified
  • Complete incomplete data by providing supplementary statement
  • Notify third parties (where possible) of corrections made
  • Update backup systems within 90 days
  • Provide confirmation of rectification completion

2.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

What this means: You have the right to have your personal data deleted in specific circumstances.

Grounds for erasure:

  • Personal data no longer necessary for original purposes
  • Withdrawal of consent where consent was the legal basis
  • Objection to processing where no overriding legitimate grounds exist
  • Personal data unlawfully processed
  • Compliance with legal obligation requires erasure
  • Data collected in relation to information society services for children

Exceptions (we may refuse erasure if processing is necessary for):

  • Freedom of expression and information
  • Compliance with legal obligations (e.g., tax records - 10 years)
  • Public interest in public health
  • Archiving, research, or statistical purposes
  • Establishment, exercise, or defense of legal claims

2.4 Right to Restriction of Processing (Art. 18 GDPR)

What this means: You can request that we limit how we process your data in certain circumstances.

When restriction applies:

  • You contest the accuracy of personal data (during verification period)
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need data but you need it for legal claims
  • You object to processing pending verification of legitimate grounds

During restriction: We may only store your data; any further processing requires your consent, or must be necessary for legal claims, for the protection of another person's rights, or for reasons of important public interest (Art. 18(2) GDPR).

2.5 Right to Data Portability (Art. 20 GDPR)

What this means: You can receive your personal data in a structured, commonly used, machine-readable format.

Conditions for portability:

  • Processing based on consent or contract performance
  • Processing carried out by automated means
  • Does not adversely affect rights and freedoms of others

Available formats: JSON, CSV or XML (structured, machine-readable formats that satisfy Art. 20), or another structured format on request. We can additionally provide a PDF copy for your own reading, but PDF is not a structured format and is not suitable for transmitting data to another controller.

2.6 Right to Object (Art. 21 GDPR)

What this means: You can object to processing based on legitimate interests or for direct marketing purposes.

Absolute right to object:

  • Direct marketing (including profiling for marketing)
  • Marketing communications and promotional content

Conditional right to object:

  • Processing based on legitimate interests (we must demonstrate compelling legitimate grounds)
  • Processing for scientific, historical research, or statistical purposes

2.7 Rights Related to Automated Decision-Making & Profiling (Art. 22 GDPR)

What this means: Protection from decisions based solely on automated processing.

Your rights:

  • Not to be subject to solely automated decisions with legal/significant effects
  • Human intervention in decision-making processes
  • Express your point of view and contest automated decisions
  • Request explanation of automated decision logic

Current status: We do not currently use automated decision-making or profiling that produces legal or similarly significant effects.

3. Review Management Specific Data Processing

3.1 Trustpilot & Platform Data Processing

Types of data processed for review management:

  • Platform Credentials: API keys, access tokens, usernames (encrypted at rest)
  • Business Profile Data: Company information, business details, contact information
  • Review Content: Review texts, ratings, reviewer information, timestamps
  • Response Data: Response drafts, published responses, response templates
  • Analytics Data: Performance metrics, improvement tracking, competitive analysis
  • Communication Records: Customer interactions, support tickets, strategy discussions

3.2 Legal Basis for Review Management Processing

Art. 6(1)(b) - Contract Performance:

  • Service delivery and review management implementation
  • Platform integration and API connectivity
  • Response management and customer communication
  • Performance reporting and analytics provision

Art. 6(1)(f) - Legitimate Interests:

  • Service improvement and optimization
  • Fraud prevention and security monitoring
  • Quality assurance and training purposes
  • Business analytics and performance assessment

4. How to Exercise Your GDPR Rights

4.1 Submitting GDPR Requests

Contact Method: Email mail@trustedboosts.com with "GDPR Request - [Right Name]" in subject line.

Required Information:

  • Full name and email address associated with your account
  • Specific GDPR right(s) you wish to exercise
  • Detailed description of your request
  • Account information or service details (if applicable)
  • Preferred format for data portability requests
  • Proof of identity where we have reasonable doubts about who is asking (Art. 12(6) GDPR). Sending the request from the email address registered to your account is normally sufficient; if we ask for a copy of an ID document, black out everything except your name, address and date of birth, as we do not need the remaining fields.

4.2 Response Timeline & Process

  • Standard Response: Within 30 days of request receipt
  • Complex Requests: Up to 60 days (with advance notification and explanation)
  • Identity Verification: May require 3-5 days for security verification
  • Third-Party Notification: Additional time if third parties must be notified
  • Technical Implementation: Complex technical requests may require additional processing time

4.3 Free Exercise of Rights

No Charge Policy: Exercising GDPR rights is generally free of charge.

Exceptions (Art. 12(5)):

  • Manifestly unfounded requests
  • Excessive requests (particularly repetitive)
  • Additional copies of data beyond the first free copy

Fee Structure: When applicable, fees are based on administrative costs and will be communicated before processing.

5. Data Security & Protection Measures

5.1 Technical Safeguards (Art. 32 GDPR)

Encryption & Security:

  • Data at Rest: AES-256 encryption for stored data
  • Data in Transit: TLS 1.3 for all data transmissions
  • Database Security: Encrypted MongoDB Atlas with access controls
  • API Security: Encrypted API keys and secure authentication tokens
  • Backup Security: Encrypted backups with geographical separation
  • Network Security: Firewalls, intrusion detection, and monitoring

5.2 Organizational Measures

  • Access Controls: Role-based access and principle of least privilege
  • Staff Training: Regular GDPR and data protection training
  • Data Processing Agreements: Binding agreements with all processors
  • Regular Audits: Internal and external security assessments
  • Incident Response: Comprehensive breach response procedures
  • Documentation: Complete records of processing activities

6. International Data Transfers & Safeguards

6.1 Transfer Mechanisms (Chapter V GDPR)

EU Adequacy Decisions:

  • Transfers to countries with EU adequacy decisions where applicable
  • Regular monitoring of adequacy decision status

Standard Contractual Clauses (SCCs):

  • EU Commission approved SCCs for controller-to-processor transfers
  • Supplementary measures where required by local law
  • Regular assessment of transfer risks and safeguards

6.2 Third-Party Processor Safeguards

  • Vercel (Hosting): EU/US data processing with SCCs
  • MongoDB Atlas: EU region deployment with encryption
  • Stripe (Payments): PCI DSS compliant with EU operations
  • Trustpilot: EU-based processing for review management
  • Communication Providers: EU-based or adequacy decision countries

7. Data Retention & Deletion

7.1 Retention Principles (Art. 5(1)(e) GDPR)

Storage Limitation: We retain personal data only as long as necessary for the original purposes, for legal retention obligations, or for legitimate business needs, and we collect no more data than those purposes require (Art. 5(1)(c) GDPR, data minimisation).

7.2 Specific Review Management Retention Periods

  • Customer Account Data: Duration of relationship + 3 years (contractual claims limitation)
  • Transaction & Billing Records: 10 years (German tax law - AO/HGB requirements)
  • Review Management Data: Duration of service + 2 years (performance analysis and improvement)
  • Platform Credentials: Duration of service + 30 days (security and transition)
  • Communication Records: 3 years after last business contact
  • Analytics & Performance Data: 2 years (business optimization)
  • Technical Logs: 12 months (security monitoring and incident response)
  • Marketing Data: Deleted on consent withdrawal; a minimal record of the consent and its withdrawal (suppression entry) is kept for 1 year so that we can honour the opt-out and demonstrate compliance (Art. 6(1)(f), Art. 7(1) GDPR)
  • Support & Help Data: 2 years after resolution

7.3 Secure Deletion Process

Deletion Methods:

  • Cryptographic erasure for encrypted data: the data encryption key for the affected records is destroyed, which renders every copy of the ciphertext (including backup copies) unreadable at once
  • Overwriting of unencrypted data where we control the storage; for managed cloud storage (our hosting and database providers, see Section 6.2) media-level sanitisation is performed by the provider under the data processing agreement
  • Physical destruction of storage media we operate ourselves, when necessary
  • Database record purging with verification that no copies remain in indexes, caches or derived datasets
  • Backup system inclusion (backups containing the deleted data are purged or keys rotated within 90 days)
  • Third-party processor notification and confirmation of deletion
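Cryptographic erasure, listed above as the first deletion method, works because each customer's records are encrypted under their own data encryption key (DEK), and the DEKs are themselves stored wrapped under a master key encryption key (KEK). Deleting a customer's wrapped DEK makes every ciphertext for that customer unrecoverable, including copies sitting in backups that are never touched. The following is an added illustration of that key hierarchy and is not TrustedBoosts' own code; the cipher inside it is a stand-in built from HMAC-SHA256 so the example runs with the Python standard library alone, and the customer ID and sample secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# Stand-in cipher: HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag.
# It exists only so this example runs without third-party packages; a production
# system would use a real AEAD such as AES-256-GCM. The key hierarchy below is the
# part that matters for erasure, and it is independent of the cipher used.
_NONCE_LEN = 16
_TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, block counter)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, b"enc" + nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise ValueError on any mismatch."""
    if len(blob) < _NONCE_LEN + _TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext modified or wrong key")
    return _keystream_xor(key, nonce, ct)


class CustomerKeyStore:
    """One DEK per customer, each stored wrapped under the KEK.

    Ciphertexts live in the database and in backups; only the wrapped DEK lives here.
    Deleting the wrapped DEK is the erasure step: every copy of that customer's
    ciphertext becomes unreadable at once, without locating or rewriting backups.
    """

    def __init__(self, kek: bytes) -> None:
        if len(kek) != 32:
            raise ValueError("KEK must be 32 bytes")
        self._kek = kek
        self._wrapped_deks: dict[str, bytes] = {}

    def provision(self, customer_id: str) -> None:
        if customer_id in self._wrapped_deks:
            raise ValueError(f"customer {customer_id!r} already has a key")
        dek = secrets.token_bytes(32)
        self._wrapped_deks[customer_id] = _seal(self._kek, dek)

    def _dek(self, customer_id: str) -> bytes:
        try:
            wrapped = self._wrapped_deks[customer_id]
        except KeyError:
            raise KeyError(f"no key for {customer_id!r}: data is cryptographically erased") from None
        return _open(self._kek, wrapped)

    def encrypt(self, customer_id: str, plaintext: bytes) -> bytes:
        return _seal(self._dek(customer_id), plaintext)

    def decrypt(self, customer_id: str, blob: bytes) -> bytes:
        return _open(self._dek(customer_id), blob)

    def erase(self, customer_id: str) -> None:
        """Crypto-shred: drop the wrapped DEK. Backups of ciphertext need no further action."""
        del self._wrapped_deks[customer_id]

    def has_key(self, customer_id: str) -> bool:
        return customer_id in self._wrapped_deks


def demo() -> dict:
    """Provision -> encrypt -> back up -> erase, and report what is still readable."""
    store = CustomerKeyStore(kek=secrets.token_bytes(32))
    store.provision("customer-42")                      # hypothetical customer ID
    secret = b"platform-token=example-not-a-real-token"  # constructed sample credential
    db_row = store.encrypt("customer-42", secret)
    backup_copy = bytes(db_row)                          # off-site backup taken before erasure

    readable_before = store.decrypt("customer-42", backup_copy) == secret
    # A modified ciphertext must be rejected rather than decrypted to garbage.
    tampered = backup_copy[:_NONCE_LEN] + bytes([backup_copy[_NONCE_LEN] ^ 1]) + backup_copy[_NONCE_LEN + 1:]
    try:
        store.decrypt("customer-42", tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    store.erase("customer-42")                           # the only step erasure needs
    try:
        store.decrypt("customer-42", backup_copy)
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "readable_before_erase": readable_before,
        "tamper_detected": tamper_detected,
        "readable_after_erase": readable_after,
        "backup_still_exists": len(backup_copy) > 0,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the backup copy is still present after erasure but can no longer be decrypted, which is what lets a 90-day backup cycle coexist with a prompt erasure; the KEK itself must then be held outside the database (for example in a key management service) so that a backup of the database never contains both the ciphertext and the key that unwraps it.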

8. Data Breach Notification (Art. 33-34 GDPR)

8.1 Breach Response Procedures

Immediate Response (within 72 hours of becoming aware of the breach):

  • Breach containment and initial risk assessment
  • Notification to the supervisory authority (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) within 72 hours, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if notification is late, the reasons for the delay are documented (Art. 33 GDPR)
  • Internal incident documentation and investigation, including the facts, effects and remedial action taken, so that the supervisory authority can verify compliance (Art. 33(5) GDPR)
  • Assessment of the risk to individuals' rights and freedoms, which determines whether individuals must also be informed (Art. 34 GDPR)

Individual Notification (without undue delay if high risk):

  • Clear and plain language explanation of breach
  • Likely consequences and risks to individuals
  • Measures taken or proposed to address breach
  • Contact point for further information
  • Practical steps individuals can take to protect themselves

9. Children's Data Protection (Art. 8 GDPR)

Age Restrictions: Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16.

If we discover child data:

  • Immediate deletion of all personal data
  • Service termination where applicable
  • Parental notification if contact information available
  • Review of collection practices to prevent recurrence

10. Supervisory Authority & Complaints

10.1 Your Right to Lodge Complaints (Art. 77 GDPR)

German Supervisory Authority:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de/

10.2 EU-Wide Supervisory Authorities

You may also lodge complaints with supervisory authorities in other EU member states where you have habitual residence, place of work, or where the alleged infringement occurred.

European Data Protection Board: https://edpb.europa.eu/

11. Contact & GDPR Assistance

For all GDPR-related inquiries, rights exercise, or data protection matters:

Sascha Wohlert
TrustedBoosts - Data Protection
Grüner Weg 5
94133 Röhrnbach, Germany

Email: mail@trustedboosts.com
Subject Line: "GDPR Request - [Specific Right or Inquiry]"

Response Commitment: We are committed to respecting your privacy rights and will respond to all legitimate requests within the timeframes specified by GDPR.

💚 Your Rights Matter: We take data protection seriously and are committed to transparency, accountability, and respect for your fundamental privacy rights under GDPR.