1. Controller Information
RocketSavvy IT&T Incorporated ("we," "us," or "our") acts as the data controller for personal data processed in connection with our services. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR).
Data Controller: RocketSavvy IT&T Incorporated
Registration: Canadian Corporation
Address: 21 Sprint Street, Toronto, ON M5V 3A8, Canada
EU Representative: P.O. Box 123, Station D, Palaio Faliro Attikis, Greece
Email: gdpr[@]rocketsavvy.com
Data Protection Officer (DPO):
Contact: dpo[@]rocketsavvy.com
Role: Monitoring GDPR compliance and serving as contact point for data subjects and supervisory authorities
2. Legal Basis for Processing
We process personal data based on the following legal grounds under Article 6 of the GDPR:
Article 6(1)(a) - Consent
- Marketing communications
- Non-essential cookies
- Optional data collection for service enhancement
Article 6(1)(b) - Contract Performance
- Service delivery and project management
- Account management and billing
- Customer support and technical assistance
Article 6(1)(c) - Legal Obligation
- Tax and accounting requirements
- Regulatory compliance
- Anti-money laundering obligations
Article 6(1)(f) - Legitimate Interest
- Security monitoring and fraud prevention
- Service improvement and analytics
- Business development and market research
3. Categories of Personal Data
3.1 Identity Data
- First name and last name
- Professional title and company affiliation
- Identification documents (when required)
3.2 Contact Data
- Email addresses
- Telephone numbers
- Postal addresses
- Social media handles
3.3 Financial Data
- Bank account details
- Payment card information
- Transaction history
- Billing addresses
3.4 Technical Data
- IP addresses and location data
- Browser and device information
- Usage data and website analytics
- Cookies and tracking technologies
3.5 Communication Data
- Email correspondence
- VoIP call recordings (with consent)
- Support tickets and chat logs
- Project documentation and requirements
4. Your Rights Under GDPR
Article 15 - Right of Access
You have the right to obtain confirmation that your personal data is being processed and access to that data, along with supplementary information.
Article 16 - Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
Article 17 - Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data under certain circumstances, including when it's no longer necessary for the original purpose.
Article 18 - Right to Restriction of Processing
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
Article 20 - Right to Data Portability
You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.
Article 21 - Right to Object
You have the right to object to processing based on legitimate interests, direct marketing, or processing for research purposes.
Article 7(3) - Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time.
Article 77 - Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
5. Data Transfers Outside the EU
5.1 Transfer Mechanisms
When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission (Canada for commercial organizations)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) where applicable
- Certification schemes recognized under GDPR
- Explicit consent for specific transfers
5.2 Third Country Transfers
Our primary data processing occurs in:
- Canada: Adequate protection under GDPR Article 45
- United States: Protected by Standard Contractual Clauses
- Other jurisdictions: Only with appropriate safeguards
6. Data Retention Periods
6.1 General Retention Policy
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Customer Data: Duration of contract plus 7 years for legal compliance
- Financial Records: 7 years from transaction date
- Marketing Data: Until consent is withdrawn or 3 years of inactivity
- Technical Logs: 12 months unless required for security investigations
- Communication Records: 3 years from last interaction
6.2 Automated Deletion
We have implemented automated systems to ensure data is deleted according to our retention schedule, unless legal holds or ongoing investigations require extended retention.
7. Data Security Measures
7.1 Technical Safeguards
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Multi-factor authentication for all administrative access
- Regular penetration testing and vulnerability assessments
- Network segmentation and access controls
7.2 Organizational Measures
- Regular GDPR training for all staff
- Data protection impact assessments (DPIAs)
- Incident response and breach notification procedures
- Privacy by design and default principles
- Regular audits and compliance reviews
8. Data Breach Notification
8.1 Supervisory Authority Notification
We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to rights and freedoms.
8.2 Data Subject Notification
We will notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
Breach Response Team: security[@]rocketsavvy.com
24/7 Incident Hotline: Available through our EU representative
9. Automated Decision-Making and Profiling
9.1 Automated Systems
We may use automated decision-making for:
- Fraud detection and prevention
- Service optimization and recommendations
- Marketing campaign targeting (with consent)
9.2 Your Rights
You have the right to:
- Not be subject to automated decision-making with legal or significant effects
- Request human intervention in automated decisions
- Express your point of view regarding automated decisions
- Contest automated decisions
10. Exercising Your Rights
10.1 How to Contact Us
To exercise any of your rights under GDPR, please contact us using the following methods:
GDPR Requests: gdpr[@]rocketsavvy.com
Data Protection Officer: dpo[@]rocketsavvy.com
EU Representative: P.O. Box 123, Station D, Palaio Faliro Attikis, Greece
Phone (EU hours): Available upon request
10.2 Response Timeframes
- Standard Requests: Within 1 month of receipt
- Complex Requests: Up to 3 months with notification
- Urgent Security Matters: Within 72 hours
10.3 Identity Verification
We may request additional information to verify your identity before processing requests involving personal data access or modification.
11. Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the relevant supervisory authority:
Lead Supervisory Authority: Hellenic Data Protection Authority (Greece)
Address: Kifisias Av. 1-3, PC 11523, Ampelokipi Athens
Website: www.dpa.gr