GDPR Compliance

1. Our Role Under GDPR

BUILD YOUR SALES GROUP PTE. LTD. acts in two capacities under GDPR:

As a Data Controller (Article 4(7)): For your account information, payment details, and usage data that we collect to provide our services. We determine the purposes and means of processing this data.

As a Data Processor (Article 4(8)): When you use our enrichment services, we process B2B contact data on your behalf. In this capacity, you are the Data Controller and we act as your Data Processor, processing data only according to your instructions.

2. Legal Basis for Processing (Article 6)

We process personal data under the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services to you and fulfill our contractual obligations
• Legitimate Interests (Art. 6(1)(f)): For fraud prevention, security, service improvement, and direct marketing to existing customers (with opt-out available)
• Legal Obligation (Art. 6(1)(c)): When required by law to retain or disclose data (e.g., tax records, court orders)
• Consent (Art. 6(1)(a)): For marketing communications to non-customers (withdrawable at any time)

3. Data Processing Agreements (Article 28)

We maintain Data Processing Agreements (DPAs) compliant with Article 28 GDPR with:

• All our data providers and sub-processors
• Enterprise customers who require formal DPAs
• Cloud infrastructure providers (Supabase, Vercel)
• Payment processors (Stripe)

Our DPAs include Standard Contractual Clauses (SCCs) for international data transfers. To request a DPA, contact legal@buildyourdata.com.

4. GDPR Principles Compliance

We adhere to all GDPR principles (Article 5):

• Lawfulness, Fairness, Transparency: Clear legal basis for all processing; transparent privacy notices
• Purpose Limitation: Data collected for specified, explicit purposes only
• Data Minimization: We collect only data necessary for our services; B2B enrichment data is processed in real-time and not stored permanently
• Accuracy: We take reasonable steps to ensure data accuracy and provide correction mechanisms
• Storage Limitation: Data retained only as long as necessary (see retention schedule)
• Integrity & Confidentiality: Appropriate security measures implemented
• Accountability: We maintain records of processing activities and can demonstrate compliance

5. Your GDPR Rights (Articles 15-22)

Under GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of your personal data and information about how it is processed
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where applicable
• Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing
• Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@buildyourdata.com. We will respond within 30 days as required by Article 12(3).

6. Technical & Organizational Measures (Article 32)

We implement appropriate technical and organizational measures to ensure security:

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Pseudonymization: Where applicable, data is pseudonymized to reduce risk
• Access Controls: Role-based access with multi-factor authentication; principle of least privilege
• Infrastructure: Hosted on SOC2-compliant providers with servers in the European Union (Supabase Frankfurt)
• Regular Testing: Security assessments, vulnerability scanning, and penetration testing
• Staff Training: All staff trained on data protection and security practices
• Incident Response: Documented procedures for data breach notification within 72 hours (Article 33)

7. International Data Transfers (Chapter V)

While BUILD YOUR SALES GROUP PTE. LTD. is based in Singapore, we ensure GDPR compliance for EU data:

• EU Infrastructure: Primary database hosted in the EU (Supabase, Frankfurt region)
• Standard Contractual Clauses: We use EU Commission-approved SCCs (2021/914) for transfers outside the EU
• Transfer Impact Assessments: We assess data protection laws of recipient countries
• Singapore Adequacy: Singapore maintains high data protection standards recognized internationally
• Supplementary Measures: Additional technical measures (encryption, access controls) where required

8. Sub-Processors (Article 28(2))

We use the following categories of sub-processors, all under appropriate DPAs:

• Cloud Infrastructure: Supabase (EU - Frankfurt), Vercel (US with SCCs)
• Payment Processing: Stripe (US with SCCs, PCI-DSS compliant)
• Analytics: Privacy-focused analytics (no personal data transferred)
• Data Providers: Various B2B data providers (under strict DPAs with SCCs)
• Email Services: Transactional email providers (with DPAs)

A complete list of sub-processors with their locations and purposes is available upon request. We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

9. Data Retention Schedule

We retain data only as long as necessary:

• Account Data: Duration of account plus 30 days after deletion request
• Enrichment Data: Processed in real-time, not stored permanently
• Transaction Records: 7 years (legal/tax requirements)
• Security Logs: 90 days for security and debugging
• Marketing Consent Records: Duration of consent plus 3 years
• DSAR Records: 3 years from request completion

10. Data Breach Notification (Articles 33-34)

In the event of a personal data breach:

• We will notify the relevant supervisory authority within 72 hours of becoming aware (Article 33)
• If the breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay (Article 34)
• We maintain a breach register documenting all incidents
• For customers using us as a processor, we will notify you immediately upon discovering a breach affecting your data

11. Opt-Out for Data Subjects

If your professional information appears in B2B data sources accessed through our Service:

• Visit our Opt-Out page at buildyourdata.com/opt-out
• Email us at optout@buildyourdata.com with your details
• We will process your request within 30 days
• We will propagate your opt-out to our data providers where possible

12. Data Protection Officer & Contact

For GDPR-related inquiries, data subject requests, or complaints:

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your EU member state of residence, place of work, or place of alleged infringement (Article 77).

13. Records of Processing Activities (Article 30)

We maintain comprehensive records of processing activities as required by Article 30, including:

• Categories of data subjects and personal data
• Purposes of processing
• Categories of recipients
• International transfers and safeguards
• Retention periods
• Technical and organizational security measures

These records are available to supervisory authorities upon request.