GDPR Compliance: General Data Protection Regulation

Your Data, Your Rights

Nosmai is committed to protecting your privacy and ensuring full compliance with the General Data Protection Regulation (GDPR). Learn about your rights and how we handle your personal data.

Introduction

Document Version: 1.0
Last Updated: January 15, 2025
Effective Date: January 15, 2025

This document outlines Nosmai's compliance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. It provides detailed information about how we process personal data, the legal basis for processing, and the rights of data subjects.

Categories of Personal Data

Identity Data

Direct Identifiers:

  • Full name
  • Email address
  • Phone number (if provided)
  • Username and display name

Account Information:

  • Customer ID (UUID)
  • Account creation date
  • Account status and verification state
  • Password hash (never stored in plain text)

Technical and Usage Data

System Information:

  • IP addresses and geolocation
  • Browser type and version
  • Operating system information
  • Device type and screen resolution

Usage Analytics:

  • API call logs and patterns
  • Feature usage statistics
  • Session duration and frequency
  • Error logs and performance metrics

Data Subject Rights

Right of Access (Article 15)

Data Subject Access Requests:

  • Complete copy of personal data
  • Information about processing purposes
  • Categories of data and recipients
  • Retention periods and rights

Response Process:

  • Verify identity before providing data
  • Respond within one month (extendable to three)
  • Provide data in commonly used format
  • No charge for first request per year

Right to Rectification (Article 16)

Data Correction:

  • Update incorrect personal information
  • Complete incomplete data records
  • Verify accuracy of corrections
  • Notify third parties of changes

Right to Erasure (Article 17)

Deletion Scenarios:

  • Data no longer necessary for purposes
  • Withdrawal of consent (where consent is basis)
  • Objection to processing (where applicable)
  • Unlawful processing or legal obligation

Right to Data Portability (Article 20)

Portable Data:

  • Account and profile information
  • Usage history and preferences
  • Subscription and billing records
  • Filter licenses and purchases

International Data Transfers

Transfer Mechanisms

Adequacy Decisions:

  • UK (during transition period)
  • Switzerland
  • Other adequacy countries as recognized

Standard Contractual Clauses (SCCs):

  • EU Commission approved clauses
  • Regular review and updates
  • Supplementary measures where needed
  • Documentation and compliance monitoring

Third-Party Processors

Stripe (Payment Processing):

  • Location: Global (with EU processing)
  • Safeguards: Adequacy + SCCs
  • Purpose: Payment and billing
  • Data: Financial and transaction data

Contact Information for GDPR Matters

Data Protection Officer

Data Protection Officer: dpo@nosmai.com
Privacy Team: privacy@nosmai.com
EU Representative: eu-privacy@nosmai.com
General Inquiries: legal@nosmai.com

Submit GDPR Request

For any GDPR-related requests or questions about how we handle your personal data, please contact our Data Protection Officer.
