GDPR — KPIcons

01Roles: controller vs. processor

When you use KPIcons as a customer (e.g., your company provisions a tenant and uploads authorized-user data and Customer Content), your organization is the data controller and KPIcons is the data processor under GDPR Article 28.

When KPIcons markets to you or operates our website, KPIcons is the data controller for that processing.

For processor-role processing, our pre-signed Data Processing Agreement governs. For controller-role processing, our Privacy Policy governs.

02Lawful basis for processing

We process personal data only when we have a lawful basis under GDPR Article 6:

Contract (Article 6(1)(b)) — to deliver the Service you contracted for, provide support, and process billing.
Legitimate interests (Article 6(1)(f)) — product security, abuse prevention, service improvement, limited direct marketing to existing customers. Balancing test documented in our Record of Processing.
Consent (Article 6(1)(a)) — prospect marketing, non-essential cookies, AI model training on opt-in data.
Legal obligation (Article 6(1)(c)) — tax, financial, anti-money-laundering record-keeping.

We do not process special-category (Article 9) data unless a customer explicitly opts in and a specific exception applies.

03International transfers

When personal data of EU/EEA, UK, or Swiss data subjects leaves those jurisdictions, we rely on:

EU Standard Contractual Clauses (SCCs) 2021 — Module 2 (Controller to Processor) or Module 3 (Processor to Sub-processor), as applicable.
UK International Data Transfer Addendum to the SCCs, as issued by the UK ICO.
Swiss Federal Data Protection and Information Commissioner (FDPIC) Addendum, as applicable.
Adequacy decisions where they apply (e.g., UK).
Transfer Impact Assessments (TIAs) for each destination, with supplementary technical measures (encryption, pseudonymization) where warranted.

Customers can pin tenant data to EU-Central (Frankfurt) or EU-West (Dublin) — in which case all customer data at rest remains in the EU. Cross-border access for engineering support is logged and governed by SCCs.

04Data-subject rights

If the GDPR applies to your personal data, you have the following rights. We honor all of them — and we extend equivalent rights to everyone, regardless of location.

i

Right of access (Art. 15)

Know what data we hold about you and why.

ii

Right to rectification (Art. 16)

Correct inaccurate or incomplete personal data.

iii

Right to erasure (Art. 17)

"Right to be forgotten" — deletion subject to legal exceptions.

iv

Right to restrict (Art. 18)

Limit processing while a dispute is resolved.

v

Right to portability (Art. 20)

Receive your data in a machine-readable format (JSON/CSV).

vi

Right to object (Art. 21)

Object to processing based on legitimate interests; opt out of marketing anytime.

vii

Automated decisions (Art. 22)

Request human review of solely-automated decisions. AI nudges are decision-support, not decision-making.

viii

Withdraw consent

Anytime, without affecting prior lawful processing.

Authorized users of a customer tenant should submit rights requests through their organization first (the controller). If that's not possible, we'll honor the request directly.

05Data Protection Officer

We have appointed a Data Protection Officer who serves as the point of contact for data subjects and supervisory authorities in the EU:

Email: dpo@kpicons.com
Post: KPIcons Inc., Data Protection Officer, 15736 Howard Dr., Macomb Twp, MI 48042, USA
EU representative (Article 27): available to customers with EU operations — contact DPO for details.

06Documents & downloads

The following documents are pre-signed and ready to share. Enterprise customers receive them automatically at contract signing.

Data Processing Agreement (DPA)

ART. 28 · EU SCCs + UK IDTA ADDENDUM · ENGLISH

Download

Sub-processor List

CURRENT VENDORS · REGION · PURPOSE · UPDATED MONTHLY

View online

Record of Processing Activities (RoPA)

CONTROLLER-ROLE · ART. 30 · AVAILABLE UNDER NDA

Request

Transfer Impact Assessment Template

PRE-FILLED PER DESTINATION · CUSTOMIZE TO YOUR ASSESSMENT

Request

Data Breach Notification Protocol

72-HOUR CUSTOMER NOTIFICATION · DOCUMENTED INCIDENT RESPONSE

See Security

07How to submit a request

To exercise any data-subject right, complete one of the following:

Authorized users: contact your organization's admin first — they are the controller.
Anyone else: email dpo@kpicons.com with subject "DSR: [Access / Deletion / Rectification / …]". Include your full name, email, relevant organization (if applicable), and a description of the request.

Our SLA. We acknowledge requests within 5 business days and respond in full within 30 calendar days (extendable by 60 additional days for complex requests, with explanation — Article 12(3)).

Right to complain

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority in your country of residence. You may also contact us directly first — we'll do everything we can to resolve it.

KPIcons & the GDPR.

01Roles: controller vs. processor

02Lawful basis for processing

03International transfers

04Data-subject rights

Right of access (Art. 15)

Right to rectification (Art. 16)

Right to erasure (Art. 17)

Right to restrict (Art. 18)

Right to portability (Art. 20)

Right to object (Art. 21)

Automated decisions (Art. 22)

Withdraw consent

05Data Protection Officer

06Documents & downloads

07How to submit a request

Right to complain

GDPR-ready, day one.