GDPR Compliance Policy
Last updated: October 31, 2025
Introduction
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing the personal data of individuals in the European Union (EU) and European Economic Area (EEA). This policy outlines how Contro complies with GDPR and protects your rights as a data subject.
Our Role Under GDPR
Contro acts as both a Data Controller and Data Processor:
- Data Controller: For your account information, preferences, and how we use your data to provide our services
- Data Processor: For the content you create and publish, where you determine the purposes and means of processing
Legal Basis for Processing
We process your personal data under the following legal bases:
1. Consent
You provide explicit consent when you create an account, subscribe to notifications, or opt in to marketing communications.
2. Contractual Necessity
Processing is necessary to fulfill our Terms of Service and provide you with Contro's content creation platform.
3. Legitimate Interests
We process data to improve our services, prevent fraud, ensure security, and communicate important service updates.
4. Legal Obligations
We may process data to comply with legal requirements, court orders, or regulatory obligations.
Your Rights Under GDPR
As a data subject, you have the following rights:
1. Right to Access
You have the right to request a copy of the personal data we hold about you. You can download your data from your account settings or contact us at privacy@contro.co.
2. Right to Rectification
You can update or correct inaccurate personal information directly in your account settings. For assistance, contact our support team.
3. Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data by deleting your account through settings or contacting us. We will erase your data within 30 days, subject to legal retention requirements.
4. Right to Restrict Processing
You can request that we limit how we use your data while a complaint or verification is being resolved.
5. Right to Data Portability
You can request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.
6. Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
7. Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affects you. Contro does not currently use automated decision-making for user-impacting decisions.
8. Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of your GDPR rights:
- Email us at privacy@contro.co with your request
- Include your account email and specify which right(s) you wish to exercise
- Provide verification of your identity (we may request additional information)
- We will respond within 30 days of receiving your verified request
There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.
Data We Collect
We collect and process the following categories of personal data:
Identity Data
Name, username, email address, profile picture
Contact Data
Email address, social media links (if provided)
Content Data
Posts, articles, comments, media files, and other user-generated content
Technical Data
IP address, browser type, device information, operating system, session IDs
Usage Data
Page views, interactions, feature usage, analytics data
Marketing Data
Your preferences for receiving communications (if you opt in)
Data Retention
We retain your personal data only as long as necessary:
- Active accounts: Data retained while your account is active
- Deleted accounts: Personal data deleted within 30 days, subject to legal requirements
- Public content: May be retained longer if required by law or legitimate interests
- Backup systems: Data in backups deleted within 90 days
- Legal obligations: Some data may be retained longer to comply with tax, accounting, or legal requirements
Data Transfers
Your personal data may be transferred to and stored in countries outside the EEA. When we transfer data internationally, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions recognizing equivalent data protection standards
- Other legally approved transfer mechanisms
Our service providers (such as Supabase) also comply with GDPR and maintain appropriate security measures.
Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit (HTTPS/TLS) and at rest
- Access controls and authentication
- Regular security audits and vulnerability assessments
- Employee training on data protection
- Incident response and breach notification procedures
Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.
Children's Data
Contro is not intended for children under 16 years of age. We do not knowingly collect or process personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately so we can delete it.
Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. You can contact your local data protection authority or:
Irish Data Protection Commission
(if Contro is based in Ireland)
www.dataprotection.ie
However, we encourage you to contact us first at privacy@contro.co so we can address your concerns.
Data Protection Officer
For questions about our GDPR compliance or data protection practices, contact our Data Protection Officer at: dpo@contro.co
Updates to This Policy
We may update this GDPR Policy to reflect changes in our practices or legal requirements. We will notify you of material changes and update the "Last updated" date. Your continued use of Contro after changes constitutes acceptance.
Contact Information
General Privacy Inquiries: privacy@contro.co
Data Protection Officer: dpo@contro.co
GDPR Requests: gdpr@contro.co