GDPR Article 30 register — last reviewed: 2026

The Company (the Service) is the data controller for the processing activities described below. Privacy / DSAR contact: support@example.com.

| Purpose | Data categories | Lawful basis | Retention | Recipients / processors |
|---|---|---|---|---|
| Account creation and authentication | Email address, name, hashed password (if applicable), OAuth provider identifiers | Art. 6(1)(b) — performance of contract | Active account + 30 days after deletion | Auth provider (SaaS Factory Auth, AWS Cognito, Microsoft Entra, Google, GitHub, or Okta — depending on configured providers) |
| Service operation (the product's core functionality) | Whatever data the user submits to the product, plus diagnostic logs | Art. 6(1)(b) — performance of contract | Active subscription + 30 days; logs 30 days | Vercel (hosting), Neon (database), Cloudflare (CDN) |
| Billing and payment processing | Name, email, billing address, payment method metadata (card last 4, brand) | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligation (tax records) | 7 years (tax records) | Calmony Pay (payment processor) — full PAN never touches the controller's systems |
| Customer support and incident response | Email address, name, support ticket content (which may include screenshots) | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest in operating the service | 3 years from ticket close | Internal support team |
| Product improvement and analytics | Aggregated usage events (page views, feature usage), pseudonymous device identifier | Art. 6(1)(f) — legitimate interest in improving the service | 13 months | Internal analytics only — no third-party analytics processors |
| Security and fraud prevention | IP address, user agent, failed login attempts, suspicious activity flags | Art. 6(1)(f) — legitimate interest in service security | 12 months | Internal security team |

Hosting and processing infrastructure is primarily located within the European Economic Area (Vercel EU regions, Neon EU regions). Where data is transferred outside the EEA — typically to US-based sub-processors — those transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

EU/UK residents have the right to access, rectify, erase, restrict, port, or object to processing of their personal data, and to withdraw consent for processing based on consent. Exercise these rights by emailing support@example.com; we respond within 30 days.

If we fail to address your concerns, you may lodge a complaint with your local supervisory authority. In the UK that is the ICO (ico.org.uk).