GDPR Compliance Statement
Last Updated: January 2025 | Effective Date: [INSERT_DATE]
1. Introduction
TraxinteL, Inc. ("Company") is committed to full compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and all associated data protection laws in the European Union, United Kingdom, European Economic Area, and other jurisdictions that adopt GDPR principles.
This statement supplements our Privacy Policy and Terms of Service and provides specific information for users in GDPR-regulated jurisdictions. In the event of conflict between this statement and our Privacy Policy, this GDPR statement shall take precedence for GDPR-protected users.
2. Legal Status & Data Controller Information
2.1 Organization Details
Name: TraxinteL, Inc.
Type: For-profit corporation
Jurisdiction: New York, United States
Legal Address: [INSERT_LEGAL_ADDRESS]
Telephone: [INSERT_PHONE]
Email: [email protected]
2.2 Data Controller Role (GDPR Article 4(7))
TraxinteL, Inc. is the "Data Controller" as defined in GDPR Article 4(7). This means we determine the purposes and means of processing personal data and are responsible for compliance with GDPR obligations.
2.3 Data Protection Officer (GDPR Article 37)
We have appointed a Data Protection Officer (DPO) responsible for monitoring our GDPR compliance and serving as your point of contact for data protection matters.
Contact Information:
Name: [INSERT_DPO_NAME]
Email: [INSERT_DPO_EMAIL]
Address: [INSERT_DPO_ADDRESS]
Telephone: [INSERT_DPO_PHONE]
You may contact the DPO with any GDPR concerns, data requests, or complaints without fear of retaliation.
2.4 Representatives in the EU/UK
TraxinteL, Inc. has appointed representatives in the European Union and United Kingdom in accordance with GDPR Articles 27 and 63.
EU Representative: [INSERT_EU_REP_NAME & ADDRESS]
UK Representative: [INSERT_UK_REP_NAME & ADDRESS]
3. Personal Data Processing Categories
3.1 Account & Identity Data
- Full name, email address, password (hashed)
- Phone number, mailing address (optional)
- Date of birth (if provided)
- Account creation date and profile information
3.2 Search & Investigation Data
- Target's photograph and biometric data (if uploaded)
- Target's name, username, email, phone number
- Target's social media handles and URLs
- Notes, clues, and contextual information about the Target
- Supporting documents, screenshots, or evidence
- Investigation results, findings, and match scores
3.3 Technical & Device Data
- Internet Protocol (IP) address
- Device identifier (User-Agent, browser fingerprinting)
- Operating system and browser type
- Session identifiers and cookies
- Geolocation derived from IP address
3.4 Activity & Usage Data
- Login timestamps and access frequency
- Pages visited, searches performed, time on page
- Clicks, navigation patterns, features used
- Reports generated and export activities
- Support inquiries and communication history
3.5 Payment & Billing Data
- Billing name and address
- Payment method type (card, bank account)
- Tokenized payment reference (Stripe handles actual card data)
- Invoice and transaction history
- Refund and dispute records
3.6 Special Categories of Data (GDPR Article 9)
We generally do NOT process special category data (race, ethnicity, political views, religion, union membership, genetic data, biometric data, health, or sex life). However:
- If you voluntarily upload photographs containing biometric data (facial features), this falls under GDPR Article 9 and is processed only with your explicit consent for security and investigation purposes.
- We do not process health or genetic data unless explicitly provided by you for investigation purposes.
You can withdraw consent for special category data processing at any time, which will limit certain Service features.
4. Lawful Basis for Processing (GDPR Article 6)
We process personal data only under one or more of the following lawful bases:
4.1 Contractual Necessity (Article 6(1)(b))
Processing is necessary to perform our contract with you (providing the Service, generating reports, managing your subscription).
Examples: Account creation, processing searches, delivering reports, billing and payment processing.
4.2 Consent (Article 6(1)(a))
Where consent is the lawful basis, you have explicitly agreed to processing. You can withdraw consent at any time without penalty.
Examples: Uploading Target photos and personal information, subscribing to monitoring, opting into marketing communications.
4.3 Legitimate Interests (Article 6(1)(f))
We process data where we have a legitimate interest and your rights do not override that interest. We conduct balancing tests to ensure proportionality.
