This GDPR Compliance Policy and Data Processing Addendum ("DPA") applies to the processing of personal data of individuals located in the European Union (EU) and European Economic Area (EEA) by Cartanalytics, operating under the Cartlytics brand ("Cartlytics," "we," "our," or "us"), in connection with our data products, APIs, and related services.
This policy applies when Cartlytics acts as a Data Controller (determining the purposes and means of processing personal data of our own business contacts and website visitors) and when Cartlytics acts as a Data Processor (processing personal data on behalf of a client who is the Data Controller).
This policy supplements our Privacy Policy and is governed by Regulation (EU) 2016/679 ("GDPR").
When processing personal data for its own purposes, Cartlytics acts as the Data Controller:
Cartanalytics (Cartlytics)
Email: legal@cartlytics.ai
When Cartlytics processes personal data solely pursuant to and on behalf of a client's documented instructions, Cartlytics acts as Data Processor and the client is the Data Controller. A written Data Processing Agreement shall be executed between the parties in accordance with GDPR Article 28.
| Legal Basis | Article 6 Provision | Examples of Application |
|---|---|---|
| Consent | Art. 6(1)(a) | Marketing emails; non-essential cookies; analytics features requiring opt-in |
| Contractual Necessity | Art. 6(1)(b) | Account management; service provisioning; billing and payment processing |
| Legal Obligation | Art. 6(1)(c) | Tax recordkeeping; responding to law enforcement requests |
| Legitimate Interests | Art. 6(1)(f) | Security monitoring; fraud prevention; product analytics; B2B prospecting |
Cartlytics conducts documented Legitimate Interest Assessments (LIAs) for processing activities based on Article 6(1)(f). Cartlytics does not intentionally process special categories of personal data under Article 9 and implements safeguards to prevent inadvertent collection.
EU/EEA data subjects may exercise the following rights by submitting a written request to legal@cartlytics.ai.
Data subjects have the right to obtain confirmation of whether Cartlytics processes their personal data and, if so, to receive a copy along with information about processing purposes, categories, recipients, and retention periods.
Data subjects have the right to request correction of inaccurate or incomplete personal data without undue delay.
Data subjects may request erasure of their personal data where the data is no longer necessary for the purposes for which it was collected, consent is withdrawn, or data has been unlawfully processed, subject to applicable legal retention obligations and exemptions under GDPR Article 17(3).
Data subjects may request that Cartlytics restrict processing of their personal data in specified circumstances, including where accuracy is contested or processing is unlawful.
Where processing is based on consent or contractual necessity and carried out by automated means, data subjects have the right to receive their personal data in a structured, machine-readable format (e.g., JSON or CSV).
Data subjects have the right to object to processing based on legitimate interests. Data subjects have an absolute right to object to processing for direct marketing purposes.
Cartlytics' data products operate as tools that provide data and insights to human decision-makers. Cartlytics does not make final legal or similarly significant decisions about data subjects solely through automated means.
Submit a written request to legal@cartlytics.ai with your full name, sufficient information to verify your identity, and the specific right(s) you wish to exercise. Cartlytics will acknowledge receipt within five (5) business days and respond fully within thirty (30) calendar days, with an extension of up to sixty (60) additional days for complex requests.
Data subjects who are not satisfied with Cartlytics' response have the right to lodge a complaint with the competent Data Protection Authority in their member state of habitual residence or place of work.
Where Cartlytics transfers personal data of EU/EEA data subjects to recipients outside the EEA, Cartlytics relies on Standard Contractual Clauses (SCCs) adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914), selecting the module appropriate to the transfer relationship. Cartlytics conducts Transfer Impact Assessments (TIAs) prior to relying on SCCs for transfers to third countries.
For transfers involving UK data subjects, Cartlytics implements the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office (ICO), as appropriate.
When acting as Data Processor, Cartlytics enters into written Data Processing Agreements with clients covering the subject matter, duration, nature, and purpose of processing. Cartlytics engages sub-processors under data protection obligations no less protective than those in the main DPA, in accordance with GDPR Article 28(4). Cartlytics maintains a current list of sub-processors and provides advance notice to clients of material sub-processor changes.
In the event Cartlytics becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Cartlytics will notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, Cartlytics will notify affected data subjects without undue delay in clear and plain language.
When acting as Data Processor, Cartlytics will notify the Data Controller without undue delay upon becoming aware of a personal data breach, targeting notification within twenty-four (24) to forty-eight (48) hours.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and contact information | Duration of relationship + 7 years | Legal obligation |
| Behavioral and enrichment data | Per client agreement; default 24 months | Contractual / legitimate interest |
| API request logs | 90 days | Security / legitimate interest |
| Marketing consent records | Until consent withdrawn + 3 years | Legal obligation / legitimate interest |
| Contract and correspondence records | 7 years post-termination | Legal obligation |
| Data subject request records | 5 years from resolution | Accountability (Art. 5(2)) |
Cartanalytics (Cartlytics)
Email: legal@cartlytics.ai — Subject: "GDPR Request" or "Data Subject Rights"
Data subjects who are not satisfied with Cartlytics' handling of their personal data may lodge a complaint with the Data Protection Authority in their EU/EEA member state of habitual residence. A directory of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.