GDPR Compliance Statement

Last Updated: December 29, 2025

1. Overview

PosterGen, operated by TekSpert LTD, is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This statement outlines how we comply with GDPR requirements and your rights as a data subject.

2. Data Controller Information

Data Controller: TekSpert LTD

Address: 110 Pall Mall, Chorley, PR7 2LB, United Kingdom

Email: privacy@postergen.co.uk

Phone: 01257 781 033

Data Protection Officer: Available upon request

3. Legal Basis for Processing

We process personal data under the following legal bases:

3.1 Consent (Article 6(1)(a))

  • Email marketing communications (where you have opted in)
  • Optional cookies and tracking technologies
  • Beta testing and feature feedback programs

3.2 Contract Performance (Article 6(1)(b))

  • Account creation and user authentication
  • Poster creation and storage services
  • Payment processing and billing
  • Customer support and service delivery

3.3 Legal Obligation (Article 6(1)(c))

  • VAT records and financial reporting
  • Anti-fraud and identity verification
  • Compliance with data retention laws

3.4 Legitimate Interest (Article 6(1)(f))

  • Security monitoring and fraud prevention
  • Service improvement and analytics
  • Technical support and troubleshooting
  • Business communications

4. Personal Data We Process

4.1 Account Information

  • Data: Name, email address, password hash
  • Purpose: Account creation and authentication
  • Retention: Until account deletion or 7 years after last login
  • Legal Basis: Contract performance

4.2 Payment Information

  • Data: Billing address, payment history, VAT information
  • Purpose: Payment processing and tax compliance
  • Retention: 7 years for tax purposes
  • Legal Basis: Contract performance, legal obligation

4.3 User-Generated Content

  • Data: Posters, uploaded images, TikTok usernames
  • Purpose: Service provision and poster creation
  • Retention: Until deletion by user or account closure
  • Legal Basis: Contract performance

4.4 Technical Data

  • Data: IP address, browser type, device information, session logs
  • Purpose: Security, analytics, and service improvement
  • Retention: 30 days for logs, 2 years for analytics
  • Legal Basis: Legitimate interest

4.5 Communication Data

  • Data: Support ticket content, email correspondence
  • Purpose: Customer support and service improvement
  • Retention: 3 years after resolution
  • Legal Basis: Legitimate interest

5. Your GDPR Rights

5.1 Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, access to that data. This includes:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipients
  • The retention period or criteria used
  • Your other GDPR rights

5.2 Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data. You can update most information through your account settings.

5.3 Right to Erasure - "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • The data has been unlawfully processed
  • Erasure is required for legal compliance

5.4 Right to Restrict Processing (Article 18)

You can request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for legal claims
  • You object to processing pending verification of legitimate grounds

5.5 Right to Data Portability (Article 20)

You can receive your personal data in a structured, machine-readable format and transmit it to another controller when processing is based on consent or contract and carried out by automated means.

5.6 Right to Object (Article 21)

You can object to processing based on legitimate interests, including:

  • Direct marketing (absolute right)
  • Processing for legitimate interests (unless we demonstrate compelling grounds)
  • Processing for scientific, historical, or statistical purposes

5.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated decision-making, including profiling. Currently, PosterGen does not engage in automated decision-making that produces legal or similarly significant effects.

6. How to Exercise Your Rights

6.1 Online Self-Service

  • Account Settings: Update personal information and preferences
  • Data Download: Export your posters and account data
  • Account Deletion: Permanently delete your account and data
  • Communication Preferences: Manage email subscriptions

6.2 Contact Us for Rights Requests

Email: privacy@postergen.co.uk

Subject Line: "GDPR Rights Request"

Response Time: Within 30 days (may extend to 60 days for complex requests)

Verification: We may request identity verification for security

6.3 Required Information for Requests

To process your request efficiently, please include:

  • Full name and email address associated with your account
  • Specific right you wish to exercise
  • Detailed description of your request
  • Preferred format for data provision (if applicable)
  • Identity verification documents (if requested)

7. Data Processing Safeguards

7.1 Data Minimization

We only collect and process personal data that is:

  • Necessary for the specified, explicit, and legitimate purposes
  • Adequate and relevant to those purposes
  • Limited to what is necessary (data minimization principle)

7.2 Purpose Limitation

  • Data is processed only for the purposes initially specified
  • Any new purposes are compatible with original purposes or have separate legal basis
  • We do not use personal data for automated decision-making without explicit consent

7.3 Accuracy and Data Quality

  • Regular data quality checks and validation processes
  • User-controlled data updates through account settings
  • Prompt correction of inaccurate data when identified
  • Deletion of unnecessary or outdated information

7.4 Storage Limitation

  • Data retained only as long as necessary for the purposes
  • Clear retention periods defined for each data category
  • Automatic deletion processes for expired data
  • Regular reviews of data retention needs

8. Security Measures

8.1 Technical Safeguards

  • Encryption of data in transit using TLS 1.3 (transport-layer encryption between your browser and our servers)
  • AES-256 encryption for data at rest
  • Secure password hashing with bcrypt
  • Regular security audits and penetration testing
  • Multi-factor authentication for admin accounts

