GDPR

Effective date: 17 August 2025

1. Scope & controller

cleanbitelist.com (the “Site”) is the data controller for personal data collected via the Site. This Addendum explains how we comply with the EU General Data Protection Regulation (GDPR) when processing personal data of data subjects in the EU/EEA.

2. Lawful bases for processing

We only process personal data where we have a valid lawful basis under GDPR — typically one of the following: (a) your consent (for newsletters, optional profiling/marketing), (b) contract (when you purchase or sign up for paid services), (c) legal obligation (records we must keep), or (d) our legitimate interests (website security, fraud prevention, improving content and analytics) where these interests are not overridden by your rights.

3. Data subject rights

Under GDPR you have the right to:
• be informed about how we use your data;
• access the personal data we hold about you;
• have inaccurate data rectified;
• have your data erased (the ‘right to be forgotten’) where legal grounds allow;
• restrict processing;
• receive your data in a portable format (data portability);
• object to processing (including direct marketing and profiling); and
• withdraw consent at any time (where processing is based on consent).
We will honour and act on verified requests within the timeframes set by GDPR.

4. Exercising your rights

To exercise any of the rights above, contact: privacy@cleanbitelist.com. We require a reasonable verification step for identity and may ask follow-up questions to fulfil the request. We will respond within the timelines required by GDPR and explain any lawful reason for refusing an action (if applicable).

5. Data Protection Officer (DPO)

A DPO must be appointed only where the GDPR criteria are met (e.g., a public authority, large-scale processing of special categories of data, or large-scale regular monitoring of individuals). If cleanbitelist.com is required to appoint a DPO, we will publish the DPO’s contact details here.

6. International data transfers

If personal data is transferred outside the EEA (for example to cloud providers, analytics or email services hosted outside the EEA), we ensure appropriate safeguards such as an EU Commission adequacy decision, Standard Contractual Clauses (SCCs) or another lawful transfer mechanism, and we document those safeguards in our records.

7. Data breaches — notification

If we become aware of a personal data breach that is likely to result in a risk to people’s rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; affected data subjects will also be notified when required. Our breach response plan documents roles, containment, assessment and notification procedures.

8. Records of processing & accountability

We maintain a Record of Processing Activities (RoPA) describing categories of data processed, purposes, recipients, retention periods, legal bases and technical/organisational measures — and we update it regularly to demonstrate GDPR accountability (Article 30). We also perform Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk to individuals (e.g., large-scale profiling).

9. Retention & minimisation

We retain personal data only as long as necessary for the purpose collected, or as required by law. We apply data minimisation principles: collect only what we need and store only what is necessary.

10. Security measures

We apply appropriate technical and organisational measures (encryption where appropriate, access controls, vulnerability management, regular backups and staff training) to protect personal data. Where processors (third-party vendors) process data on our behalf, we use written contracts (DPAs) requiring GDPR-level protections.

11. Supervisory authority & enforcement

If you are dissatisfied with our handling of a GDPR request you may lodge a complaint with your national supervisory authority in the EU/EEA. GDPR also provides strong enforcement powers to supervisory authorities, including fines for serious non-compliance. (Penalties can be significant depending on the infringement.)