Legitimate Interests:
- Detecting and preventing fraud, unauthorized access, and abuse
- Protecting the security and integrity of our systems
- Improving the Service through analytics and testing
- Enforcing our Terms of Service and legal rights
- Complying with tax, accounting, and regulatory obligations
4.4 Legal Obligation (Article 6(1)(c))
We process data where required by law, including tax obligations, anti-money laundering regulations, and law enforcement requests.
4.5 Special Category Data (Article 9)
Processing of special categories (e.g., biometric data in photos) relies on:
- Explicit Consent (Article 9(2)(a)): You have given clear, informed consent
- Legitimate Activities (Article 9(2)(f)): Processing is necessary to establish, exercise, or defend legal claims
5. Automated Decision-Making & Profiling (GDPR Article 22)
5.1 Types of Automated Processing
FindThemOnline uses automated decision-making systems that may produce legal or similarly significant effects. These include:
- Confidence Scoring: Machine learning algorithm assigns confidence percentages to potential Target matches based on data similarity.
- Fraud Detection: Automated system flags suspicious account behavior, payment patterns, or search queries as potential fraud or abuse.
- Result Ranking: ML-based algorithm prioritizes findings by relevance and confidence scores.
- Account Risk Assessment: Automated detection of account takeover attempts, credential stuffing, or unauthorized access.
5.2 Your Rights in Automated Decision-Making (Article 22(3))
You have the right to NOT be subject to a decision based solely on automated processing that produces a legal or similarly significant effect, except where:
- The decision is necessary for entering into or performing a contract with you, OR
- The decision is authorized by law, OR
- You have given explicit consent
5.3 Your Protections
You have the right to:
- Request explanation of the logic, significance, and consequences of automated processing
- Request human review of automated decisions affecting you
- Express your point of view and obtain reconsideration of decisions
- Opt-out of automated profiling where legally permitted
To request human review or explanation of automated decisions, contact: [email protected]
6. Data Retention & Deletion (GDPR Article 5(1)(e))
6.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. We apply the principle of "data minimization" and regularly review stored data for deletion eligibility.
6.2 Specific Retention Periods
- Account Data: Retained while your account is active. Upon account deletion, retained for 90 days (to fulfill GDPR request obligations), then permanently deleted.
- Deep Search Data: Search information, Target details, and investigation reports retained for 6 months from the date of search completion, then permanently deleted unless you request extension.
- Continuous Monitoring Data: Target data and scanning records retained while your subscription is active, plus 30 days after cancellation, then permanently deleted.
- Payment Records: Retained by Stripe for a minimum of 7 years per PCI-DSS and tax regulations. We retain billing invoices for 5 years for tax compliance.
- Security & Access Logs: Retained for 90 days, then automatically deleted.
- Backups & Disaster Recovery: Encrypted backups retained for up to 30 days, then securely destroyed.
- Legal Hold: If you are subject to legal action or data protection investigation, relevant data is retained as required by law.
6.3 Deletion Methods
When data is deleted, we ensure:
- Cryptographic erasure or secure overwriting with industry-standard methods
- Complete removal from active databases and backups
- Verification of deletion through independent audit
7. International Data Transfers (GDPR Articles 44-49)
7.1 Transfer Mechanism
FindThemOnline is based in the United States (New York). Your personal data will be transferred to, stored in, and processed in the United States, which the EU Commission has determined does NOT provide an adequate level of data protection equivalent to the GDPR.
7.2 Safeguards for International Transfers
We ensure appropriate safeguards for international transfers in compliance with GDPR Articles 44-49:
- Standard Contractual Clauses (SCCs): All data transfers between FindThemOnline and its subprocessors are governed by GDPR-approved SCCs. A copy is available upon request.
- Encryption & Data Minimization: All data is encrypted before transfer and during storage. We limit data transfer to what is strictly necessary.
- Supplementary Technical Measures: We employ additional safeguards such as encrypted data transport, strict access controls, and audit logging.
- Vendor Assessment: We perform due diligence on all subprocessors to ensure compliance with US data protection laws and SCCs.
