GDPR Compliance
Last Updated: January 20, 2025
1. Introduction
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a comprehensive data protection law that has applied across the European Union and the wider European Economic Area (EEA) since May 25, 2018. This document explains how ThoughtTap complies with GDPR requirements and protects the rights of individuals in the EU and EEA.
ThoughtTap is committed to protecting your personal data and respecting your privacy rights. This page provides specific information about your rights under GDPR and how we fulfill our obligations.
2. Data Controller Information
For the purposes of GDPR, ThoughtTap acts as the data controller for personal data we collect and process. You can contact us regarding GDPR matters at:
- Email: support@thoughttap.com
- Subject: GDPR Data Request
3. Your Rights Under GDPR
If you are located in the EU or EEA, you have the following rights regarding your personal data:
3.1 Right to Information (Articles 13 and 14)
You have the right to know what personal data we collect, how we use it, and who we share it with. This information is provided in our Privacy Policy.
3.2 Right of Access (Article 15)
You have the right to obtain confirmation that we are processing your personal data and access to that data. You can request:
- A copy of your personal data we hold
- Information about how we use your data
- Information about who we share your data with
- How long we keep your data
3.3 Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data. You can update most information through your account settings or contact us for assistance.
3.4 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis for processing
- The data has been unlawfully processed
- You object to processing and there are no overriding legitimate grounds
3.5 Right to Restrict Processing (Article 18)
You have the right to restrict the processing of your personal data in certain situations:
- You contest the accuracy of the data
- The processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing, pending verification of whether our legitimate grounds override yours
3.6 Right to Data Portability (Article 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another service provider. This right applies to data we process by automated means on the basis of your consent or a contract with you.
3.7 Right to Object (Article 21)
You have the right to object to processing of your personal data that is based on our legitimate interests, including any profiling based on those interests; we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. Where we process your personal data for direct marketing, you may object at any time and we will stop that processing without exception.
3.8 Rights Related to Automated Decision Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects for you. ThoughtTap does not engage in automated decision-making of this kind.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
4.1 Consent (Article 6(1)(a))
- Marketing communications (with your explicit consent)
- Non-essential cookies and analytics
- Optional features that require additional data
4.2 Contract Performance (Article 6(1)(b))
- Creating and managing your account
- Processing subscription payments
- Providing customer support
- Delivering the ThoughtTap service
4.3 Legitimate Interests (Article 6(1)(f))
- Improving our services and user experience
- Security and fraud prevention
- Analytics for business optimization
- Technical support and troubleshooting
4.4 Legal Obligation (Article 6(1)(c))
- Tax and accounting requirements
- Responding to legal requests
- Compliance with applicable laws
5. Data Processing Principles
ThoughtTap adheres to the GDPR data processing principles:
5.1 Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and transparently. We clearly explain our data practices in our Privacy Policy.
5.2 Purpose Limitation
We collect data for specific, explicit, and legitimate purposes and do not process it for incompatible purposes.
5.3 Data Minimization
We collect only the minimum amount of data necessary to provide our services and achieve our stated purposes.
5.4 Accuracy
We take reasonable steps to ensure personal data is accurate and up-to-date, and we provide tools for you to update your information.
5.5 Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.
5.6 Integrity and Confidentiality
We implement appropriate technical and organizational measures to ensure the security of personal data.
5.7 Accountability
We are responsible for and can demonstrate compliance with the data protection principles.
6. Data Protection Measures
6.1 Technical Measures
- Encryption: Data in transit and at rest is encrypted using industry standards
- Access Controls: Strict authentication and authorization controls
- Secure Infrastructure: Cloud providers with SOC 2 Type II compliance
- Regular Security Audits: Periodic security assessments and penetration testing
6.2 Organizational Measures
- Staff Training: Regular privacy and security training for all personnel
- Data Protection Policies: Clear internal policies and procedures
- Incident Response Plan: Procedures for handling data breaches
- Privacy by Design: Privacy considerations integrated into system design
7. International Data Transfers
ThoughtTap may transfer personal data outside the European Economic Area (EEA) in the following circumstances:
7.1 Adequacy Decisions
Transfers to countries that the European Commission has determined provide an adequate level of data protection.
7.2 Appropriate Safeguards
For transfers to countries without adequacy decisions, we implement appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules for intra-group transfers
- Certification schemes and codes of conduct
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify Authorities: Report the breach to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; if notification is late, we will document the reasons for the delay
- Notify Individuals: Inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document Breaches: Maintain records of all data breaches
- Take Remedial Action: Implement measures to address the breach and prevent recurrence
9. How to Exercise Your Rights
9.1 Making a Request
To exercise your GDPR rights, please contact us at:
- Email: support@thoughttap.com
- Subject Line: GDPR Data Request - [Type of Request]
9.2 Request Requirements
When making a request, please provide:
- Your full name and email address associated with your account
- Specific details about your request
- Proof of identity (if required for security purposes)
9.3 Response Timeline
- Initial Response: We will acknowledge your request within 1 business day
- Full Response: We will provide a complete response within 30 days
- Complex or Numerous Requests: May require up to 60 days; if we need more than 30 days, we will tell you within 30 days of receiving your request and explain the reasons for the extension
9.4 Verification Process
To protect your privacy, we may need to verify your identity before fulfilling requests. GDPR permits us to ask for additional information where we have reasonable doubts about the identity of the person making the request. This may involve:
- Confirming information associated with your account
- Requesting additional identification documents
- Using our account verification process
10. Children's Privacy
ThoughtTap does not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.
11. Supervisory Authority
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. You can find contact information for EU supervisory authorities at:
European Data Protection Board - Supervisory Authorities
12. Updates to GDPR Compliance
We may update this GDPR compliance information from time to time to reflect changes in our practices or applicable regulations. We will notify you of material changes and post the updated information on this page.
13. Contact Information
For any questions about GDPR compliance or to exercise your rights, please contact us:
- Email: support@thoughttap.com
- Subject: GDPR Inquiry
- Response Time: Within 1 business day for acknowledgment, 30 days for full response
Your GDPR Rights Summary
- ✅ Access: Get a copy of your personal data
- ✅ Rectification: Correct inaccurate information
- ✅ Erasure: Request deletion of your data
- ✅ Portability: Export your data in a portable format
- ✅ Object: Object to certain types of processing
- ✅ Restrict: Limit how we use your data
- ✅ Complaint: Lodge a complaint with supervisory authorities
Contact us at support@thoughttap.com to exercise any of these rights.