GDPR Compliance Statement

Effective Date: December 1, 2024
Last Updated: December 1, 2024

1. Our Commitment to GDPR

ContactPull Technologies Inc. (Business Number: 604344909) is committed to protecting the privacy and personal data of individuals in the European Union in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

As a Canadian company serving EU customers, we have implemented comprehensive measures to ensure GDPR compliance across our entire platform and operations.

EU Representative

ContactPull EU Data Protection
Email: contact@contactpull.com
Phone: +44 (0) XXX-XXXX-XXXX

Data Protection Officer (DPO)
Email: contact@contactpull.com

2. Legal Basis for Processing

We process personal data under the following legal bases as defined in GDPR Article 6:

Article 6(1)(a) - Consent

When you explicitly agree to specific processing activities, such as marketing communications or optional features.

Article 6(1)(b) - Contract

To fulfill our contractual obligations to provide you with the ContactPull services you've requested.

Article 6(1)(c) - Legal Obligation

To comply with applicable laws and regulations that require us to process certain data.

Article 6(1)(f) - Legitimate Interests

For our legitimate business interests, such as improving services, preventing fraud, and ensuring security, always balanced against your rights and freedoms.

3. Your Rights Under GDPR

As an EU data subject, you have the following rights:

Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and access to such data, including information about purposes, categories, recipients, retention periods, and your rights.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and have incomplete data completed.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when it's no longer necessary, you withdraw consent, you object to processing, or it was unlawfully processed.

Right to Restrict Processing (Article 18)

You can request restriction of processing while we verify accuracy, investigate unlawful processing, or assess legitimate grounds for processing.

Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes at any time.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affects you.

4. How to Exercise Your Rights

Submit a Request

To exercise any of your GDPR rights, please contact us:

Email: contact@contactpull.com
Online Form: Available in your account settings
Post: ContactPull Technologies Inc., Attn: GDPR Request, British Columbia, Canada

What to Include

Your full name and contact information
Description of your request
Any relevant account information
Proof of identity (we may request this for security)

Response Timeline

We will acknowledge your request within 72 hours and provide a substantive response within 30 days. For complex requests, we may extend this by an additional 60 days with notice.

5. International Data Transfers

As a Canadian company, we transfer personal data from the EU to Canada. We ensure appropriate safeguards through:

Adequacy Decision: Canada has partial adequacy under GDPR for commercial organizations subject to PIPEDA
Standard Contractual Clauses (SCCs): We use EU-approved SCCs for any transfers not covered by adequacy
Technical Measures: Encryption, access controls, and security protocols
Supplementary Measures: Additional safeguards based on transfer impact assessments

6. Data Protection Measures

Technical and Organizational Measures

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Access controls and authentication (including MFA)
Regular security audits and penetration testing
Employee training on data protection
Data minimization and purpose limitation
Privacy by design and default principles

Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay when required under GDPR Article 33-34.

7. Data Retention

We retain personal data only as long as necessary for:

Fulfilling the purposes for which it was collected
Complying with legal obligations
Resolving disputes and enforcing agreements

Typical Retention Periods

Account data: Duration of service + 90 days
Transaction records: 7 years (tax requirements)
Marketing data: Until consent withdrawn
Log files: 12 months

8. Third-Party Processors

We use carefully selected third-party processors who are contractually bound to process data only on our instructions and in compliance with GDPR:

Cloud hosting providers (AWS, Google Cloud)
Payment processors (Stripe)
Email service providers
Analytics services (with appropriate safeguards)

9. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights under the GDPR have been violated.

Note: We encourage you to contact us first at contact@contactpull.com so we can address your concerns directly.

10. Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. We will notify you of material changes through our Service or via email.

11. Contact Information

Data Protection Inquiries

Data Protection Officer
ContactPull Technologies Inc.
Email: contact@contactpull.com

GDPR Specific Requests
Email: contact@contactpull.com

Company Information
ContactPull Technologies Inc.
Business Number: 604344909
British Columbia, Canada

This GDPR Compliance Statement supplements our Privacy Policy and Terms of Service.