GDPR Compliance

How IdeaDunes protects your data under the EU General Data Protection Regulation

Last updated: March 2026
Applies to all users in the European Economic Area
Also applies to the UK GDPR and the Swiss Federal Act on Data Protection (FADP)

1. Our Commitment to GDPR

IdeaDunes is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We have implemented comprehensive technical and organizational measures to protect personal data and uphold the rights of data subjects.

This page explains how we comply with each core principle and what rights you have under the GDPR.

2. Data Controller and Data Processor Roles

IdeaDunes operates in two capacities:

  • Data Controller: For personal data we collect directly from users (account information, usage data, cookies). IdeaDunes determines the purposes and means of processing this data.
  • Data Processor: For business data that our customers store within the platform (CRM contacts, project data, invoices). Our customers are the data controllers for this data, and IdeaDunes processes it on their behalf under a Data Processing Agreement (DPA).

3. Lawful Bases for Processing

We process personal data only where we have a lawful basis under Article 6 of the GDPR:

Processing Activity                          Lawful Basis                 GDPR Article
Account creation and service delivery        Performance of a contract    Art. 6(1)(b)
Security monitoring and fraud prevention     Legitimate interest          Art. 6(1)(f)
Marketing communications                     Consent                      Art. 6(1)(a)
Analytics and service improvement            Legitimate interest          Art. 6(1)(f)
Legal and regulatory compliance              Legal obligation             Art. 6(1)(c)
Customer support and communication           Performance of a contract    Art. 6(1)(b)

4. Your Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. We respond to requests to exercise any of these rights, including Data Subject Access Requests (DSARs), within 30 days of receipt.

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including how and why we process it.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data where, for example, it is no longer necessary for the purpose for which it was collected, you withdraw the consent on which processing is based, or you object to the processing and no overriding legitimate ground exists.

Right to Restrict Processing (Art. 18)

Request that we limit the processing of your data in certain circumstances.

Right to Data Portability (Art. 20)

Receive the personal data you have provided to us in a structured, commonly used, machine-readable format (CSV, JSON) and transmit it to another service. This right applies to data we process by automated means on the basis of consent or a contract.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. Objections to direct marketing are always honoured; other objections are honoured unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.

Automated Decision-Making (Art. 22)

Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.

Right to Withdraw Consent (Art. 7)

Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

To exercise any of these rights, contact us at privacy@ideadunes.com or use the data management tools in your account settings.

5. Data Processing Agreement (DPA)

For customers who use IdeaDunes to process personal data of their own clients or contacts, we provide a Data Processing Agreement that complies with Article 28 of the GDPR. The DPA covers:

  • Subject matter, duration, nature, and purpose of data processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Sub-processor management and approval procedures
  • Security measures and breach notification procedures
  • Data deletion or return upon termination
  • Audit and inspection rights

To request a signed DPA, contact legal@ideadunes.com.

6. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): European Commission-approved contractual terms for data transfers to third countries.
  • Adequacy Decisions: Transfers to countries with an EU adequacy decision (e.g., UK, Japan, South Korea, Canada).
  • Supplementary Measures: Additional technical safeguards including encryption, pseudonymization, and access controls where required by Transfer Impact Assessments.

7. Technical and Organizational Measures

We implement the following measures to protect personal data (Article 32):

Technical Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Two-factor authentication (2FA)
  • Role-based access controls (RBAC)
  • Session management with automatic timeouts
  • Regular penetration testing and vulnerability scanning
  • Automated backup with encrypted storage
  • Intrusion detection and monitoring

Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements for all personnel
  • Data Protection Impact Assessments (DPIAs)
  • Documented incident response procedures
  • Regular policy reviews and updates
  • Vendor assessment and due diligence
  • Records of processing activities (Article 30)
  • Privacy by design and by default principles

8. Data Breach Notification

In the event of a personal data breach, IdeaDunes will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33).
  • Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
  • Notify our data controller customers without undue delay when acting as a data processor.
  • Document all breaches, including facts, effects, and remedial actions taken.

9. Data Protection Officer

For questions or concerns regarding our GDPR compliance, data processing practices, or to exercise your data subject rights, contact:

Data Protection Officer
IdeaDunes
Email: dpo@ideadunes.com
Response time: Within 30 days for DSARs

10. Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available on the European Data Protection Board website.

11. Cookie Compliance

IdeaDunes uses cookies in compliance with the ePrivacy Directive. For detailed information about the cookies we use and how to manage your preferences, see our Cookie Policy.

12. CCPA Compliance (California)

For users in California, we also comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). California residents have additional rights including:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by businesses
  • Right to opt-out of the sale or sharing of personal information
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information

IdeaDunes does not sell personal information. To exercise your CCPA rights, contact privacy@ideadunes.com.

13. Changes to This Page

We review and update this GDPR compliance page periodically to reflect changes in our practices, technology, legal requirements, and regulatory guidance. Material changes will be communicated via email to account holders.

Questions about data protection?

Our Data Protection Officer is available to answer questions about how we handle your data.
