GDPR compliance document


1. Introduction

This document outlines how Loyalleads Limited ("we," "our," or "the Company") complies with the General Data Protection Regulation (GDPR) in relation to our AI Customer Service Chatbot service.

2. Data Controller Information

Loyalleads Limited

  • Email: loyalleadsltd@gmail.com
  • Address: International House, 10 Churchill Way, Cardiff CF10 2HE
  • Phone: 0747194804
  • Data Protection Officer: Sherif Butt (CTO)

3. Legal Basis for Processing

We process personal data under the following legal bases:

3.1 Consent

  • User registration and account creation
  • Marketing communications
  • Cookie usage
  • Third-party integrations

3.2 Contractual Necessity

  • Service provision
  • Account management
  • Payment processing
  • Customer support

3.3 Legitimate Interests

  • Service improvement
  • Security measures
  • Analytics
  • Fraud prevention

4. Data Processing Activities

4.1 Types of Personal Data Collected

  • Identity information (name)
  • Contact information (email)
  • Technical data (IP address, device information)
  • Usage data (interaction patterns)
  • Communication data (chat history)

4.2 Processing Purposes

  • User authentication
  • Service provision
  • Customer support
  • Technical maintenance
  • Security monitoring
  • Analytics and improvement

4.3 Data Retention Periods

  • Account data: Retained until the user closes their account or cancels their subscription
  • Communication records (chat history): Retained until the user closes their account or cancels their subscription
  • Technical logs (IP address, device information): 12 months
  • Payment information: Retained for as long as required by law (e.g. tax and accounting obligations)

5. Data Subject Rights

We uphold the following data subject rights under the GDPR:

5.1 Right to Access

  • Request copies of personal data
  • Receive information about processing
  • Response within one month of receipt (see section 13.2 for extensions)
  • No fee for standard requests

5.2 Right to Rectification

  • Correct inaccurate data
  • Complete incomplete data
  • Updates processed promptly
  • Third parties notified of changes

5.3 Right to Erasure

  • Request deletion of personal data
  • Deletion is subject to the exceptions in GDPR Article 17(3), for example payment records we must retain by law
  • Deletion is carried out across our systems
  • Third-party processors holding the data are instructed to delete it

5.4 Right to Restrict Processing

  • Request that processing of personal data be restricted
  • Restricted data is stored but not otherwise processed
  • Users are notified before a restriction is lifted
  • Restriction may limit the functionality of the service

5.5 Right to Data Portability

  • Receive personal data in a structured, commonly used, machine-readable format
  • Transmit the data to another controller
  • Direct transfer to another controller where technically feasible
  • Export format and technical specifications

5.6 Right to Object

  • Object to processing of personal data
  • Object to direct marketing at any time
  • Object to processing based on legitimate interests
  • Rights relating to automated decision-making and profiling (GDPR Article 22)

6. Data Security Measures

6.1 Technical Measures

  • Encryption of data in transit and at rest
  • Two-factor authentication
  • Access logging and monitoring
  • Regular security updates
  • Intrusion detection systems
  • Backup encryption
  • Firewall protection

6.2 Organizational Measures

  • Staff training
  • Access control policies
  • Data protection policies
  • Security audits
  • Incident response plans
  • Confidentiality agreements
  • Regular policy reviews

7. International Data Transfers

7.1 Data Storage Location

  • Primary storage: Hetzner (UK/EEA)
  • Backup storage: UK/EEA
  • Third-party processors: Within the UK/EEA

7.2 Transfer Safeguards

  • Standard contractual clauses
  • Adequacy decisions
  • Data transfer agreements
  • Security assessments

8. Third-Party Processors

8.1 Payment Processors

  • Stripe, PayPal (UK-based processing)
  • GDPR-compliant data processing
  • Payment data security

8.2 Cloud Services

  • Hetzner (hosting)
  • Google Cloud (analytics)
  • SendGrid (email)

8.3 Authentication

  • Sign in with Google
  • Sign in with Meta (Facebook)
  • OAuth 2.0-based sign-in

9. Data Protection Impact Assessment

9.1 Risk Assessment

  • Regular assessments conducted
  • Risk mitigation measures
  • Impact on data subjects
  • Technical safeguards

9.2 Monitoring and Review

  • Annual DPIA reviews
  • Change-triggered assessments
  • Stakeholder consultation
  • Documentation maintenance

10. Data Breach Procedures

10.1 Detection and Response

  • Notification to the supervisory authority (the ICO under UK GDPR) within 72 hours of becoming aware of a reportable breach
  • Internal reporting procedures
  • Authority notification process
  • Data subjects notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms

10.2 Documentation

  • Breach register maintenance
  • Impact assessment
  • Remedial actions
  • Prevention measures

11. Data Protection Training

11.1 Staff Training

  • Annual GDPR training
  • Role-specific training
  • Security awareness
  • Policy updates

11.2 Documentation

  • Training records
  • Competency assessment
  • Refresher schedules
  • Policy acknowledgments

12. Compliance Documentation

12.1 Required Records

  • Processing activities
  • Consent records
  • Data transfers
  • Security measures
  • DPIA reports
  • Breach reports

12.2 Review Schedule

  • Annual policy review
  • Quarterly security review
  • Monthly access review
  • Continuous monitoring

13. Subject Access Request Procedure

13.1 Request Handling

  1. Request receipt confirmation
  2. Identity verification
  3. Information gathering
  4. Response preparation
  5. Quality check
  6. Response delivery

13.2 Response Times

  • Standard response: Within one month of receipt
  • Complex or numerous requests: Up to three months (one month plus a two-month extension)
  • Extension notification: The requester is informed of any extension, and the reasons for it, within the first month
  • Progress updates

14. Contact Information

For GDPR-related queries or to exercise your rights:

Loyalleads Limited

  • Data Protection Officer: Sherif Butt
  • Email: loyalleadsltd@gmail.com
  • Address: International House, 10 Churchill Way, Cardiff CF10 2HE
  • Phone: 0747194804

15. Document Control

15.1 Version History

  • Version: 1.0
  • Last Updated: January 22, 2025
  • Next Review: January 22, 2026

15.2 Approval

  • Approved by: Sherif Butt
  • Position: CTO
  • Date: January 22, 2025