General Data Protection Regulation

    GDPR Compliance Statement

    Codextroop Technologies is committed to protecting the privacy and security of personal data in accordance with the EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.

    GDPR Core Principles

    Our data protection practices align with all six GDPR principles to ensure lawful and ethical processing.

    Lawfulness, Fairness & Transparency

    We process personal data only with explicit consent or legitimate business interest, and we clearly communicate how data is used.

    Purpose Limitation

    Data is collected for specific, explicit purposes and not further processed in ways incompatible with those purposes.

    Data Minimization

    We collect only the minimum personal data necessary to fulfill our contractual obligations and service delivery.

    Accuracy

    We maintain accurate and up-to-date records, and provide mechanisms for data subjects to correct inaccuracies.

    Storage Limitation

    Personal data is retained only as long as necessary for the purposes for which it was collected.

    Integrity & Confidentiality

    We implement technical and organizational measures to ensure data security, including encryption and access controls.

    Our GDPR Compliance Framework

    1. Data Collection & Processing

    We collect and process personal data only when necessary to deliver contracted services, including software development, consulting, and support. Data types we may process include:

    • Contact information (name, email, phone number, job title)
    • Company and billing information
    • Project requirements and communications
    • Technical access credentials (encrypted and role-limited)
    • Usage analytics for our services (anonymized where possible)

    2. Legal Basis for Processing

    We process personal data under the following lawful bases:

    • Contractual Necessity: To perform obligations under service agreements
    • Legitimate Interest: For business development, quality assurance, and fraud prevention
    • Consent: For marketing communications (opt-in only, easily revocable)
    • Legal Obligation: To comply with tax, accounting, and regulatory requirements

    3. Data Subject Rights

    We respect and facilitate the following rights for data subjects in the EU and UK:

    Right to Access

    Obtain confirmation of data processing and receive a copy of personal data

    Right to Rectification

    Correct inaccurate or incomplete data

    Right to Erasure

    Request deletion of personal data (subject to legal obligations)

    Right to Restriction

    Limit processing under certain circumstances

    Right to Portability

    Receive data in a structured, commonly used format

    Right to Object

    Object to processing based on legitimate interest or direct marketing

    To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days as required by GDPR.

    4. Data Security Measures

    We implement industry-standard technical and organizational safeguards:

    • End-to-end encryption for data in transit (TLS 1.3)
    • AES-256 encryption for data at rest
    • Multi-factor authentication (MFA) for system access
    • Role-based access controls (RBAC) and principle of least privilege
    • Regular security audits and penetration testing
    • Employee training on data protection and confidentiality
    • Incident response plan with breach notification procedures

    5. Data Transfers

    When transferring personal data outside the EU/UK, we ensure adequate protection through:

    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Adequacy decisions for countries with equivalent data protection
    • Binding Corporate Rules where applicable
    • Explicit consent for specific transfers when required

    6. Data Retention

    We retain personal data only as long as necessary:

    • Active project data: Duration of engagement plus 90 days
    • Financial records: 7 years (statutory requirement)
    • Marketing consents: Until consent is withdrawn
    • Support tickets: 3 years for quality assurance

    Upon expiration of retention periods, data is securely deleted or anonymized.

    7. Third-Party Processors

    We engage carefully vetted third-party service providers (sub-processors) who are contractually bound to GDPR standards. These include:

    • Cloud infrastructure providers (AWS, Azure, GCP) with EU data residency
    • Communication platforms (email, project management tools)
    • Analytics providers (with data processing agreements)

    A full list of sub-processors is available upon request.

    8. Data Breach Procedures

    In the event of a personal data breach, we will:

    • Notify the relevant supervisory authority within 72 hours if the breach poses a risk to rights and freedoms
    • Inform affected data subjects without undue delay if there is a high risk
    • Document all breaches and remediation actions
    • Conduct post-incident reviews to prevent recurrence

    9. Privacy by Design & Default

    We embed data protection principles into all systems we develop for clients. Our development methodology includes privacy impact assessments, data minimization, pseudonymization where appropriate, and user-centric privacy controls.

    10. Contact & Complaints

    For GDPR-related inquiries, to exercise your rights, or to file a complaint:

    Data Protection Officer

    Email: [email protected]
    Address: Codextroop Technologies Pvt. Ltd., Lucknow, India
    Response Time: Within 30 days

    You also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, or your national data protection authority in the EU).

    Last Updated: January 2025
    This GDPR Compliance Statement is reviewed annually and updated as necessary to reflect changes in our practices or regulations.