For European Users
This GDPR Addendum applies specifically to users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland. It supplements our main Privacy Policy and provides additional rights and protections under European data protection laws.
Your GDPR Rights
- Right to Access: confirm processing and receive a copy of your data
- Right to Rectification: correct inaccurate or incomplete data
- Right to Erasure: request deletion ("Right to be Forgotten")
- Right to Restriction: restrict processing in certain circumstances
- Data Portability: receive your data in a machine-readable format
- Right to Object: object to processing, especially direct marketing
Our Security Measures
Technical
- TLS/SSL encryption in transit
- AES-256 encryption at rest
- Multi-Factor Authentication
- Role-Based Access Controls
Organizational
- Staff Data Protection Training
- Confidentiality Agreements
- Incident Response Plan
- Vendor Security Assessments
Procedural
- Regular Security Audits
- Data Protection Impact Assessments
- Privacy by Design Implementation
- Data Breach Notification Procedures
International Data Transfers
Transfer Mechanism
BrandPawa is based in Nigeria. When we transfer your data from the EEA, we use:
- Standard Contractual Clauses (SCCs)
- Encryption in transit and at rest
- Strict access controls
Your Rights
You may request information about the safeguards applied to international transfers by contacting privacy@brandpawa.com.
1. Introduction
This GDPR Addendum applies to users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland ("European Users"). It supplements our Privacy Policy and explains GDPR compliance. If conflict exists, this Addendum prevails for European Users.
2. Data Controller Information
Data Controller: BrandPawa, Address: Port Harcourt, Nigeria, Email: privacy@brandpawa.com. For European Users, BrandPawa acts as Data Controller for personal data processed through our Services.
3. Legal Basis for Processing
We process data based on: Contractual Necessity (providing Services), Legitimate Interests (business operations), Consent (marketing, non-essential cookies), Legal Obligation (compliance), and Vital Interests (safety protection).
4. Categories of Personal Data We Process
Identity Data (name, business), Contact Data (email, phone), Account Data (login, preferences), Brand/Business Data (industry, test responses), Financial Data (payment info), Technical Data (IP, device), Usage Data (pages visited, features used), Marketing Data (preferences, engagement). We do not intentionally collect special categories of data.
5. Your Rights Under GDPR
European Users have rights to: Access, Rectification, Erasure ("Right to be Forgotten"), Restriction of Processing, Data Portability, Object to Processing, Withdraw Consent, Lodge Complaint with supervisory authority. No solely automated decisions with legal effects.
How to Exercise Your Rights: send your request to privacy@brandpawa.com. Response times and verification requirements are described in Section 6; contact and complaint details are in Section 18.
6. Response Times and Procedures
We respond within 1 month (extendable to 2 months for complex requests). First request free; fees may apply for manifestly unfounded/excessive requests. Verification required to protect privacy. We consider third-party rights.
7. International Data Transfers
Based in Nigeria, we transfer data from EEA using Standard Contractual Clauses (SCCs) with service providers, adequacy decisions (when applicable), and supplementary measures (encryption, access controls). Third-party processors comply with GDPR.
8. Data Retention
We retain data only as necessary: Account Information (account duration + 30 days), Test Results (account duration + 30 days), Payment Records (7 years after last transaction), Marketing Data (until consent withdrawn + 30 days), Usage Analytics (26 months), Security Logs (12 months).
9. Data Security Measures
Technical measures: Encryption (TLS/SSL, AES-256), Access Controls (role-based, MFA), Firewalls, Regular Updates, Vulnerability Scanning, Secure Development. Organizational measures: Staff Training, Confidentiality Agreements, Access Policies, Incident Response, Vendor Management, Regular Audits.
11. Children's Data
We do not knowingly process personal data of children under 16 (or applicable age of digital consent). If discovered, we delete data immediately, terminate account, and notify parent/guardian if identifiable.
12. Automated Decision-Making and Profiling
We use algorithms for brand diagnostics, recommendations, matching. All automated outputs are advisory, supplemented with human-created content, subject to user discretion, reviewed by experts. No automated decisions with legal/significant effects.
13. Data Protection by Design and Default
We implement: Data Minimization (collect only necessary), Privacy by Default (highest privacy settings default), Pseudonymization (separate identifying info, use unique identifiers).
14. Third-Party Processors (Sub-Processors)
We work with sub-processors for hosting, payments, email, analytics. Current list available. We notify of new/replacement sub-processors; you have 30 days to object. If objection cannot be accommodated, you may terminate account.
15. EU Representative
BrandPawa is not currently required to appoint an EU representative under Article 27 GDPR.
16. Record of Processing Activities
We maintain internal records per Article 30 GDPR, including purposes, categories, recipients, transfers, retention, security. Available to supervisory authorities upon request.
17. Data Protection Impact Assessments (DPIA)
We conduct DPIAs for high-risk processing, particularly: brand diagnostic algorithm, user profiling/recommendation systems, third-party data sharing. DPIAs identify/mitigate risks to rights/freedoms.
18. Contact and Complaints
GDPR inquiries: privacy@brandpawa.com. Data Protection Officer: dpo@brandpawa.com. Complaint procedure: Contact us first, internal review within required timeframes, then supervisory authority if unsatisfied.
Supervisory Authorities:
You have the right to lodge a complaint with your national data protection authority.
You can find your EU supervisory authority through your national data protection authority.
19. Updates to This GDPR Addendum
We may update to reflect legal changes, new processing, supervisory feedback, Service changes. Material changes notified via email, in-app, website notice. Continued use after changes constitutes acceptance.
20. Glossary of GDPR Terms
Personal Data: Information relating to identifiable person. Processing: Operations on personal data. Data Controller: Determines purposes/means. Data Processor: Processes on behalf. Data Subject: Individual data relates to. Consent: Freely given agreement. Supervisory Authority: Independent public authority. Third Country: Outside EEA/UK/Switzerland.
GDPR Questions?
Contact our Data Protection team for GDPR-specific inquiries.