1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations processing personal data of individuals in the European Economic Area (EEA), regardless of the organization's location.
Systemify Automation is committed to complying with GDPR requirements and protecting the privacy rights of our users in the EEA. This page outlines our GDPR compliance measures and your rights under GDPR.
2. Our Role and Responsibilities
2.1 Data Controller
Systemify Automation acts as a Data Controller when we determine the purposes and means of processing personal data through our services.
Data Controller:
Systemify Automation
30 N Gould St Ste R, Sheridan, WY 82801, United States
2.2 Data Protection Officer (DPO)
We have appointed a Data Protection Officer to oversee our GDPR compliance efforts. You can contact our DPO regarding any data protection matters:
Email: dpo@systemifyautomation.com
Phone: +1 646-777-6492
2.3 Data Processor
When providing services to our clients, we may act as a Data Processor, processing personal data on behalf of our clients according to their instructions and our Data Processing Agreements (DPAs).
3. Legal Basis for Processing
We process personal data only when we have a legal basis to do so under GDPR Article 6:
3.1 Consent (Article 6(1)(a))
- Newsletter subscriptions and marketing communications
- Non-essential cookies and tracking
- Optional data collection for enhanced features
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
3.2 Contract Performance (Article 6(1)(b))
- Providing automation services you've requested
- Managing your account and service delivery
- Processing payments and invoicing
- Customer support and communication
3.3 Legal Obligation (Article 6(1)(c))
- Tax and accounting compliance
- Responding to legal requests and court orders
- Regulatory reporting requirements
3.4 Legitimate Interests (Article 6(1)(f))
- Website analytics and service improvement
- Fraud prevention and security
- Direct marketing to existing customers
- Network and information security
We balance our legitimate interests against your rights and freedoms. You can object to processing based on legitimate interests.
3.5 Vital Interests (Article 6(1)(d))
Processing necessary to protect someone's life (rarely applicable to our services).
3.6 Public Interest (Article 6(1)(e))
Not typically applicable to our business operations.
4. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
4.1 Right to Be Informed (Article 13-14)
You have the right to clear, transparent information about how we collect and use your personal data. This is provided through our Privacy Policy and this GDPR page.
4.2 Right of Access (Article 15)
You have the right to:
- Obtain confirmation that we process your personal data
- Access your personal data
- Receive information about how we process your data
We will provide a copy of your data free of charge. Additional copies may incur a reasonable administrative fee.
4.3 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed. We will notify relevant third parties of corrections unless impossible or disproportionate.
4.4 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when:
- The data is no longer necessary for the purposes it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
We may retain certain data if required by law or for legitimate purposes (e.g., legal claims, contractual obligations).
4.5 Right to Restriction of Processing (Article 18)
You can request restriction of processing when:
- You contest the accuracy of data (during verification)
- Processing is unlawful but you don't want data deleted
- We no longer need the data but you need it for legal claims
- You've objected to processing (pending verification of legitimate grounds)
4.6 Right to Data Portability (Article 20)
You can receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another controller when:
- Processing is based on consent or contract
- Processing is carried out by automated means
4.7 Right to Object (Article 21)
You can object to processing based on:
- Legitimate Interests: We must stop unless we demonstrate compelling legitimate grounds
- Direct Marketing: We must stop immediately upon your objection
- Profiling: Object to automated decision-making with legal or significant effects
4.8 Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects, unless:
- Necessary for entering into or performing a contract
- Authorized by law with suitable safeguards
- Based on your explicit consent
Currently, we do not engage in automated decision-making that produces legal or similarly significant effects without human intervention.
5. How to Exercise Your Rights
5.1 Making a Request
To exercise any of your GDPR rights, please:
- Email us at yassir@systemifyautomation.com or dpo@systemifyautomation.com
- Clearly state which right you wish to exercise
- Provide sufficient information to verify your identity
- Specify the scope of your request
5.2 Verification
To protect your privacy, we may require proof of identity before fulfilling your request. Acceptable forms of identification include:
- Government-issued ID (passport, driver's license)
- Verification through your registered account
- Confirmation of account details
5.3 Response Time
- We will respond to your request within 30 days
- Complex requests may require up to 60 additional days (with explanation)
- We will inform you if we need to extend the response time
- Urgent requests will be prioritized when possible
5.4 No Charge
We will not charge a fee for most requests. However, we may charge a reasonable fee for:
- Manifestly unfounded or excessive requests
- Repeated requests for the same information
- Additional copies of data beyond the first free copy
6. Data Protection Principles
We adhere to GDPR's six data protection principles (Article 5):
6.1 Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and transparently. We clearly communicate our data practices through our Privacy Policy and this GDPR page.
