GDPR Compliance Policy

Ectoprocta Technologies Limited ("Bryozoan", "we", "our", or "us") is committed to protecting personal data and ensuring compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. This GDPR Compliance Policy explains our approach to data protection and how we safeguard personal data processed through Bryozoan AI.

1. Our Role Under GDPR

• When providing our Services, the Customer is the Data Controller and determines the purposes and means of processing personal data.
• Bryozoan acts as the Data Processor, processing personal data only on behalf of and under the instructions of the Customer.
• For account, billing, and marketing data, Bryozoan acts as a Data Controller.

2. Lawful Bases for Processing

We ensure that all personal data is processed under one of the lawful bases defined in GDPR, including:

• Performance of a Contract – to deliver our Services.
• Consent – where users have given clear consent (e.g. marketing communications, cookies).
• Legitimate Interests – for business operations such as improving services and preventing fraud.
• Legal Obligation – to comply with applicable law.

3. Data Subject Rights

We assist our Customers in upholding the rights of Data Subjects, including:

• Right of access to personal data.
• Right to rectification of inaccurate data.
• Right to erasure ("right to be forgotten").
• Right to restrict processing.
• Right to object to processing.
• Right to data portability.
• Right to withdraw consent at any time.

Data Subjects can exercise these rights directly with the Customer (Data Controller) or by contacting us where Bryozoan is the Data Controller.

4. International Data Transfers

• Personal data may be transferred outside the UK or EU for service delivery (e.g. hosting, cloud infrastructure).
• Transfers are safeguarded using: • UK adequacy regulations, or • Standard Contractual Clauses (SCCs) and UK-specific transfer addenda.

5. Sub-Processors

• Bryozoan uses carefully selected Sub-Processors (e.g. cloud hosting providers, email delivery services).
• Each Sub-Processor is bound by data protection obligations equivalent to this GDPR Policy and our [Data Processing Agreement (DPA)].
• Customers will be notified of any new Sub-Processors.

6. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit and at rest.
• Secure access controls and authentication.
• Regular monitoring, penetration testing, and audits.
• Data minimisation and pseudonymisation where appropriate.

7. Data Breach Notification

• In the event of a data breach, Bryozoan will notify affected Customers without undue delay.
• We will provide sufficient details to enable Customers to meet their own regulatory obligations, including notification to supervisory authorities and Data Subjects if required.

8. Data Retention

• Personal data is retained only as long as necessary to fulfil contractual and legal obligations.
• Upon termination of Services, Customer Data is securely deleted or returned, unless retention is required by law.

9. Data Protection Officer (DPO)

Bryozoan has appointed a Data Protection Officer to oversee compliance. 📧 Contact:

10. Supervisory Authority

If you are based in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): 👉 https://www.ico.org.uk

11. Governing Law

This GDPR Policy, and any dispute arising in connection with it, shall be governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.

12. Contact Us

If you have questions about this GDPR Policy or our data protection practices, please contact: Ectoprocta Technologies Limited