GDPR Article 30 register
The Company (the Service) is the data controller for the processing activities described below. Privacy / DSAR contact: support@example.com.
| Purpose | Data categories | Lawful basis | Retention | Recipients / processors |
|---|---|---|---|---|
| UK Bacs Direct Debit collection — register payer mandates via AUDDIS, submit collections through the Bacs cycle, and reconcile ARUDD / ADDACS reports. | Payer name, payer address, UK sort code, UK account number, mandate reference, collection amount and dates. | Contract (UK GDPR Art. 6(1)(b)) — performance of the agent's tenancy / service agreement with the payer; processor relationship with Modulr under UK GDPR Art. 28. | 6 years after final mandate activity, per Bacs scheme rules and the Limitation Act 1980. | Modulr Finance Limited (UK, FCA-authorised EMI, FRN 900573) under the Modulr Master Services Agreement, Schedule 4 (Data Processing). UK-only; no third-country transfer. See /docs/sub-processors.md for the DPA reference. |
| Data residency — all personal data is stored and processed in the UK or EU/EEA. No third-country transfer mechanism (SCCs, adequacy, BCRs) is engaged because no sub-processor stores CalmonyDD personal data outside the UK/EEA. | All categories listed above (payer PII, agent details, BACS reconciliation reports, audit logs, error reports). | UK GDPR Chapter V — no international transfer occurs. Region pinning is enforced at boot for the application database (DATABASE_URL must point at an EU/UK Neon region) and at the platform level for the hosting layer (Vercel regions pinned to lhr1 + cdg1 in vercel.json). | Residency posture is reviewed at least annually and on any change of sub-processor. Last reviewed: 2026-05-27. | Per-processor residency register published at docs/data-residency.md — Neon (EU/UK), Vercel (lhr1/cdg1), Modulr (UK), Temporal Cloud (EU), SaaS Factory central (EU), Twilio (ie1 — only when enabled). |
Hosting and processing infrastructure is primarily located within the European Economic Area (Vercel EU regions, Neon EU regions). Where data is transferred outside the EEA — typically to US-based sub-processors — those transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.
EU/UK residents have the right to access, rectify, erase, restrict, port, or object to processing of their personal data, and to withdraw consent for processing based on consent. Exercise these rights by emailing support@example.com; we respond within 30 days.
If we fail to address your concerns, you may lodge a complaint with your local supervisory authority. In the UK that is the ICO (ico.org.uk).