7.3 Your Rights Regarding Transfers
You have the right to:
- Receive copies of SCCs and supplementary measures
- Request information about transfer mechanisms and safeguards
- Lodge a complaint with your Data Protection Authority if you believe transfers are unlawful
Contact [email protected] for copies of SCCs or transfer documentation.
8. Subprocessors & Data Processing Agreements (GDPR Article 28)
8.1 Subprocessor List
FindThemOnline has engaged the following subprocessors to process your personal data on our behalf. All subprocessors are subject to Data Processing Agreements (DPAs) that incorporate GDPR Article 28 requirements:
8.2 Cloud Infrastructure
Vendor: Amazon Web Services, Inc. (AWS)
Processing Location: United States (us-east-1 region)
Purpose: Cloud hosting, database storage, encrypted data processing, backups
DPA Status: AWS Data Processing Addendum signed
Certifications: ISO 27001, SOC 2 Type II
8.3 Payment Processing
Vendor: Stripe, Inc.
Processing Locations: United States, Europe (as per Stripe's data centers)
Purpose: Payment authorization, billing, fraud detection, PCI-DSS compliance
DPA Status: Stripe Data Processing Addendum (Controller Addendum) signed
Certifications: PCI-DSS Level 1, ISO 27001, SOC 2 Type II
8.4 Email Delivery
Vendor: Resend, Inc.
Processing Locations: United States
Purpose: Transactional email delivery (password resets, confirmations, notifications)
DPA Status: Data Processing Agreement signed
Data Retention: Not retained beyond delivery (24-48 hours)
8.5 Analytics
Vendor: Vercel Analytics
Processing Location: United States
Purpose: Aggregated, anonymized website analytics (no user identification)
DPA Status: Privacy terms compliant with GDPR
Privacy Features: No cookies, no user tracking, no third-party data sharing
8.6 Subprocessor Changes
We may add or replace subprocessors with 30 days' notice. You have the right to object to new subprocessors if you believe they present an unacceptable risk. In such cases, you may terminate your account without penalty.
We will publish updates to our Subprocessor List on this page. Subscribe to updates via [email protected].
9. Data Subject Rights (GDPR Articles 12-22)
9.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your data, and if so, to receive:
- A copy of your personal data
- Information about the purposes of processing
- Categories of recipients of the data
- Our retention period or criteria for determining retention
- Your rights and remedies
- Source of the data if not collected directly
- Logic and significance of automated decision-making
You can download your data in a structured, machine-readable format (JSON, CSV) via your account dashboard or by submitting a Subject Access Request (SAR).
9.2 Right to Correction (Article 16)
You have the right to correct inaccurate, incomplete, or misleading data. Most data can be updated directly in your account. For data requiring correction that you cannot access, submit a request to [email protected].
9.3 Right to Erasure (Article 17) - "Right to be Forgotten"
You have the right to request erasure of your personal data without undue delay in the following circumstances:
- Data is no longer necessary for the original purpose
- You withdraw consent and there is no other lawful basis
- You object to processing and there is no compelling legitimate interest
- Data has been processed unlawfully
- Erasure is required by law
Exceptions: We may retain data if required by law, for legal claims, for public interest purposes, or for archival/statistical purposes.
9.4 Right to Restrict Processing (Article 18)
You have the right to restrict processing of your data while you:
- Contest the accuracy of the data (until accuracy is verified)
- Object to processing on legitimate interest grounds
- Await determination of our interest versus your rights
Upon restriction, we will only store (not actively process) the data unless you consent or we have a legal obligation.
9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON, XML) and to transmit it to another organization. You can request a data portability export via:
Your account dashboard → Settings → Data Export → Download my data
Or email: [email protected] with subject "Data Portability Request"
9.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing. You can:
- Opt-out of marketing communications via email footer link
- Object to analytics/cookies via privacy settings
- Submit objection to processing via [email protected]
We will cease processing for the stated purpose unless we demonstrate compelling legitimate interests or legal obligations.
9.7 Rights Related to Automated Decision-Making (Article 22)
You have the right to request human review of automated decisions that produce legal or similarly significant effects. You can request explanation, challenge, or reversal of automated decisions by contacting: [email protected]
9.8 Withdrawal of Consent (Article 7)
Where we rely on your consent for processing, you may withdraw consent at any time without penalty or impact on the lawfulness of past processing. Withdrawal may affect your ability to use certain features.
