GDPR Compliance

1. GDPR Overview 2. Our Commitment 3. Your GDPR Rights 4. Lawful Basis for Processing 5. Data Processing Activities 6. International Data Transfers 7. Data Protection Officer 8. Breach Notification 9. DPIAs 10. Compliance Measures 11. Contact & Complaints

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations processing personal data of individuals in the European Economic Area (EEA), regardless of where the organization is located.

AutoReach is fully committed to GDPR compliance and protecting the privacy rights of all our users, including those in the EU/EEA.

2. Our Commitment

AutoReach has implemented comprehensive technical and organizational measures to ensure GDPR compliance:

Privacy by Design: Data protection integrated into our platform architecture
Data Minimization: We only collect and process necessary personal data
Transparency: Clear communication about how we use your data
Security: Enterprise-grade encryption and access controls
Accountability: Documented compliance and regular audits

3. Your GDPR Rights

Under GDPR, EU/EEA residents have the following rights:

Right to Access

Request a copy of your personal data we process

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data ("Right to be Forgotten")

Right to Restrict

Limit how we process your data

Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests

Automated Decision-Making

Right not to be subject to solely automated decisions

Withdraw Consent

Withdraw previously given consent at any time

4. Lawful Basis for Processing

We process personal data under the following GDPR lawful bases:

Contractual Necessity (Art. 6(1)(b)): To provide our services as agreed in our Terms
Legitimate Interests (Art. 6(1)(f)): For security, fraud prevention, and service improvement
Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies
Legal Obligation (Art. 6(1)(c)): To comply with applicable laws and regulations

5. Data Processing Activities

Processing Activity	Categories of Data	Purpose	Retention
Account Management	Name, email, company, billing info	Service provision, authentication	Account lifetime + 30 days
Content Distribution	Social media content, scheduling data	Publishing to connected platforms	Account lifetime
Analytics & AI	Usage data, engagement metrics	Service improvement, recommendations	24 months (anonymized)
Payment Processing	Transaction data, payment method	Subscription billing	7 years (legal requirement)
Customer Support	Communication history, tickets	Support provision	3 years

6. International Data Transfers

AutoReach is headquartered in the United States. When we transfer personal data from the EEA to countries outside the EEA, we ensure appropriate safeguards are in place:

EU-US Data Privacy Framework: AutoReach is certified under the DPF
Standard Contractual Clauses (SCCs): EU-approved contractual clauses with all processors
Adequacy Decisions: For transfers to countries with adequate protection (UK, Switzerland, etc.)
Binding Corporate Rules: For intra-group transfers

All subprocessors are vetted for GDPR compliance and bound by data processing agreements.

7. Data Protection Officer

AutoReach has appointed a Data Protection Officer (DPO) to oversee GDPR compliance:

Dr. Elena Voss

dpo@autoreach.ai

+1 (888) 555-AUTO (Ext. 4)

101 Cyber Tower, San Francisco, CA 94105

EU Representative: DataRep, The Black Church, St. Mary's Place, Dublin 7, Ireland

8. Breach Notification

In accordance with GDPR Articles 33 and 34, AutoReach will:

Notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach
Communicate high-risk breaches to affected data subjects without undue delay
Maintain a detailed breach register documenting all incidents and remediation actions

9. Data Protection Impact Assessments

AutoReach conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

AI-powered content analysis and recommendations
Large-scale social media data aggregation
Automated decision-making in content approval workflows
Integration with third-party social platforms

DPIAs are reviewed annually and updated when significant changes occur.

10. Compliance Measures

Our GDPR compliance framework includes:

Data Processing Agreements: Signed with all vendors and subprocessors
Records of Processing Activities (ROPA): Maintained per Article 30 requirements
Staff Training: Regular GDPR awareness and data protection training
Technical Measures: Encryption at rest (AES-256), TLS 1.3 in transit, MFA, access logging
Organizational Measures: Data protection policies, incident response plan, access control policies
Regular Audits: Annual third-party GDPR compliance audits

11. Contact & Complaints

To exercise your GDPR rights or for any privacy-related inquiries:

privacy@autoreach.ai

DPO: dpo@autoreach.ai

EU Representative: DataRep, Dublin, Ireland • eurep@autoreach.ai

You have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at EDPB website.

We will respond to all legitimate requests within 30 days, as required by GDPR.

GDPR Compliant

EU-US DPF Certified

UK GDPR Compliant

Last compliance review: April 2026 • Next review: October 2026

Contents