GDPR Compliance
Last updated: February 2026
This page describes how TrafficSpy Pro handles the personal data of users in the European Economic Area (EEA) and United Kingdom in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. Please also read our Privacy Policy for full details of our data practices.
1. Data Controller
TrafficSpy Pro acts as the data controller for personal data collected directly through our Service — meaning we determine the purposes and means of processing.
We do not have a formally appointed Data Protection Officer (DPO) at this time, as we are a small startup and do not currently meet the thresholds requiring a mandatory DPO appointment under Art. 37 GDPR. We handle all data protection inquiries directly:
Email: dexteritydevelops@gmail.com
2. Legal Basis for Processing
We rely on the following legal bases for processing personal data under GDPR Art. 6:
- Contract performance (Art. 6(1)(b)): Processing your account and usage data to provide the Service you signed up for — including authentication, credit tracking, and feature access.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud and abuse prevention, and basic server logging. We have conducted a balancing test and determined these interests are not overridden by your rights, given the minimal data involved and the security benefits to all users.
- Legal obligation (Art. 6(1)(c)): Where applicable law requires us to retain or disclose data.
- Consent (Art. 6(1)(a)): For any optional communications (such as product newsletters) that you explicitly opt into. You may withdraw consent at any time by emailing us or unsubscribing.
3. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data. You can also update your display name directly in Settings.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days of a verified request, subject to any legal retention obligations.
- Right to restriction of processing (Art. 18): Request that we restrict how we process your data in certain circumstances (for example, while a correction request is being verified).
- Right to data portability (Art. 20): Receive the personal data you have provided to us in a structured, commonly used, machine-readable format where processing is based on consent or contract.
- Right to object (Art. 21): Object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making (Art. 22): We do not currently make any solely automated decisions that produce legal or similarly significant effects on individuals.
To exercise any of these rights, email us at dexteritydevelops@gmail.com with "GDPR Request" in the subject line. We will respond within 30 days (or up to 3 months for complex requests, with notice). We may need to verify your identity before acting on a request.
4. International Data Transfers
Our primary infrastructure is hosted in the United States (AWS US-East-1) via Supabase and Vercel. This means personal data of EEA and UK users is transferred to and processed in the United States, which is a third country without an EU adequacy decision.
We rely on the following safeguards for these transfers:
- Supabase, Inc.: We rely on Supabase's Data Processing Agreement (DPA), which incorporates Standard Contractual Clauses (SCCs) under European Commission Implementing Decision (EU) 2021/914 for transfers to the United States. Supabase also participates in the EU–US Data Privacy Framework where applicable.
- Vercel, Inc.: We rely on Vercel's DPA and associated SCCs for EEA-to-US transfers.
You may request copies of the applicable SCCs by emailing us. We will provide these within a reasonable time.
5. Data Retention
We retain personal data for as long as your account is active or as necessary to provide the Service. When you delete your account:
- Your profile and account data are deleted within 30 days.
- Server access logs (IP address, request timestamps) may be retained for up to 90 days for security and abuse-prevention purposes, then deleted.
- Feedback you submitted as a registered user is anonymised (user ID and email removed) within 30 days, but the message content may be retained indefinitely in anonymised form.
- We may retain data longer if required to comply with a legal obligation or to defend against a legal claim, in which case we will retain only the minimum data necessary for that purpose.
6. Sub-processors
The following sub-processors may process personal data on our behalf. We have entered into a Data Processing Agreement with each of them (or rely on the processor's standard DPA):
- Supabase, Inc. (United States) — authentication, database, and storage. GDPR-compliant DPA with SCCs.
- Vercel, Inc. (United States) — web application hosting and global edge delivery. GDPR-compliant DPA with SCCs.
We will update this list if we add new sub-processors and, where required, will notify you before any material change.
7. Cookies and Tracking Technologies
We use only strictly necessary session cookies to maintain your logged-in state. These are required for the Service to function and do not track you across other websites. We do not use:
- Analytics cookies (e.g., Google Analytics)
- Advertising or retargeting cookies
- Third-party social media tracking pixels
- Fingerprinting or behavioural tracking technologies
Under GDPR and the ePrivacy Directive (as implemented nationally), strictly necessary cookies do not require prior consent. We therefore do not display a cookie consent banner.
8. Data Security
We implement the following technical and organisational measures to protect personal data:
- Encryption in transit using TLS 1.2 or higher for all data exchanged with our Service.
- Encryption at rest for database storage, managed by Supabase/AWS.
- Access controls: personal data is accessible only to authorised personnel and systems that require it to provide the Service.
- Password hashing using bcrypt via Supabase Auth — we never store or transmit plain-text passwords.
- API-level input sanitisation and parameterised queries to prevent injection attacks.
We are a small team and do not currently conduct formal third-party security audits. We apply reasonable care and best practices commensurate with our size and the nature of the data we process.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible (GDPR Art. 33).
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), including a description of the breach, likely consequences, and measures taken.
We maintain an internal breach register to document any incidents, whether or not they meet the notification threshold.
10. Complaints and Supervisory Authority
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concern directly:
Email: dexteritydevelops@gmail.com
To find your national data protection authority in the EU, visit edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).