Last updated: 01 January 2025
This page explains how Ownlate meets its obligations under the EU General Data Protection Regulation (Regulation 2016/679).
1. Data Controller
Ownlate is operated by Individual Entrepreneur [Full Name], registered in Serbia. For EU/EEA users, the operator acts as the data controller — the entity that determines the purposes and means of processing your personal data.
Contact: privacy@globalart.dev
2. Legal Bases (Art. 6 GDPR)
We only process personal data when we have a lawful basis to do so:
| Processing activity | Legal basis |
|---|---|
| Creating and maintaining your account | Performance of a contract (Art. 6(1)(b)) |
| Delivering the Ownlate service | Performance of a contract (Art. 6(1)(b)) |
| Sending service notifications | Legitimate interests (Art. 6(1)(f)) |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Tax and accounting records | Legal obligation (Art. 6(1)(c)) |
3. Data Minimisation
We collect only the data necessary for the stated purpose. We do not collect special categories of personal data (Art. 9 GDPR) such as health data, racial or ethnic origin, political opinions, or biometric data.
4. Data Retention
Personal data is kept only as long as necessary:
| Data | Retention |
|---|---|
| Account data | Until deletion + 30 days |
| Billing records | 5 years (legal obligation) |
| Support correspondence | 3 years |
| Server logs | 90 days |
5. International Transfers (Chapter V GDPR)
Ownlate is hosted on infrastructure outside the EEA. Transfers are protected by:
- Standard Contractual Clauses (SCCs) — European Commission-approved clauses included in our data processing agreements with sub-processors.
- Adequacy decisions — where the destination country has been recognised by the European Commission as providing adequate protection.
A list of sub-processors and their locations is available on request at privacy@globalart.dev.
6. Sub-processors
We use a limited number of third-party sub-processors, each bound by a Data Processing Agreement (DPA):
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, storage | EU / adequacy country |
| Transactional email provider | Notifications | EU / SCC-protected |
| Payment processor | Billing | EU / SCC-protected |
| Analytics provider | Aggregate usage statistics | Anonymised data only |
7. Your Rights (Arts. 15–22 GDPR)
As an EU/EEA resident you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") |
| Restriction (Art. 18) | Ask us to pause processing in certain circumstances |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing |
To exercise any right, email privacy@globalart.dev with subject line "GDPR Request". We will respond within 30 days. Complex requests may be extended by a further 60 days with notice (Art. 12(3)).
8. Data Breach Notification (Art. 33–34 GDPR)
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the competent supervisory authority within 72 hours of becoming aware.
- If the breach is likely to result in a high risk, we will notify affected individuals without undue delay.
9. Data Protection by Design and Default (Art. 25 GDPR)
We implement privacy by design across the service:
- Minimum data collection at every step.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls — staff access only what their role requires.
- Regular security assessments and internal reviews.
10. EU Representative (Art. 27 GDPR)
If you are located in the EU/EEA and wish to exercise your rights or raise a concern, you may contact our EU Representative:
[EU Representative name] [EU Representative address] [EU Representative email]
(Required if Ownlate processes EU residents' data on a non-occasional basis. Appoint a representative or remove this section if not applicable.)
11. Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with your local supervisory authority. You can find your national DPA at: edpb.europa.eu/about-edpb/about-edpb/members_en
12. Contact
Data controller contact for GDPR matters: 📧 privacy@globalart.dev
Subject: "GDPR Request"