Privacy Policy

Data Controller & Processing Purposes

Under GDPR, our company acts as data controller for personal data collected via DAM platform usage (IP addresses, user actions, uploaded asset metadata). Purpose includes system administration, analytics of feature usage, and legal obligations. Lawful basis: legitimate interest for network security, contract performance for user management.

Data Categories & Retention

• User account data (name, email, role): retained for duration of contract + 90 days post termination
• Asset metadata (creator, creation date): indefinite for archival references
• Usage logs (file access, modifications): 180 days for auditing

Third-Party Sharing & International Transfers

We share data with cloud service providers (AWS, Azure) under DPAs that meet Article 28 GDPR requirements. For transfers outside EEA, we rely on SCCs (2021 version) and TIA supplementary measures. If you are in California, CCPA rights apply: request deletion of your personal information (excluding assets metadata required for business operations).

Your Rights & Recourse

• Right to access: provide copy of all personal data within 30 days
• Right to rectification: correct inaccurate metadata
• Right to object: to processing for direct marketing (we do not) or profiling (we don’t)
• Supervisory authority: lodge complaint with your local DPA (e.g., ICO, CNIL). Contact our Data Protection Officer: [email protected]