GDPR Compliance

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a European Union regulation that protects the rights and freedoms of individuals regarding the processing of their personal data. Muypil is committed to full compliance with GDPR.

This document outlines how we comply with GDPR requirements and the rights available to you as a data subject.

2. Your GDPR Rights

2.1 Right of Access

You have the right to access your personal data that we process. You can request a copy of all data we hold about you at any time. We will provide this information within 30 days in a commonly used, machine-readable format.

2.2 Right to Rectification

You have the right to correct inaccurate personal data and to complete incomplete data. You can update your information through your account settings or by contacting us.

2.3 Right to Erasure (Right to Be Forgotten)

You have the right to request deletion of your personal data under certain circumstances, including when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent for processing
• You object to processing and there is no legal basis to continue
• The data has been processed unlawfully

We will delete your data within 30 days, except where legal obligations require retention.

2.4 Right to Restrict Processing

You can request that we restrict the processing of your personal data in certain situations, such as:

• While you contest the accuracy of your data
• When processing is unlawful but you prefer restriction to deletion
• When we no longer need the data but you require it for legal claims
• While you consider exercising your right to object

2.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit this data to another controller. This allows you to move, copy, or transfer your data between services easily.

2.6 Right to Object

You have the right to object to certain types of processing, including:

• Processing for direct marketing purposes (you can opt-out of marketing at any time)
• Processing based on legitimate interests where it conflicts with your rights

2.7 Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You can request human review of automated decisions.

2.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection authority (DPA) in your country if you believe your data has been processed in violation of GDPR.

3. Legal Basis for Processing

We process personal data only on valid legal bases under GDPR, including:

• Consent: You have explicitly consented to processing
• Contract: Processing is necessary to provide our Services under a contract
• Legal Obligation: Processing is required to comply with legal obligations
• Vital Interests: Processing is necessary to protect vital interests
• Public Task: Processing is necessary for a public task
• Legitimate Interests: Processing is necessary for our legitimate business interests, balanced against your rights

4. Data Protection by Design and Default

Muypil implements data protection principles throughout all our processes:

• Privacy is considered in all system designs
• We minimize data collection to what is necessary
• We implement privacy controls by default
• We conduct privacy impact assessments for new processing
• We update security measures regularly

5. Data Processing Agreement (DPA)

5.1 Standard DPA

For customers in the EU/EEA, we provide a Data Processing Agreement that complies with GDPR Article 28. This agreement outlines:

• Our responsibilities as a data processor
• Appropriate technical and organizational measures
• Restrictions on subprocessing
• Data subject rights assistance
• Assistance with compliance obligations

5.2 Standard Contractual Clauses

Where data is transferred outside the EU/EEA, we utilize the European Commission's Standard Contractual Clauses (SCCs) to ensure appropriate protection.

6. International Data Transfers

If your personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

• We only transfer to countries deemed to have adequate protection by the European Commission
• For other countries, we use Standard Contractual Clauses or your explicit consent
• We implement appropriate technical and organizational measures
• We conduct Transfer Impact Assessments (TIA)

7. Data Retention

7.1 Retention Periods

We retain personal data only as long as necessary for the purpose it was collected:

• Account information: Retained for account duration + 2 years after deletion
• Transaction data: Retained for 7 years for legal/tax compliance
• Analytics data: Retained for 24 months
• Support communications: Retained for 3 years
• Marketing data: Retained until consent is withdrawn

7.2 Secure Deletion

When data is no longer needed, we securely delete or anonymize it using secure deletion methods that prevent recovery.

8. Children's Data Protection

Our Services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. Parents or guardians who believe we have collected data from a child should contact us immediately at privacy@muypil.com

9. Data Breaches and Notification

In the event of a data breach, we commit to:

• Notifying affected individuals within 72 hours (or as required by law)
• Notifying relevant data protection authorities
• Providing details of the breach and our response measures
• Offering guidance on protective measures

We maintain a breach log and conduct breach assessments to determine notification obligations.

10. Data Subject Rights Requests

10.1 How to Submit Requests

To exercise your data subject rights under GDPR, please submit your request to:

Email: privacy@muypil.com

Include:

• Your full name and account email
• Description of your request (access, deletion, rectification, etc.)
• Any supporting documentation

10.2 Response Timeframe

We will respond to data subject rights requests within 30 days. If a request is complex or we receive multiple requests, we may extend this period by an additional two months, with notification to you.

10.3 Fees

We generally process requests free of charge. However, if requests are manifestly unfounded or excessive, we may charge a reasonable fee or decline to respond.

11. Data Protection Impact Assessments

For high-risk processing, we conduct Data Protection Impact Assessments (DPIA) to identify and mitigate risks to data subjects. We make DPIAs available to supervisory authorities upon request.

12. Privacy Training and Awareness

Muypil employees receive regular training on GDPR requirements and privacy best practices. We maintain a privacy-conscious culture throughout our organization.

13. Data Protection Officer

Muypil has appointed a Data Protection Officer (DPO) responsible for monitoring GDPR compliance:

Data Protection Officer
Email: ads@muypil.com
Website: https://muypil.com

14. Supervisory Authorities

If you believe your rights under GDPR have been violated, you have the right to lodge a complaint with your national data protection authority:

• Austria: Austrian Data Protection Authority
• Belgium: Belgian Data Protection Authority
• Bulgaria: Commission for Personal Data Protection
• Germany: German Data Protection Authorities (BfDI)
• France: Commission Nationale de l'Informatique et des Libertés (CNIL)
• And others for each EU/EEA country

15. Updates to This Policy

This GDPR Compliance statement may be updated as our practices evolve or as GDPR requirements change. We will notify you of material changes and post updates on our website.

16. Contact Information

For GDPR compliance questions or to exercise your data subject rights:

Muypil
Email: ads@muypil.com
Website: https://muypil.com