8.2 Organizational Safeguards

  • Role-based access controls with principle of least privilege
  • Regular staff training on data protection and security
  • Clear data handling procedures and protocols
  • Incident response plan for data breaches
  • Third-party vendor security assessments

8.3 Access Controls

  • Restricted access to personal data on a need-to-know basis
  • Regular access reviews and user privilege audits
  • Secure authentication for all system access
  • Logging and monitoring of data access activities

9. International Data Transfers

9.1 Data Location

Your personal data is primarily processed and stored in:

  • United Kingdom (primary hosting)
  • European Union (backup and redundancy)
  • Third countries with adequate protection (where necessary)

9.2 Transfer Safeguards

When data is transferred outside the UK or the European Economic Area, we ensure adequate protection through:

  • UK adequacy regulations and European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs), used with the UK Addendum or the UK International Data Transfer Agreement (IDTA) for transfers under UK GDPR
  • Binding Corporate Rules (where applicable)
  • Specific derogations under Article 49, used only where no other safeguard applies

9.3 Third-Party Services

We use the following third-party services that may process your data:

  • Stripe (Payment Processing): Adequate protection under the EU-US Data Privacy Framework and its UK Extension (the frameworks that replaced Privacy Shield), or Standard Contractual Clauses where those do not apply
  • Email Service Providers: EU-based or adequacy decision countries
  • Cloud Hosting: UK and EU data centers with GDPR compliance

10. Data Breach Procedures

10.1 Breach Detection and Assessment

  • Continuous monitoring for security incidents
  • Rapid incident detection and response procedures
  • Risk assessment within 24 hours of detection
  • Documentation of all security incidents

10.2 Regulatory Notification

We will notify the relevant supervisory authority:

  • Within 72 hours of becoming aware of a qualifying breach
  • Including nature of breach, data subjects affected, and measures taken
  • Providing follow-up information as it becomes available

10.3 Individual Notification

We will notify affected data subjects without undue delay when a breach:

  • Is likely to result in a high risk to their rights and freedoms, and
  • Has not been rendered low-risk by appropriate technical and organizational measures (for example, where the affected data was encrypted so that it is unintelligible to anyone without the key)

Notification will be in clear, plain language explaining the nature of the breach, its likely consequences, and the measures taken.

11. Children's Data Protection

11.1 Age Restrictions

  • PosterGen is not intended for children under 16 years old
  • We do not knowingly collect data from children under 16
  • Account creation requires age verification
  • Parental consent required for users under 16 in applicable jurisdictions

11.2 Discovery of Child Data

If we discover we have collected data from a child under 16:

  • We will suspend the account pending age verification
  • If the user is confirmed to be under 16, we will delete the data promptly
  • We will notify parents/guardians where legally required

12. Consent Management

12.1 Obtaining Consent

When we rely on consent for processing, we ensure it is:

  • Freely given without coercion
  • Specific to the purpose
  • Informed with clear information
  • Unambiguous through clear action
  • Separate from other terms and conditions

12.2 Withdrawing Consent

  • Withdrawal is as easy as giving consent
  • Clear unsubscribe links in all marketing emails
  • Account settings allow preference management
  • Contact options for withdrawal requests
  • No negative consequences for withdrawal

12.3 Consent Records

  • We maintain records of when and how consent was obtained
  • Documentation of the information provided at time of consent
  • Tracking of consent withdrawals and preference changes
  • Regular review of consent validity and freshness

13. Complaints and Supervisory Authority

13.1 Internal Complaints Process

If you have concerns about our data processing:

  • Contact our Data Protection Officer at privacy@postergen.co.uk
  • We will acknowledge receipt within 48 hours
  • Investigation and response within 30 days
  • Escalation procedures for unresolved issues

13.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

UK Data Protection Authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Online complaint form available on ICO website

13.3 Judicial Remedies

You also have the right to:

  • Seek a judicial remedy against a legally binding decision of a supervisory authority concerning you (Article 78)
  • Seek a judicial remedy against us as controller, or against our processors, where you consider your rights have been infringed (Article 79)
  • Seek compensation for material or non-material damage (Article 82)
  • Request interim measures pending resolution

14. Updates to This Statement

We review and update this GDPR compliance statement regularly to reflect:

  • Changes in our data processing activities
  • Updates to GDPR guidance and regulations
  • Feedback from supervisory authorities
  • Changes to our technical and organizational measures

14.1 Notification of Changes

  • Material changes will be notified via email
  • Updates posted on our website with version history
  • 30-day notice period for significant changes affecting rights

15. Contact Information

15.1 Data Protection Queries

Email: privacy@postergen.co.uk

Phone: 01257 781 033

Address: TekSpert LTD, 110 Pall Mall, Chorley, PR7 2LB, UK

Response Time: 30 days (may extend to 60 days for complex requests)

15.2 General Support

Email: support@postergen.co.uk

Website: postergen.co.uk

For technical support and general inquiries

GDPR Commitment: PosterGen is committed to the highest standards of data protection and privacy. We regularly review our practices to ensure ongoing compliance with GDPR requirements and best practices in data protection.