9.9 How to Exercise Your Rights
To exercise any GDPR right, submit a request to:
TraxinteL, Inc.
Privacy & Data Protection Team
Email: [email protected]
Subject: "GDPR Rights Request: [Type of Right]"
Include:
- Your full name and email address
- Account email if different
- Specific right you are exercising
- Detailed description of the request
- Your signature or electronic confirmation
- Proof of identity (copy of government-issued ID if requested)
9.10 Response Timeline & Procedures
We will:
- Acknowledge receipt of your request within 24 hours
- Respond fully within 30 days (extendable to 90 days for complex requests)
- Provide free responses; excessive/repetitive requests may incur reasonable fees
- Verify your identity before disclosing sensitive data
- Inform you of any reasons for delay or refusal
10. Data Protection Impact Assessment (GDPR Article 35)
We have conducted Data Protection Impact Assessments (DPIA) for our high-risk processing activities, including:
- Facial recognition and biometric matching (Target photos)
- Automated fraud detection and account risk scoring
- Large-scale profiling and investigation reports
- International data transfers to the United States
Our DPIAs conclude that with appropriate safeguards (encryption, access controls, data minimization), processing risks are acceptable and mitigated. Copies are available upon request to Data Protection Authorities.
11. Data Breach Notification (GDPR Article 33)
11.1 Notification Procedure
In the event of a personal data breach (unauthorized access, disclosure, or loss), we will:
- Within 24 hours: Assess the scope and severity of the breach
- Within 72 hours: Notify the relevant Data Protection Authority (unless the breach poses low risk)
- Within 72 hours: Notify affected users with breach details and recommended actions
- Within 5 days: Complete breach investigation and provide incident report
11.2 Breach Notification Contents
We will inform you of:
- Nature and scope of the breach
- Categories and approximate number of affected individuals
- Categories and approximate number of data records affected
- Likely consequences of the breach
- Measures we have taken to address the breach
- Recommended actions you should take
- Contact information for further inquiries
11.3 Breach Prevention
We maintain strict security controls to prevent breaches:
- AES-256 encryption at rest and TLS 1.3+ in transit
- Intrusion detection and incident response systems
- Regular penetration testing and vulnerability assessments
- Employee security training and background checks
- Secure backup and disaster recovery procedures
12. Data Protection Authority Complaints (GDPR Articles 77-78)
12.1 Right to Lodge a Complaint
If you believe our processing violates your GDPR rights, you have the right to lodge a complaint with your Data Protection Authority (DPA) without first contacting us. However, we encourage you to contact us first so that we can attempt to resolve the matter.
12.2 EU & UK Data Protection Authorities
European Union: Each EU member state has a Data Protection Authority. Find yours at: https://edpb.ec.europa.eu/about-edpb/board/members_en
United Kingdom: Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Phone: +44 (0)303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK
EEA Countries: Contact your respective national DPA.
12.3 Legal Remedies
You also have the right to seek judicial remedy through national courts (GDPR Article 79).
13. Privacy by Design & Default (GDPR Article 25)
We incorporate privacy principles into our product design and operations:
- Data Minimization: We collect only data necessary for Service delivery
- Purpose Limitation: Data is used only for stated purposes
- Pseudonymization: Search data is isolated from account identifiers where possible
- Transparency: Clear, accessible privacy information and user controls
- User Consent: Granular consent for optional processing (analytics, marketing)
- Default Privacy: Most privacy-protective settings are defaults
14. Contact & Escalation
For any GDPR-related questions, concerns, or to exercise your rights:
TraxinteL, Inc.
Privacy & Data Protection Team
Email: [email protected]
Data Protection Officer: [INSERT_DPO_NAME & EMAIL]
[INSERT_PHYSICAL_ADDRESS]
[INSERT_PHONE_NUMBER]
We will respond to all inquiries within 24-48 hours.
15. Updates & Amendments
We may update this GDPR Compliance Statement to reflect legal changes, new processing activities, or improvements. Material updates will be posted with 30 days' notice. Your continued use indicates acceptance.