GDPR Compliance

Last updated: June 4, 2026

Table of Contents

  1. Introduction
  2. Who We Are (Data Controller)
  3. Data Protection Officer (DPO)
  4. Scope of This GDPR Notice
  5. Personal Data We Collect
  6. Purposes and Legal Basis for Processing
  7. Legitimate Interests Assessment
  8. Consent Mechanisms
  9. Processing of Special Categories of Data
  10. Automated Decision-Making and Profiling
  11. Data Retention
  12. Data Subjects' Rights Under GDPR
  13. Exercising Your Rights
  14. Data Security Measures
  15. Data Breach Notification
  16. International Data Transfers
  17. Cookies and Tracking Technologies
  18. Data Protection Impact Assessments (DPIAs)
  19. Third-Party Processors
  20. Children's Data
  21. Complaints and Supervisory Authority
  22. Changes to This GDPR Notice

1. Introduction

1.1 Commitment to Data Protection

OUTGRAVE is committed to protecting the privacy and security of all individuals whose personal data we process. This GDPR Compliance Notice ("GDPR Notice") explains how we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR"), including the Data Protection Act 2018.

This Notice applies to all individuals located in the European Economic Area (EEA) (including all 27 EU member states plus Iceland, Liechtenstein, and Norway), the United Kingdom (UK), Switzerland, and any other jurisdiction where the GDPR applies.

1.2 What Is the GDPR?

The GDPR is a comprehensive data protection law that gives individuals greater control over their personal data and imposes strict obligations on organizations that collect, use, or process personal data. It applies to:

  • Controllers: Organizations that determine the purposes and means of processing personal data
  • Processors: Organizations that process personal data on behalf of controllers

Under the GDPR, OUTGRAVE acts as a Data Controller for most personal data we collect directly from users. In certain circumstances (such as when providing services to business clients), we may act as a Data Processor.

1.3 Our GDPR Principles

We adhere to the following data protection principles as required by Article 5 of the GDPR:

| Principle | Description | Our Compliance |
|---|---|---|
| Lawfulness, Fairness, and Transparency | Processing must be lawful, fair, and transparent to the data subject | We provide clear privacy notices, obtain valid consent where required, and process data only on established legal bases |
| Purpose Limitation | Data must be collected for specified, explicit, and legitimate purposes | We clearly define purposes at the point of collection and do not process data for incompatible purposes |
| Data Minimization | Data must be adequate, relevant, and limited to what is necessary | We collect only the minimum data required to achieve our purposes |
| Accuracy | Data must be accurate and kept up to date | We provide mechanisms for you to update your data and correct inaccuracies |
| Storage Limitation | Data must be kept only as long as necessary | We maintain defined retention schedules and securely delete data when no longer needed |
| Integrity and Confidentiality | Data must be processed securely | We implement appropriate technical and organizational security measures |
| Accountability | The controller is responsible for compliance | We maintain records of processing activities, conduct DPIAs, and have appointed a DPO |

2. Who We Are (Data Controller)

2.1 Controller Information

OUTGRAVE acts as the Data Controller for the personal data we collect from individuals who use our Services, visit our websites, or interact with us directly.

Data Controller: OUTGRAVE
Email: privacy@outgrave.com

2.2 Our Representatives in the EEA and UK

Under Article 27 of the GDPR, controllers not established in the EEA or UK must designate a representative. Our designated representatives are:

For the European Union: [Contact information for EU representative — to be appointed]

For the United Kingdom: [Contact information for UK representative — to be appointed]

Please direct all GDPR-related correspondence to our DPO at privacy@outgrave.com, and we will coordinate with our representatives as required.

2.3 Joint Controllership

We do not engage in joint controllership arrangements. However, we may share data with certain partners who act as independent controllers for their own purposes. In such cases, each controller is separately responsible for compliance with its own data processing activities.


3. Data Protection Officer (DPO)

3.1 Appointment

Pursuant to Articles 37-39 of the GDPR, OUTGRAVE has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy, ensuring GDPR compliance, and serving as the point of contact for data subjects and supervisory authorities.

