🇪🇺 EU Data Protection Compliant

GDPR Compliance

CelebrationApp Pro is fully compliant with the General Data Protection Regulation (GDPR), ensuring the highest standards of data protection for EU citizens.

Last Updated: January 15, 2025 | Version: 2.0

Our Commitment to GDPR

CelebrationApp Pro takes data protection seriously. As a data processor under GDPR, we are committed to protecting the personal data of EU citizens and ensuring compliance with all GDPR requirements.

🇪🇺 GDPR Compliance Status

CelebrationApp Pro is fully GDPR compliant. We have implemented technical and organizational measures to ensure the security of personal data and respect for data subjects' rights.

Key Compliance Measures

  • Privacy by Design and by Default
  • Data Protection Impact Assessments (DPIA)
  • Appointment of Data Protection Officer
  • Regular security audits and updates
  • Employee training on data protection
  • Incident response procedures

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

1. Right to Access: Request a copy of your personal data and information about how we process it.
2. Right to Rectification: Request correction of inaccurate personal data or completion of incomplete data.
3. Right to Erasure: Request deletion of your personal data when it's no longer necessary.
4. Right to Restriction: Request limitation of processing of your personal data in certain circumstances.
5. Right to Data Portability: Receive your data in a structured, machine-readable format.
6. Right to Object: Object to processing of your personal data for certain purposes.
7. Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
8. Right to Complain: Lodge a complaint with your supervisory authority.

How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer at dpo@celebrationapp.pro. We will respond to your request within 30 days as required by GDPR.


Data Processing Activities

Data Controller vs Data Processor

  • Shopify Merchants (You): Data Controller, determining the purposes and means of processing
  • CelebrationApp Pro (Us): Data Processor, processing data on behalf of the controller

Data Processing Flow

1. Data Collection: Anonymous analytics data collected from store visitors
2. Data Processing: Aggregation and analysis for celebration optimization
3. Data Storage: Secure storage in EU data centers with encryption
4. Data Deletion: Automatic deletion after the retention period expires

Categories of Data Processed

Data Category          | Purpose                  | Legal Basis          | Retention
Store Information      | Service provision        | Contract performance | Account lifetime
Analytics Data         | Performance optimization | Legitimate interest  | 26 months
Support Communications | Customer service         | Contract performance | 3 years
Billing Information    | Payment processing       | Legal obligation     | 7 years

Technical & Organizational Measures

We implement comprehensive security measures to protect personal data:

Technical Security Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Control: Role-based access with MFA
  • Pseudonymization: Personal data pseudonymized where possible
  • Regular Testing: Penetration testing and vulnerability assessments
  • Backup & Recovery: Regular encrypted backups with tested recovery
  • Monitoring: 24/7 security monitoring and intrusion detection

Organizational Measures

  • Staff Training: Regular GDPR and security training
  • Confidentiality: All staff sign NDAs and confidentiality agreements
  • Access Policies: Principle of least privilege
  • Incident Response: Documented breach response procedures
  • Vendor Management: Due diligence on all sub-processors
  • DPIAs: Regular Data Protection Impact Assessments

🏆 Security Certifications

Our infrastructure providers maintain ISO 27001, SOC 2 Type II, and other industry-standard certifications. We are working toward our own SOC 2 certification.


International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): EU Commission-approved clauses
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Binding Corporate Rules: For intra-group transfers

Sub-Processors

Our approved sub-processors who may process personal data:

Sub-Processor       | Service              | Location       | Safeguards
Amazon Web Services | Cloud Infrastructure | EU (Frankfurt) | Adequate
Google Cloud        | Analytics            | EU (Belgium)   | Adequate
Stripe              | Payment Processing   | EU/US          | SCCs
SendGrid            | Email Service        | EU/US          | SCCs

Cookie Policy

We use cookies in compliance with GDPR and ePrivacy Directive requirements:

Cookie Categories

  • Strictly Necessary: Required for app functionality (no consent needed)
  • Analytics: Help us understand usage patterns (consent required)
  • Performance: Monitor app performance (consent required)
  • Functional: Remember preferences (consent required)

Cookie Consent Implementation

Managing Cookies

Users can manage cookie preferences through:

  • Our cookie consent banner
  • Browser settings
  • Privacy settings in their account
  • Opt-out links in our emails

Data Breach Response

We have comprehensive procedures for handling potential data breaches:

Breach Response Timeline

  • 0-24 Hours, Detection & Containment: Identify breach, contain threat, assess impact
  • 24-48 Hours, Investigation: Determine scope, affected data, and root cause
  • 48-72 Hours, Notification: Notify supervisory authority and affected data subjects
  • 72+ Hours, Remediation: Implement fixes, update security, document lessons learned

📢 Breach Notification Commitment

We commit to notifying affected data controllers within 48 hours of becoming aware of a personal data breach, allowing you to meet your 72-hour GDPR notification requirement.


Data Protection Officer

Our Data Protection Officer oversees GDPR compliance and serves as your point of contact for all data protection matters.

Contact Our DPO

  • Email: dpo@celebrationapp.pro
  • Response Time: Within 2 business days
  • Languages: English, German, French

DPO Responsibilities

  • Monitor GDPR compliance
  • Conduct privacy audits
  • Handle data subject requests
  • Liaise with supervisory authorities
  • Provide privacy training

GDPR Compliance Checklist

Requirement                | Status      | Details
Privacy by Design          | ✓ Compliant | Data minimization, pseudonymization implemented
Data Processing Agreements | ✓ Compliant | DPAs with all sub-processors
Subject Rights Management  | ✓ Compliant | Automated request handling system
Breach Notification        | ✓ Compliant | 48-hour notification procedure
Data Protection Officer    | ✓ Compliant | Appointed and accessible
Records of Processing      | ✓ Compliant | Maintained and available on request
International Transfers    | ✓ Compliant | SCCs implemented
Security Measures          | ✓ Compliant | Technical and organizational measures in place

GDPR Support & Assistance

We're here to help with all your GDPR-related questions and requests.

  • 🔐 Data Requests (exercise your GDPR rights): privacy@celebrationapp.pro
  • 👤 DPO Contact (Data Protection Officer): dpo@celebrationapp.pro
  • 📞 Support (general assistance): support@celebrationapp.pro