- Introduction
CentralAuth ("Company," "we," "us," or "our") is committed to compliance with the General Data Protection Regulation (GDPR) and protecting the privacy rights of all individuals whose personal data we process. This document outlines how we comply with GDPR requirements and your rights as a data subject.
- Legal Basis for Processing
- Legitimate Interest – We process authentication data to provide secure access to third-party services and maintain service security.
- Consent – Where required, we obtain explicit consent for processing personal data, particularly for non-essential features.
- Contractual Performance – Processing necessary to perform our authentication services as outlined in our Terms of Use.
- Legal Obligation – Processing required to comply with applicable laws and regulations.
- Data Subject Rights Under GDPR
- Right of Access (Article 15) – You have the right to obtain confirmation of whether we process your personal data and access to such data.
- Right to Rectification (Article 16) – You can request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17) – You may request deletion of your personal data under certain circumstances.
- Right to Restrict Processing (Article 18) – You can request limitation of processing under specific conditions.
- Right to Data Portability (Article 20) – You have the right to receive your personal data in a structured, commonly used format.
- Right to Object (Article 21) – You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Article 22) – You have rights regarding automated processing and profiling, where applicable.
- Data Processing Activities
- Authentication Data – Email addresses, device identifiers, and authentication tokens processed for identity verification.
- Security Logs – Login attempts, device information, and access patterns processed for security monitoring.
- Usage Analytics – Aggregated and pseudonymized data for service improvement and security analysis.
- Communication Data – Support inquiries and correspondence processed for customer service.
- Data Retention Periods
- Active Account Data – Retained while your account is active and for 30 days after account deletion.
- Security Logs – Retained for up to 6 months for security monitoring and incident response.
- Support Communications – Retained for 2 years to maintain support history and service quality.
- Legal Compliance Data – Retained as required by applicable laws and regulations.
- Data Protection Measures
- Technical Safeguards – Encryption in transit and at rest, access controls, and regular security assessments.
- Organizational Measures – Staff training, data protection policies, and privacy by design principles.
- Data Minimization – We collect and process only the minimum personal data necessary for our services.
- Pseudonymization – Where possible, we use pseudonymization techniques to reduce privacy risks.
- International Data Transfers
- Transfer Mechanisms – When transferring data outside the EU/EEA, we use appropriate safeguards such as Standard Contractual Clauses (SCCs).
- Third-Party Processors – Our service providers are contractually bound to GDPR compliance requirements.
- Adequacy Decisions – We prioritize transfers to countries with EU adequacy decisions where possible.
- Consent Management
- Clear Consent – We obtain clear, specific, and informed consent where required.
- Withdrawal Rights – You can withdraw consent at any time through your account settings.
- Consent Records – We maintain records of consent given and withdrawn for compliance purposes.
- Data Breach Notification
- Supervisory Authority Notification – We will notify relevant supervisory authorities within 72 hours of becoming aware of a breach likely to result in high risk.
- Individual Notification – Affected individuals will be notified without undue delay when a breach is likely to result in high risk to their rights and freedoms.
- Breach Response – We maintain an incident response plan to contain, assess, and remediate data breaches.
- Third-Party Data Sharing
- Service Integration – Authentication data is shared with third-party services you choose to access, subject to their privacy policies.
- Processor Agreements – Third-party processors are bound by data processing agreements ensuring GDPR compliance.
- No Marketing Sharing – We never share personal data for third-party marketing purposes.
- Data Protection Officer
- Contact Information – For data protection inquiries, contact us via the contact form.
- Responsibilities – Our DPO monitors compliance, conducts impact assessments, and serves as the point of contact for supervisory authorities.
- Exercising Your Rights
- Request Process – Submit data subject requests via the contact form.
- Identity Verification – We may require identity verification to process your requests securely.
- Response Timeline – We respond to requests within 30 days, with possible extensions for complex requests.
- No Cost – Exercising your rights is generally free, unless requests are manifestly unfounded or excessive.
- Supervisory Authority
- Right to Lodge Complaint – You have the right to lodge a complaint with your local data protection supervisory authority.
- Lead Authority – Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
- Updates to GDPR Compliance
- Regular Reviews – We regularly review and update our GDPR compliance measures.
- Notification of Changes – Significant changes to our data processing activities will be communicated as required by law.
- Documentation – We maintain comprehensive records of our processing activities as required by Article 30 GDPR.
- Contact Information
For GDPR-related inquiries, data subject requests, or to contact our Data Protection Officer, please use the contact form. You can also reference our Privacy Policy for additional information about our data practices.