3.2 DPO Contact Information

Data Protection Officer: OUTGRAVE DPO
Email: dpo@outgrave.com
Subject Line: Please include "GDPR" in the subject line for priority handling

3.3 DPO Responsibilities

Our DPO is responsible for:

  • Monitoring compliance with the GDPR and other applicable data protection laws
  • Informing and advising our organization of our data protection obligations
  • Providing advice regarding Data Protection Impact Assessments (DPIAs)
  • Cooperating with and serving as the contact point for supervisory authorities
  • Handling data subject requests and complaints
  • Conducting data protection training and awareness programs
  • Maintaining the Record of Processing Activities (ROPA)

3.4 Contacting the DPO

You may contact our DPO regarding any matter related to the processing of your personal data, including:

  • Questions about this GDPR Notice
  • Requests to exercise your data subject rights
  • Complaints about our data processing practices
  • Inquiries about data protection and privacy

All communications with our DPO will be treated confidentially and responded to within the timeframes required by the GDPR.


4. Scope of This GDPR Notice

4.1 Who This Notice Applies To

This GDPR Notice applies to:

  • Individuals located in the EEA, UK, and Switzerland
  • Individuals located in other jurisdictions where the GDPR applies by reason of treaty, agreement, or local law
  • Any individual whose personal data is processed by OUTGRAVE in connection with:
      • Visiting our websites or applications
      • Using our Services
      • Creating an account
      • Making a purchase or transaction
      • Subscribing to communications
      • Contacting our support team
      • Participating in surveys or promotions
      • Applying for employment
      • Any other interaction with OUTGRAVE

4.2 Relationship to Our Privacy Policy

This GDPR Notice supplements our main Privacy Policy and is specifically designed to address the requirements of the GDPR. In the event of any conflict between this GDPR Notice and our Privacy Policy, this GDPR Notice shall prevail for data subjects in the EEA, UK, and Switzerland.

4.3 Territorial Scope

The GDPR applies to the processing of personal data of data subjects who are in the EEA or UK, regardless of whether the processing takes place in the EEA or UK. This means that even if OUTGRAVE is established outside the EEA or UK, we comply with the GDPR when processing personal data of individuals located in those regions.


5. Personal Data We Collect

5.1 Categories of Data We Process

We collect and process the following categories of personal data from data subjects in the EEA and UK:

| Category | Examples | Lawful Basis |
|---|---|---|
| Identity Data | Full name, username, profile picture, date of birth | Contractual necessity, consent |
| Contact Data | Email address, phone number, billing address, shipping address | Contractual necessity, legal obligation |
| Financial Data | Payment card information (processed by third-party processors), transaction history, billing records | Contractual necessity, legal obligation |
| Technical Data | IP address, browser type and version, operating system, device identifiers, cookies | Legitimate interests, consent |
| Usage Data | Pages viewed, features used, navigation paths, time spent, clickstream data | Legitimate interests, consent |
| Profile Data | Preferences, interests, feedback, survey responses | Consent, legitimate interests |
| Marketing Data | Communication preferences, opt-in/opt-out status, campaign interactions | Consent |
| Communications Data | Support tickets, emails, chat transcripts, call recordings | Contractual necessity, legitimate interests |
| User Content | Reviews, comments, forum posts, uploaded content | Consent, contractual necessity |

5.2 Sources of Data

We collect personal data from the following sources:

  • Directly from you: When you provide information through our Services, forms, communications, or interactions
  • Automatically: Through cookies, tracking technologies, server logs, and analytics tools
  • Third parties: From payment processors, social media platforms (when you connect accounts), analytics providers, advertising partners, and publicly available sources (as permitted by law)

5.3 Data Minimization

We adhere to the data minimization principle. We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We do not collect data on a speculative basis or "just in case."


6. Purposes and Legal Basis for Processing

6.1 Lawful Bases Relied Upon

Under the GDPR, we must have a lawful basis for processing your personal data. We rely on the following lawful bases as set out in Article 6 of the GDPR:

6.1.1 Consent (Article 6(1)(a))

We rely on your consent for the following processing activities:

  • Sending marketing communications, newsletters, and promotional offers
  • Placing non-essential cookies and using tracking technologies
  • Processing special categories of data (where you voluntarily provide them)
  • Participating in certain profiling and personalization activities
  • Sharing your data with third parties for their own marketing purposes
  • Processing data for purposes not otherwise covered by another lawful basis

Your Rights: You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact us at privacy@outgrave.com or use the unsubscribe link in our emails.

6.1.2 Contractual Necessity (Article 6(1)(b))

We process your data as necessary for the performance of a contract with you, including:

  • Creating and managing your account
  • Processing transactions, orders, and payments
  • Providing the Services you have requested or subscribed to
  • Delivering digital goods, software, and content
  • Providing customer support and technical assistance
  • Communicating about your account, orders, or service issues

Consequence: If you do not provide the data necessary for contractual performance, we may be unable to provide you with the requested Services.

6.1.3 Legal Obligation (Article 6(1)(c))

We process your data as necessary to comply with legal obligations, including:

  • Tax and accounting record-keeping (e.g., retaining transaction records for 7 years)
  • Responding to lawful requests from courts, law enforcement, or regulatory authorities
  • Complying with anti-money laundering and counter-terrorism financing regulations
  • Fulfilling data breach notification requirements
  • Complying with consumer protection and product safety laws

6.1.4 Legitimate Interests (Article 6(1)(f))

We process your data based on our legitimate interests, provided that such interests are not overridden by your interests, fundamental rights, and freedoms. Our legitimate interests include:

  • Service Improvement: Analyzing usage patterns to improve and optimize our Services, user experience, and functionality
  • Security: Protecting our systems, users, and data from fraud, abuse, unauthorized access, and security threats
  • Business Operations: Managing our business operations efficiently, including IT administration, network management, and business planning
  • Marketing: Promoting our products and services to existing customers through direct marketing (with opt-out rights)
  • Fraud Prevention: Detecting, preventing, and investigating fraudulent transactions and activities
  • Legal Compliance: Establishing, exercising, or defending legal claims

Your Rights: You have the right to object to processing based on legitimate interests at any time. See Section 12.7 (Right to Object) for more information.

6.1.5 Vital Interests (Article 6(1)(d))

We may process your data where necessary to protect your vital interests or those of another natural person, such as in a medical emergency or life-threatening situation.

6.1.6 Public Interest (Article 6(1)(e))

We may process your data where necessary for the performance of a task carried out in the public interest, though this is not a basis we commonly rely on.

6.2 Purpose-Specific Legal Bases

| Processing Purpose | Lawful Basis | Legitimate Interest (if applicable) |
|---|---|---|
| Account creation and management | Contractual necessity | N/A |
| Order processing and fulfillment | Contractual necessity | N/A |
| Payment processing | Contractual necessity, legal obligation | N/A |
| Customer support | Contractual necessity | Service improvement |
| Service improvement and analytics | Legitimate interests | Improving user experience and Service quality |
| Marketing communications | Consent (new customers), Legitimate interests (existing customers) | Promoting products and services |
| Security and fraud prevention | Legitimate interests | Protecting our systems and users |
| Legal compliance | Legal obligation | N/A |
| Cookie placement and tracking | Consent (non-essential), Legitimate interests (essential) | Service functionality |

7. Legitimate Interests Assessment

7.1 Our Assessment Process

Where we rely on legitimate interests as a lawful basis for processing, we have conducted a Legitimate Interests Assessment (LIA) as required by the GDPR. Our LIA process evaluates:

  1. The Purpose Test: Is there a legitimate interest behind the processing?
  2. The Necessity Test: Is the processing necessary to achieve that interest?
  3. The Balancing Test: Are the interests, rights, and freedoms of the data subject overridden by our legitimate interests?

7.2 Balancing of Interests

We have balanced our legitimate interests against your rights and have implemented the following safeguards to protect your interests:

  • Providing clear notice of the processing
  • Offering easy opt-out mechanisms
  • Minimizing the data collected and retained
  • Implementing appropriate security measures
  • Conducting regular reviews of our processing activities
  • Ensuring transparency in our privacy communications

7.3 Your Right to Object

If you wish to object to any processing based on legitimate interests, please contact us at privacy@outgrave.com. We will review your objection and cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.


8. Consent Mechanisms

8.1 Obtaining Consent

Where we rely on consent as a lawful basis, we obtain your consent through clear, affirmative actions, such as:

  • Checking a consent checkbox (not pre-ticked)
  • Clicking an "I Accept" or "I Consent" button
  • Toggling a setting to opt in
  • Verbally confirming consent (in recorded calls)
  • Signing a consent form

We never use pre-ticked boxes, implied consent, or silence as a means of obtaining consent.

8.2 Granularity of Consent

We obtain separate, granular consent for different processing purposes where appropriate. For example:

  • Marketing emails: Separate consent for promotional communications
  • Non-essential cookies: Separate consent for analytics and advertising cookies
  • Profiling: Separate consent for behavioral profiling and personalization
  • Third-party sharing: Separate consent for sharing data with third parties for their own purposes

8.3 Record of Consent

We maintain records of when and how consent was obtained, including:

  • The date and time of consent
  • The method used to obtain consent
  • The exact wording of the consent request
  • Whether consent was provided freely and unambiguously
  • Any subsequent withdrawal of consent

8.4 Withdrawal of Consent

You have the right to withdraw your consent at any time. Withdrawal is as easy as giving consent. You can withdraw consent by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your privacy preferences in your account settings
  • Contacting us at privacy@outgrave.com
  • Adjusting your cookie preferences through our cookie consent banner

We will process your withdrawal request within 48 hours. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.5 Renewal of Consent

We periodically renew your consent (typically every 12 months) to ensure it remains valid, informed, and freely given. If you do not reconfirm your consent, we will cease the relevant processing activities.


9. Processing of Special Categories of Data

9.1 What Are Special Categories of Data?

Article 9 of the GDPR prohibits the processing of special categories of personal data unless specific conditions are met. Special categories include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for unique identification)
  • Health data
  • Data concerning a person's sex life or sexual orientation

9.2 Our Processing of Special Categories

We do not intentionally or knowingly collect or process special categories of personal data. We have designed our Services to avoid requesting or requiring such data.

However, if you voluntarily provide special category data (for example, by including it in a support ticket, feedback form, or user-generated content), you explicitly consent to our processing of such data. We will use such data only for the specific purpose for which it was provided and will delete it as soon as reasonably practicable.

9.3 Safeguards

If we were to process special categories of data, we would:

  • Obtain your explicit consent for each specific purpose
  • Implement additional security measures to protect such data
  • Limit access to authorized personnel on a strict need-to-know basis
  • Retain such data only for the minimum period necessary
  • Delete or anonymize such data as soon as the purpose is fulfilled

10. Automated Decision-Making and Profiling

10.1 What We Do

We may engage in automated decision-making and profiling activities based on your personal data, as described in our Privacy Policy. These activities include:

  • Automated content recommendations: Suggesting products, services, or content based on your preferences and behavior
  • Fraud detection: Automatically assessing transaction risk and flagging potentially fraudulent activities
  • Segmentation: Grouping users based on shared characteristics for analytics and marketing purposes
  • Personalization: Tailoring your experience based on your usage patterns and preferences

10.2 No Solely Automated Decisions

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, unless we have obtained your explicit consent or the processing is necessary for entering into or performing a contract with you.

If we were to engage in such processing, we would:

  • Inform you that the processing is taking place
  • Provide meaningful information about the logic involved
  • Explain the significance and envisaged consequences
  • Offer you the right to obtain human intervention
  • Allow you to express your point of view
  • Provide the right to contest the decision

10.3 Safeguards

Any automated decision-making is subject to the following safeguards:

  • Regular testing and validation of algorithms
  • Human oversight and review processes
  • Mechanisms for you to challenge decisions
  • Transparency about the factors used in decision-making
  • Compliance with data minimization and accuracy principles

11. Data Retention

11.1 Retention Principles

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as described in this GDPR Notice and our Privacy Policy, or as required by applicable law.

11.2 Criteria for Determining Retention Periods

When determining the appropriate retention period, we consider:

  • The nature, scope, and purpose of the processing
  • The amount, nature, and sensitivity of the data
  • The potential risk of harm from unauthorized use or disclosure
  • Whether we can achieve the purposes through other means
  • Applicable legal, regulatory, tax, and accounting requirements
  • Industry standards and best practices
  • The existence of any ongoing legal or regulatory proceedings

11.3 Specific Retention Periods

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of account + 36 months after closure | Contractual necessity, dispute resolution |
| Transaction data | 7 years from transaction date | Legal obligation (tax and accounting) |
| Marketing data | Until consent withdrawal or 60 months of inactivity | Consent management, legitimate interests |
| Support correspondence | 36 months from last communication | Service improvement, dispute resolution |
| Analytics data | 24 months (raw); indefinitely (anonymized/aggregated) | Legitimate interests |
| Log data | 24 months | Security, fraud prevention |
| Cookie data | As specified in cookie policy | Varies by cookie type |
| Backup data | 90 days after source data deletion | Disaster recovery |
| Legal hold data | Duration of hold + 30 days | Legal compliance |

11.4 Data Deletion and Anonymization

When data is no longer needed, we:

  • Permanently delete the data from our active systems and databases
  • Anonymize the data so that it can no longer be associated with an identifiable individual
  • Aggregate the data where appropriate for statistical or analytical purposes

We use secure deletion methods, including cryptographic erasure, data overwriting, and physical destruction of storage media where applicable.

11.5 Periodic Review

We conduct periodic reviews of our data retention practices to ensure compliance with the GDPR and to verify that data is not retained longer than necessary.


12. Data Subjects' Rights Under GDPR

As a data subject located in the EEA, UK, or Switzerland, you have the following rights under the GDPR. We will respond to all legitimate requests within one month of receipt, extendable by up to two additional months for complex or high-volume requests.

12.1 Right to Be Informed (Articles 13, 14)

You have the right to be informed about the collection and use of your personal data. This GDPR Notice, together with our Privacy Policy, fulfills this obligation by providing you with:

  • The identity and contact details of the data controller and DPO
  • The purposes and legal basis for processing
  • The legitimate interests pursued (where applicable)
  • The categories of personal data collected
  • The recipients or categories of recipients
  • Details of international data transfers and safeguards
  • The retention period or criteria used
  • Your data subject rights
  • Your right to withdraw consent
  • Your right to lodge a complaint with a supervisory authority
  • Whether you are obliged to provide data and consequences of not providing it
  • The existence of automated decision-making and profiling

12.2 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with the following information:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The envisaged retention period or criteria used to determine it
  • The existence of your rights (rectification, erasure, restriction, objection)
  • The right to lodge a complaint with a supervisory authority
  • Information about the source of the data (if not collected from you)
  • The existence of automated decision-making and profiling, including meaningful information about the logic involved
  • Appropriate safeguards relating to international data transfers

How to Exercise: Submit a request to privacy@outgrave.com. We may request proof of identity before fulfilling your request. We will provide the information in a commonly used electronic format (e.g., PDF, CSV).

Additional Copies: You may request additional copies of your data. We may charge a reasonable fee based on administrative costs for additional copies.

12.3 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data concerning you and to have incomplete personal data completed, including by providing a supplementary statement.

How to Exercise: Contact us at privacy@outgrave.com or update your data directly through your account settings.

Timeframe: We will respond to rectification requests within one month.

12.4 Right to Erasure ("Right to Be Forgotten") (Article 17)

You have the right to request deletion of your personal data where one of the following grounds applies:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent and there is no other lawful basis for processing
  • You object to processing based on legitimate interests and there are no overriding legitimate grounds
  • You object to processing for direct marketing purposes
  • The data was unlawfully processed
  • Deletion is required to comply with a legal obligation
  • The data was collected in relation to the offer of information society services to a child

Exceptions: We may refuse deletion where processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation
  • The performance of a task carried out in the public interest
  • Archiving purposes in the public interest
  • The establishment, exercise, or defense of legal claims

How to Exercise: Submit a deletion request to privacy@outgrave.com.

12.5 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing where one of the following applies:

  • You contest the accuracy of the data (for a period enabling us to verify accuracy)
  • Processing is unlawful and you oppose deletion and request restriction instead
  • We no longer need the data but you require it for the establishment, exercise, or defense of legal claims
  • You have objected to processing based on legitimate interests (pending verification of our compelling legitimate grounds)

Effect of Restriction: When processing is restricted, we may store the data but not further process it, except with your consent or for legal claims, protection of others, or important public interest reasons.

How to Exercise: Contact us at privacy@outgrave.com.

12.6 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV, JSON, or XML) and to transmit that data to another controller without hindrance, where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

This right applies only to data you have provided to us and only where technically feasible.

How to Exercise: Submit a portability request to privacy@outgrave.com. We will provide the data in a commonly used format within one month.

12.7 Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests or public interest, including profiling based on those grounds.

Direct Marketing: Where we process your data for direct marketing purposes, you have an absolute right to object at any time, and we will cease processing for such purposes immediately.

Legitimate Interests: Where processing is based on legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

How to Exercise: Contact us at privacy@outgrave.com or use the unsubscribe link in marketing communications.

12.8 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. See Section 10 for more details on our practices.

12.9 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you have the right to withdraw your consent at any time. See Section 8.4 for details on how to withdraw consent.

12.10 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data violates the GDPR. See Section 21 for details.

12.11 Right to Compensation (Article 82)

You have the right to claim compensation from us for material or non-material damage suffered as a result of a breach of the GDPR.


13. Exercising Your Rights

13.1 How to Submit a Request

To exercise any of your GDPR rights, please contact us through any of the following channels:

Email: privacy@outgrave.com
Subject Line: Please include the relevant right in the subject line (e.g., "Data Access Request," "Deletion Request," "Objection")

13.2 Information We May Need

We may need to request specific information from you to:

  • Verify your identity: We take the security of your data seriously and will only respond to requests from the data subject or an authorized representative
  • Locate your data: We may ask clarifying questions to help us locate the data you are requesting
  • Process your request: We may need additional details to understand the scope of your request

13.3 Identity Verification

We may require you to provide:

  • A copy of a government-issued identification document (passport, driver's license, national ID card)
  • Proof of address (utility bill, bank statement)
  • Confirmation of your email address or phone number
  • Additional information that matches our records

We will use the information you provide for verification purposes only and will delete it after processing your request.

13.4 Authorized Representatives

You may designate an authorized representative to exercise your rights on your behalf. We will require:

  • Written authorization signed by you
  • Proof of your identity
  • Proof of the representative's identity

13.5 Timeframes

| Request Type | Response Timeframe | Extension Possible |
|---|---|---|
| Access request | 30 calendar days | Yes (up to 60 additional days) |
| Rectification request | 30 calendar days | Yes (up to 60 additional days) |
| Erasure request | 30 calendar days | Yes (up to 60 additional days) |
| Restriction request | 30 calendar days | Yes (up to 60 additional days) |
| Portability request | 30 calendar days | Yes (up to 60 additional days) |
| Objection | 30 calendar days | Yes (up to 60 additional days) |
| Consent withdrawal | 48 hours | No |

13.6 Fees

We will handle your first request in a 12-month period free of charge. For subsequent requests, we may charge a reasonable fee based on administrative costs. We may refuse to act on:

  • Manifestly unfounded or excessive requests
  • Repeated requests without reasonable justification
  • Requests that cannot reasonably be fulfilled

13.7 Refusal to Act

If we refuse to act on your request, we will inform you of:

  • The reasons for the refusal
  • Your right to lodge a complaint with a supervisory authority
  • Your right to seek a judicial remedy

14. Data Security Measures

14.1 Technical and Organizational Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. Our security measures include:

14.1.1 Technical Measures

  • Encryption: Transport Layer Security (TLS) 1.2+ for all data in transit; AES-256 encryption for data at rest
  • Pseudonymization: Where appropriate, we pseudonymize personal data to reduce the risk of identification
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection
  • Monitoring: 24/7 system monitoring, logging, and anomaly detection
  • Vulnerability Management: Regular vulnerability scanning, penetration testing, and patch management
  • Backup and Recovery: Regular encrypted backups, disaster recovery plans, business continuity procedures
  • Secure Development: Secure SDLC, code reviews, static and dynamic testing

14.1.2 Organizational Measures

  • Policies: Written data protection policies, information security policies, and incident response plans
  • Training: Mandatory GDPR and data protection training for all employees and contractors
  • Confidentiality: All personnel with access to personal data are bound by confidentiality agreements
  • Due Diligence: Security and privacy assessment of all third-party processors
  • Audits: Regular internal and external audits of our data protection practices
  • Records: Maintenance of Records of Processing Activities (ROPA)

14.2 Data Protection by Design and Default

We implement data protection by design and default (Article 25 GDPR) by:

  • Integrating data protection considerations into the design of new products, services, and processes
  • Implementing privacy-enhancing technologies where appropriate
  • Applying the data minimization principle by default
  • Ensuring that by default, personal data is not made accessible without the individual's intervention
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities

14.3 Security Breach Response

We have implemented a comprehensive security incident response plan that includes procedures for:

  • Detecting, reporting, and investigating security incidents
  • Containing and mitigating breaches
  • Notifying affected data subjects without undue delay
  • Notifying supervisory authorities within 72 hours (where required)
  • Documenting all breaches and remedial actions taken

15. Data Breach Notification

15.1 Notification to Supervisory Authority

In the event of a personal data breach, we will notify the relevant supervisory authority (e.g., the ICO for the UK or the lead supervisory authority for the EEA) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons, as required by Article 33 of the GDPR.

Our notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records affected
  • The name and contact details of our DPO
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach
  • Recommendations for mitigating potential adverse effects

15.2 Notification to Data Subjects

Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 of the GDPR. Our notification will include:

  • A description of the nature of the breach
  • The name and contact details of our DPO
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach
  • Recommendations for mitigating potential adverse effects

15.3 Exceptions

Notification to data subjects is not required if:

  • We have implemented appropriate technical and organizational measures that render the data unintelligible (e.g., encryption)
  • We have taken subsequent measures that ensure the high risk is no longer likely to materialize
  • It would involve disproportionate effort (in which case we will issue a public communication)

15.4 Documentation

We will document all data breaches, including:

  • The facts relating to the breach
  • The effects of the breach
  • The remedial actions taken
  • Lessons learned and preventive measures implemented

16. International Data Transfers

16.1 Transfers Outside the EEA and UK

As described in our Privacy Policy, your personal data may be transferred to, stored, and processed in countries outside the EEA and UK, including the United States and other countries.

16.2 Adequacy Decisions

Where the European Commission or UK Government has determined that a country provides an adequate level of data protection (an "adequacy decision" under Article 45 of the GDPR), we may transfer data to that country without additional safeguards.

Adequacy decisions have been issued for: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom (for EEA transfers), Uruguay, and others as updated by the European Commission.

16.3 Appropriate Safeguards

Where we transfer data to countries without an adequacy decision, we implement appropriate safeguards as required by Article 46 of the GDPR, including:

16.3.1 Standard Contractual Clauses (SCCs)

We use the European Commission's Standard Contractual Clauses (2021 version) and the UK International Data Transfer Agreement (IDTA) to govern transfers of personal data from the EEA and UK to third countries. These clauses contractually obligate the data recipient to protect your data to GDPR standards.

16.3.2 Supplementary Measures

Where required, we implement supplementary measures to ensure an essentially equivalent level of protection, including:

  • Encryption of data in transit and at rest
  • Pseudonymization
  • Technical controls limiting access
  • Regular compliance audits
  • Data transfer impact assessments

16.4 Transfer Impact Assessments (TIAs)

We conduct Transfer Impact Assessments (TIAs) for all significant international data transfers to assess whether the legal framework in the destination country provides essentially equivalent protection to the GDPR, and to identify and implement any supplementary measures needed.

16.5 Your Consent to Transfers

By using our Services and providing us with your personal data, you explicitly consent to the transfer, storage, and processing of your personal data in countries outside the EEA and UK, including countries that may have different data protection standards. We will implement appropriate safeguards as described above.

16.6 Copies of Safeguards

Copies of the appropriate safeguards we use for international data transfers are available upon request by contacting us at privacy@outgrave.com. We may redact certain information for confidentiality reasons.


17. Cookies and Tracking Technologies

17.1 Cookie Consent

When you visit our website for the first time, we display a cookie consent banner that allows you to:

  • Accept all cookies
  • Reject all non-essential cookies
  • Customize your cookie preferences
  • Learn more about each category of cookies

17.2 Cookie Categories

We use the following categories of cookies:

Category               Description                                  Legal Basis                              Consent Required
Strictly Necessary     Required for basic website functionality     Legitimate interests (Article 6(1)(f))   No (exempt from consent)
Functionality          Remember preferences and settings            Consent (Article 6(1)(a))                Yes
Performance/Analytics  Track usage and improve performance          Consent (Article 6(1)(a))                Yes
Advertising/Targeting  Deliver relevant ads and measure campaigns   Consent (Article 6(1)(a))                Yes
Social Media           Enable sharing and social features           Consent (Article 6(1)(a))                Yes

17.3 Withdrawal of Cookie Consent

You can withdraw or modify your cookie consent at any time through:

  • Our cookie preference center (accessible through the website footer)
  • Your browser settings
  • Our privacy preferences page in your account settings

17.4 Detailed Cookie Information

For a complete list of the specific cookies we use, their purposes, and their retention periods, please refer to Section 9 of our Privacy Policy or contact us at privacy@outgrave.com.


18. Data Protection Impact Assessments (DPIAs)

18.1 When We Conduct DPIAs

We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 of the GDPR when processing activities are likely to result in a high risk to the rights and freedoms of natural persons, including:

  • Using new technologies for processing
  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas on a large scale
  • Any other processing that poses high risk

18.2 DPIA Process

Our DPIA process includes:

  1. Description of Processing: A systematic description of the processing operations, purposes, and legal basis
  2. Necessity and Proportionality Assessment: An assessment of whether the processing is necessary and proportionate
  3. Risk Assessment: An assessment of the risks to the rights and freedoms of data subjects
  4. Risk Mitigation: Measures to address the identified risks, including safeguards, security measures, and mechanisms to ensure data protection

18.3 Consultation with Supervisory Authority

Where a DPIA indicates that the processing would result in high risk that cannot be mitigated, we will consult with the relevant supervisory authority before proceeding with the processing, as required by Article 36 of the GDPR.


19. Third-Party Processors

19.1 Engagement of Processors

We engage third-party data processors to process personal data on our behalf. We only engage processors who provide sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR.

19.2 Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with all our processors, as required by Article 28 of the GDPR. Our DPAs include:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • Confidentiality obligations on the processor's personnel
  • Security measures to be implemented
  • Restrictions on sub-processing
  • Assistance obligations (data subject rights, breach notification, DPIAs)
  • Data deletion or return obligations upon termination
  • Audit and inspection rights

19.3 List of Processors

We maintain an up-to-date list of our sub-processors. For a current list, please contact us at privacy@outgrave.com.

19.4 Sub-Processing

Where our processors engage sub-processors, we require:

  • Prior written authorization (specific or general)
  • Notification of any changes to sub-processors
  • The same data protection obligations imposed on the sub-processor as in the DPA

20. Children's Data

20.1 Age of Digital Consent

Under the GDPR, the age of digital consent for information society services varies by member state:

  • 13 years: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France (with parental authorization), Germany (under certain conditions), Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
  • 14 years: Austria (certain cases), Italy (certain cases)
  • 15 years: Czech Republic (certain cases)
  • 16 years: Germany (under certain conditions), Switzerland, United Kingdom

20.2 Our Policy

Our Services are not directed at, intended for, or designed for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children below the applicable age.

20.3 Parental Consent

If we become aware that we have collected personal data from a child below the applicable age of digital consent without verifiable parental consent, we will:

  1. Immediately delete the child's personal data from our systems
  2. Delete any associated account
  3. Notify the parent or guardian if contact information is available

20.4 How to Report

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at privacy@outgrave.com.


21. Complaints and Supervisory Authority

21.1 Right to Complain

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first at privacy@outgrave.com so that we may attempt to resolve your concerns directly.

21.2 EEA Supervisory Authorities

You may lodge a complaint with:

  • Your local supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred
  • Our lead supervisory authority (if we have one designated in the EEA)

A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

21.3 UK Supervisory Authority

For data subjects in the United Kingdom:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

21.4 Swiss Supervisory Authority

For data subjects in Switzerland:

Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch
Address: Feldeggweg 1, CH-3003 Bern, Switzerland

21.5 No Retaliation

We will not retaliate against you for filing a complaint with a supervisory authority or for exercising any of your GDPR rights.


22. Changes to This GDPR Notice

22.1 Right to Modify

We reserve the right to update, modify, amend, or change this GDPR Notice at any time to reflect changes in our data processing practices, legal requirements, or regulatory guidance.

22.2 Notification of Material Changes

For material changes to this GDPR Notice, we will notify you through:

  • Email notification (if you have provided your email address)
  • Prominent notice on our website
  • In-app notification

Material changes include, but are not limited to:

  • Changes in the purposes or legal basis for processing
  • New processing activities that significantly affect your rights
  • Changes in our use of automated decision-making
  • Changes in international data transfer mechanisms

22.3 Date of Last Update

The "Last updated" date at the top of this GDPR Notice indicates when it was last revised. We encourage you to review this Notice periodically.

22.4 Previous Versions

Previous versions of this GDPR Notice are available upon request by contacting us at privacy@outgrave.com.


This GDPR Compliance Notice was last updated on June 4, 2026. Effective Date: June 4, 2026.

This Notice is provided pursuant to Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 and the UK General Data Protection Regulation.

Copyright © 2026 OUTGRAVE. All rights reserved.