GDPR: General Data Protection Regulation

Company: RapidFoundry Ltd
Registered Address: Isiodou Gardens Central 13, Unit 401, 3031 Limassol, Cyprus

This page explains how RapidFoundry Ltd ("RapidFoundry", "Company", "we", "us", or "our") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") across all software, platforms, applications, websites, and services operated or provided by us (collectively, "Services"). It supplements, and should be read together with, our Privacy Policy and Terms of Service. In the event of any conflict regarding the processing of personal data, our Privacy Policy and any applicable Data Processing Agreement prevail.


1. Our Commitment to the GDPR

RapidFoundry is committed to protecting personal data and processing it lawfully, fairly, and transparently. We apply the GDPR's core principles to all of our Services: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. We design our Services to uphold these principles regardless of which product you use.


2. Scope

This GDPR statement applies to all personal data we process about visitors, registered users, customers, and prospective customers of our Services, as well as to personal data that business customers process through our Services. It applies wherever the GDPR is applicable, including where we offer Services to individuals in the European Union/European Economic Area (EEA) or monitor their behaviour within the EEA.


3. Controller and Processor Roles

3.1 Where We Are the Controller

For personal data we collect to operate our business and provide the Services directly to you — such as account, billing, usage, and support data — RapidFoundry acts as the data controller and determines the purposes and means of processing. This processing is described in our Privacy Policy.

3.2 Where We Are the Processor

Where you use our Services as a business customer and upload or process personal data relating to your own end users, you act as the data controller and RapidFoundry acts as your data processor. In that role, we process such personal data only on your documented instructions and in accordance with a Data Processing Agreement (see Section 7).


4. Legal Bases for Processing

We process personal data only where we have a lawful basis under Article 6 of the GDPR:

  • Performance of a contract — to provide the Services, manage your account, and process payments;
  • Legitimate interests — to secure, maintain, and improve our Services, prevent fraud and abuse, and communicate with existing customers, balanced against your rights and freedoms;
  • Consent — for non-essential cookies and certain marketing, which you may withdraw at any time;
  • Legal obligation — to comply with tax, accounting, and other regulatory requirements.

Where we process special categories of personal data (Article 9), we do so only with your explicit consent or where another lawful condition applies.


5. Your Rights as a Data Subject

Subject to the conditions and exceptions in the GDPR, you have the right to:

  • Be informed about how your personal data is processed (Articles 13–14);
  • Access your personal data and obtain a copy (Article 15);
  • Rectification of inaccurate or incomplete data (Article 16);
  • Erasure ("right to be forgotten") in certain circumstances (Article 17);
  • Restriction of processing in certain circumstances (Article 18);
  • Data portability — to receive your data in a structured, commonly used, machine-readable format (Article 20);
  • Object to processing based on legitimate interests and to direct marketing (Article 21);
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Article 7);
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22);
  • Lodge a complaint with a supervisory authority (Article 77; see Section 16).

6. How to Exercise Your Rights

You can exercise any of your rights by contacting us through our contact form. We may need to verify your identity before fulfilling a request. We will respond within one (1) month of receipt, as required by Article 12(3); this period may be extended by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it. Requests are handled free of charge unless they are manifestly unfounded or excessive.

If you use our Services as the end user of a business customer (i.e. where that customer is the controller), please direct your request to that customer; we will assist them in responding as their processor.


7. Data Processing Agreement (DPA)

For business customers who use our Services to process personal data of their own end users, we make available a Data Processing Agreement that meets the requirements of Article 28 of the GDPR. The DPA governs the subject matter, duration, nature, and purpose of processing, the types of personal data and categories of data subjects, and our obligations as processor, including confidentiality, security, sub-processing, assistance, and deletion or return of data. Business and enterprise customers may request our DPA via our contact form.


8. Sub-processors

We engage carefully selected third-party service providers ("sub-processors") to help deliver our Services — for example, cloud hosting and infrastructure, payment processing, email delivery, and error monitoring. Each sub-processor is bound by a written agreement requiring it to provide an adequate level of data protection and to process personal data only as necessary to perform its services. Where we act as processor for a business customer, we will inform affected customers of intended changes to sub-processors so that they may object where they have a legitimate basis to do so. A current list of sub-processors is available to business customers on request.


9. International Data Transfers

We primarily store and process personal data within the EU/EEA. Where personal data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, we put in place appropriate safeguards as required by Chapter V of the GDPR — most commonly the European Commission's Standard Contractual Clauses, supplemented by additional technical and organizational measures where necessary — to ensure your data remains protected.


10. Data Protection by Design and by Default

In line with Article 25, we take data protection into account when designing and operating our Services. We apply data minimization, restrict access on a need-to-know basis, and configure default settings to be privacy-protective. We periodically review our processing activities and, where a type of processing is likely to result in a high risk to individuals, we carry out a Data Protection Impact Assessment (Article 35).


11. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32. These include encryption of data in transit, access controls and authentication, segregation of environments, logging and monitoring, and regular review of our security practices. No system can be guaranteed to be completely secure, but we work continuously to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access.


12. Personal Data Breach Notification

We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33. Where the breach is likely to result in a high risk to individuals, we will also inform affected data subjects without undue delay (Article 34). Where we act as a processor, we will notify the relevant controller without undue delay after becoming aware of a breach.


13. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with legal obligations (such as tax and accounting requirements), resolve disputes, and enforce our agreements. When personal data is no longer required, we delete or anonymize it. Further detail is provided in our Privacy Policy.


14. Records of Processing

In accordance with Article 30, we maintain records of our processing activities, describing the purposes of processing, the categories of data and data subjects, recipients, international transfers, retention periods, and the security measures in place.


15. Data Protection Contact

Questions about our GDPR compliance, requests to exercise your rights, or requests for our Data Processing Agreement can be sent through our contact form. Please indicate the nature of your request so we can route it appropriately. For urgent matters relating to a suspected data breach, please indicate the urgency in your subject line.


16. Supervisory Authority

RapidFoundry Ltd is established in Cyprus, and our lead supervisory authority is the Office of the Commissioner for Personal Data Protection (Cyprus), www.dataprotection.gov.cy. If you are located in another EU/EEA country, you also have the right to lodge a complaint with your local supervisory authority. We would appreciate the chance to address your concerns directly before you do so.


17. Changes to This GDPR Statement

We may update this GDPR statement from time to time to reflect changes in our practices or legal requirements. We will post the updated version on our website and update the "Last Updated" date. Material changes will be communicated where practicable, and your continued use of the Services after the effective date constitutes acknowledgment of the updated statement.

This GDPR statement was last updated on May 25, 2026. By continuing to use any RapidFoundry service after this date, you acknowledge that you have read, understood, and agree to be bound by this GDPR statement.