6.2 Purpose Limitation
We collect data for specified, explicit, and legitimate purposes. We don't further process data in a manner incompatible with those purposes.
6.3 Data Minimization
We collect only data that is adequate, relevant, and limited to what's necessary for our purposes.
6.4 Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.
6.5 Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
6.6 Integrity and Confidentiality
We implement appropriate security measures to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
7. Data Security Measures
We implement technical and organizational measures to ensure appropriate data security:
7.1 Technical Measures
- Encryption: SSL/TLS for data in transit, AES-256 for data at rest
- Access Controls: Role-based access control (RBAC) and multi-factor authentication
- Network Security: Firewalls, intrusion detection/prevention systems
- Regular Updates: Security patches and software updates
- Secure Development: Security-by-design and security testing
- Data Backup: Encrypted, geographically distributed backups
7.2 Organizational Measures
- Staff Training: Regular GDPR and security awareness training
- Access Policies: Strict need-to-know access principles
- Confidentiality Agreements: All staff sign NDAs and confidentiality agreements
- Security Audits: Regular internal and external security assessments
- Incident Response: Documented procedures for data breach response
- Vendor Management: Due diligence on third-party processors
8. Data Breach Notification
8.1 Supervisory Authority Notification
In case of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in risk.
8.2 Individual Notification
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, including:
- Nature of the personal data breach
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for more information
8.3 Breach Response
Our breach response plan includes:
- Immediate containment and assessment
- Investigation and documentation
- Notification to affected parties and authorities
- Remediation and prevention measures
- Post-incident review and improvements
9. International Data Transfers
When transferring personal data outside the EEA, we ensure appropriate safeguards are in place:
9.1 Transfer Mechanisms
- Adequacy Decisions: Transfers to countries with adequate protection as determined by the European Commission
- Standard Contractual Clauses (SCCs): EU-approved contracts ensuring GDPR-level protection
- Binding Corporate Rules (BCRs): Internal data protection policies for multinational organizations
- Explicit Consent: Informed consent after being made aware of potential risks
9.2 Data Storage Locations
Our primary data storage is located in the United States with appropriate safeguards. We use cloud service providers that comply with GDPR requirements and have implemented SCCs.
10. Third-Party Processors
We work with third-party service providers who process personal data on our behalf. We ensure:
- Data Processing Agreements (DPAs) are in place with all processors
- Processors provide sufficient guarantees of GDPR compliance
- Only authorized processors access personal data
- Sub-processors are subject to the same data protection obligations
10.1 Categories of Processors
- Cloud hosting and infrastructure providers
- Email and communication services
- Analytics and monitoring tools
- Payment processors
- CRM and marketing platforms
11. Data Protection Impact Assessments (DPIAs)
We conduct Data Protection Impact Assessments for processing activities that are likely to result in high risk to individuals' rights and freedoms, particularly when:
- Using new technologies
- Processing sensitive data at scale
- Systematic monitoring of publicly accessible areas
- Automated decision-making with legal or significant effects
12. Children's Data
Our services are not directed at children under 16 years of age. We do not knowingly collect or process personal data from children without parental consent.
If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.
13.1 Contact Supervisory Authorities
Find your local data protection authority:
13.2 Our Preference
While you have the right to complain to a supervisory authority, we encourage you to contact us first at dpo@systemifyautomation.com so we can address your concerns directly.
14. Data Retention
We retain personal data for different periods depending on the purpose and legal requirements:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of relationship + 1 year | Service provision and legal claims |
| Financial records | 7 years | Tax and accounting requirements |
| Contract documents | 7 years after termination | Legal obligations and claims |
| Marketing data | 3 years from last engagement | Legitimate interest / until consent withdrawn |
| Support tickets | 3 years | Service improvement and dispute resolution |
| Analytics data | 26 months (anonymized after 14 months) | Service improvement |
| Cookies | Varies (see Cookie Policy) | Functionality and analytics |
15. Updates to GDPR Compliance
We regularly review and update our GDPR compliance measures to reflect:
- Changes in GDPR interpretation and guidance
- New technologies and processing activities
- Feedback from supervisory authorities
- Changes in our business practices
Material changes will be communicated through our website and, where appropriate, by email.
16. Contact Information
For GDPR-related questions, concerns, or to exercise your rights:
Data Controller:
Systemify Automation
30 N Gould St Ste R, Sheridan, WY 82801, United States
Email: yassir@systemifyautomation.com
Phone: +1 646-777-6492
Data Protection Officer:
Email: dpo@systemifyautomation.com
17. Additional Resources
For more information about GDPR and data protection: