GDPR Compliance

1. Introduction

The General Data Protection Regulation (GDPR) is a European regulation that came into effect on May 25, 2018, designed to strengthen the protection of personal data for citizens of the European Union.

NEETOO Software LLC, operating under the trade name 42SAFE, complies with GDPR for all EU users. We believe privacy is a fundamental right and apply the highest data protection standards globally.

This page details our GDPR compliance approach and the measures we implement to protect your rights and data.

2. Data Controller Information

2.1 Data Controller

• Company: NEETOO Software LLC
• Trade Name: 42SAFE
• Address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
• Email: [email protected]

2.2 GDPR Contact (Data Protection Officer equivalent)

• Email: [email protected]
• Response Time: 30 calendar days

Our GDPR contact is responsible for:

• Ensuring GDPR compliance within 42SAFE
• Advising on data protection obligations
• Serving as point of contact with data protection authorities (CNIL, ICO, etc.)
• Processing your data subject rights requests

3. Legal Bases for Processing

In accordance with GDPR Article 6, we process personal data only when we have a valid legal basis:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary for the performance of our service agreement:

• Creating and managing your user account
• Providing cybersecurity services (breach monitoring, DNS protection)
• Processing payments and managing subscriptions
• Customer support and technical assistance

3.2 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations:

• Tax and accounting record retention
• Responding to lawful requests from authorities
• Data breach notification to authorities (within 72 hours)

3.3 Legitimate Interest (Article 6(1)(f))

Processing for our legitimate interests, balanced against your rights:

• System security and fraud prevention
• Service improvement (using anonymized data)
• Defending legal claims

3.4 Consent (Article 6(1)(a))

Processing based on your explicit, freely given consent:

• Marketing communications and newsletters
• Non-essential cookies (analytics, functional)
• Breach monitoring for data you explicitly provide

You can withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

4. Your GDPR Rights

GDPR grants you the following rights. See our Privacy Policy for full details on how to exercise them.

4.1 Right of Access (Article 15)

You have the right to obtain:

• Confirmation that we process your personal data
• A copy of your personal data
• Information about processing purposes, data categories, recipients, and retention periods

How to exercise: Account Settings → Privacy → "Download my data" or contact [email protected]

4.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data.

How to exercise: Update directly in account settings or contact our GDPR team.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your data when:

• Data is no longer necessary for the original purpose
• You withdraw consent and no other legal basis exists
• You object to processing and no overriding legitimate grounds exist
• Data has been unlawfully processed
• Deletion is required by law

Exceptions: We may retain data required for legal obligations (e.g., billing records).

How to exercise: Account Settings → "Delete my account" or email [email protected]

4.4 Right to Restriction (Article 18)

You can request temporary suspension of processing when:

• You contest data accuracy (during verification)
• Processing is unlawful but you prefer restriction over erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification)

4.5 Right to Data Portability (Article 20)

You have the right to receive your data in a structured, commonly used, machine-readable format (JSON, CSV) and transmit it to another controller.

Scope: Data you provided where processing is based on consent or contract and performed by automated means.

How to exercise: Account Settings → Privacy → "Export my data"

4.6 Right to Object (Article 21)

You can object at any time to processing based on legitimate interest for reasons relating to your particular situation.

Absolute right for marketing: You can object to direct marketing without justification. Unsubscribe links are in every email.

4.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you.

What's Automated at 42SAFE

• Threat detection alerts: Informational only, no restriction on your account
• Rate limiting: Technical protection, not personal decision-making
• Breach matching: Automated detection, human-reviewed before notification

What Requires Human Review

• Account suspension or termination
• Access restrictions
• Legal actions or data requests
• Any decision with legal or significant effects

Your Rights

You can request human review of any decision by contacting [email protected]. We respond within 30 calendar days.

4.8 Response Times

We respond to data subject requests within 30 calendar days. For complex requests, we may extend this by up to two months with notification.

5. Data Protection Principles

In accordance with GDPR Article 5, we adhere to the following principles:

5.1 Lawfulness, Fairness, and Transparency

• We collect data lawfully and transparently
• We clearly inform you of all processing activities
• We never collect data through deceptive means

5.2 Purpose Limitation

• Data is collected for specified, explicit, and legitimate purposes
• We do not process data in ways incompatible with those purposes
• Each processing activity has a clearly defined purpose in our Privacy Policy

5.3 Data Minimization

• We collect only data strictly necessary for our purposes
• We do not collect data "just in case" it might be useful
• Regular reviews eliminate unnecessary data collection
• For EU users: We display limited breach data (city only, birth year only, masked phone numbers)

5.4 Accuracy

• We strive to keep data accurate and up-to-date
• You can correct your data at any time in account settings
• Inaccurate data reported to us is promptly corrected or deleted

5.5 Storage Limitation

• Data is retained only as long as necessary for its purposes
• Maximum retention: 30 days for most data
• Automatic deletion or anonymization upon expiration

5.6 Integrity and Confidentiality

• Appropriate technical and organizational security measures
• Protection against unauthorized or unlawful processing
• Protection against accidental loss, destruction, or damage

5.7 Accountability

• We can demonstrate GDPR compliance
• Complete documentation of processing activities and security measures
• Maintained Records of Processing Activities (ROPA)
• Data Protection Impact Assessments (DPIA/AIPD) for high-risk processing

6. Technical and Organizational Security

6.1 Technical Measures

Encryption

• In transit: TLS 1.3 for all communications
• At rest: AES-256 for all sensitive data
• Database: Column-level encryption for critical data
• Backups: Encrypted and stored in geographically separate locations

Access Control

• Least privilege principle
• Two-factor authentication (2FA) required for all staff
• Immediate access revocation for departing employees
• Complete access logs and regular audits

Infrastructure

• Primary hosting in European Union (AWS Frankfurt) for B2C (Supabase) and B2B (Neon)
• Firewalls, intrusion detection systems (IDS/IPS)
• 24/7 monitoring with real-time alerts
• Regular security assessments and penetration testing

6.2 Organizational Measures

Security Policy

• Documented information security policy
• Security incident management procedures
• Business continuity and disaster recovery plans
• Annual policy review and updates

Training and Awareness

• Mandatory GDPR training for all employees
• Ongoing security and privacy awareness programs
• Phishing simulations and security exercises
• Regular updates on new threats and regulations

Data Breach Management

• Documented breach response procedures
• Incident response team
• Notification to authorities within 72 hours if risk to rights
• Notification to affected individuals without undue delay if high risk
• Maintained breach register

7. International Data Transfers

7.1 Primary Storage: European Union

42SAFE stores all personal data primarily in the European Union, ensuring the highest level of GDPR protection.

• Main servers: EU-hosted in AWS Frankfurt (Supabase for B2C, Neon for B2B)
• Backups: Replicated in EU datacenters
• Data processing: Performed exclusively in the EU

7.2 Limited Transfers to Third Countries

Some sub-processors may transfer limited data outside the EU:

Firebase (Google) - USA

• Purpose: Push notifications only
• Data: Device identifiers, notification tokens (no sensitive personal data)
• Safeguards: Standard Contractual Clauses (SCCs)

Stripe - USA

• Purpose: Payment processing
• Data: Payment details (name, email, amount)
• Safeguards: Standard Contractual Clauses (SCCs)

RevenueCat - USA

• Purpose: Mobile subscription management
• Data: Subscription identifiers and status
• Safeguards: Standard Contractual Clauses

7.3 Transfer Safeguards

All transfers outside the EU are protected by at least one of:

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses
• Adequacy decisions: For countries recognized as providing adequate protection
• Binding Corporate Rules (BCRs): For international groups

7.4 Transfer Impact Assessment (Schrems II)

Following the Schrems II ruling (C-311/18), we have conducted Transfer Impact Assessments (TIAs) for all non-EU data transfers. Our supplementary measures include:

Technical Measures

• All data encrypted with AES-256 (encryption keys held exclusively by 42SAFE)
• Transport encryption (TLS 1.3) for all data in transit
• No access to decrypted data by US sub-processors where technically feasible

Contractual Measures

• Standard Contractual Clauses (2021 version) with all US sub-processors
• Sub-processors contractually prohibited from onward transfers
• Contractual obligation to notify us of any government access requests
• Commitment to challenge disproportionate requests

Organizational Measures

• TIAs documented for: Stripe, Firebase, RevenueCat
• Regular review of US legal framework developments
• Contingency plans to migrate data processing if necessary

Risk Assessment Conclusion

Based on our TIAs, the risk of US government access to EU personal data is low given: (1) data categories transferred are limited, (2) encryption renders most data unintelligible, and (3) our business model is not of interest to intelligence services.

8. Privacy by Design and Default (Article 25)

8.1 Privacy by Design

• Privacy Impact Assessment (PIA) for every new feature
• Data minimization built into design from the start
• Technology choices that favor data protection (encryption by default)
• Pseudonymization and anonymization integrated into processes

8.2 Privacy by Default

• Most protective privacy settings as the default
• Minimal data collection by default (opt-in for non-essential data)
• Shortest necessary retention periods by default
• Data sharing disabled by default

8.3 Example: Regional Data Handling

Our breach monitoring system is designed with privacy by design:

• EU users: Automatically receive minimized data (city only, birth year only, masked phone)
• Non-EU users: Can see enhanced data for better protection
• This differentiation is automatic based on detected location
• No user action required - privacy is built in

9. Data Protection Impact Assessments (DPIA/AIPD)

9.1 When We Conduct DPIAs

In accordance with GDPR Article 35, we conduct DPIAs for processing likely to result in high risk to individuals' rights and freedoms:

• Dark web monitoring at scale
• Processing of potentially sensitive breach data
• Automated profiling for threat detection
• Processing of minors' data (family protection)

9.2 DPIA Content

• Detailed description of processing and purposes
• Assessment of necessity and proportionality
• Risk analysis for rights and freedoms
• Measures to mitigate identified risks
• Consultation with GDPR contact and, where appropriate, affected individuals

9.3 AIPD Documentation

We maintain an AIPD (Analyse d'Impact relative à la Protection des Données) documenting how we process and store user data. This document is available to data protection authorities upon request.

10. Sub-Processor Management (Article 28)

10.1 Sub-Processor Obligations

All our sub-processors are contractually required to:

• Process data only on documented instructions from 42SAFE
• Ensure confidentiality of authorized personnel
• Implement appropriate security measures
• Not engage further sub-processors without authorization
• Assist with data subject rights requests
• Assist with GDPR compliance obligations
• Delete or return data at contract end
• Provide information for audits

10.2 Data Processing Agreements

Each sub-processor signs a Data Processing Agreement (DPA) compliant with Article 28, covering all required elements.

10.3 Sub-Processor List

• Supabase: Database hosting for B2C (EU - AWS Frankfurt)
• Neon: Database hosting for B2B (EU - AWS Frankfurt)
• Stripe: Payment processing (USA, with SCCs)
• RevenueCat: Mobile subscriptions (USA, with SCCs)
• Firebase (Google): Push notifications (USA, with SCCs)
• Resend: Transactional emails

11. Supervisory Authority and Complaints

11.1 Lead Supervisory Authority

As a US company serving EU customers, we cooperate with all EU data protection authorities. For French users, the competent authority is:

CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France

• Website: www.cnil.fr
• Phone: +33 1 53 73 22 22

11.2 Right to Complain

If you believe your data protection rights are not being respected, you have the right to lodge a complaint with your local data protection authority.

11.3 Complaint Procedure

Before contacting a supervisory authority, we encourage you to contact us directly at [email protected] to resolve the issue.

If the issue persists, you can file a complaint with your local DPA:

• Online: Via your DPA's website
• By mail: To the address above

11.4 Cooperation with Authorities

42SAFE commits to fully cooperate with data protection authorities during any investigation and to implement corrective measures within required timeframes.

12. Contact Data Protection Authorities

Data protection authorities from any country (CNIL, ICO, AEPD, etc.) can contact us directly at:

• Email: [email protected]
• Mail: NEETOO Software LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA
• Response time: 30 calendar days

We are committed to transparent cooperation with all regulatory bodies.

13. Updates to This Page

This GDPR compliance page is updated regularly to reflect:

• Changes in our data processing practices
• Updates to GDPR regulations and guidance
• Recommendations from CNIL, EDPB, and other authorities
• Feedback from compliance audits

Last updated: December 19, 2025

14. Contact Us

For any questions about our GDPR compliance or to exercise your rights:

• GDPR Contact: [email protected]
• General Support: [email protected]
• Mail: NEETOO Software LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA

We respond to all inquiries within 30 calendar days and are committed to helping you exercise your rights.