GDPR Compliance
How Rewatched complies with EU data protection regulations
Our Commitment to GDPR
Rewatched is committed to complying with the General Data Protection Regulation (GDPR) and helping our customers meet their own GDPR obligations. This page explains how we process personal data, your rights under GDPR, and the tools we provide to help you comply with the regulation.
Our Role as Data Processor
In most cases, Rewatched acts as a data processor on behalf of our customers (the data controllers). This means:
- You (the customer) control what data is collected from your users
- We process that data according to your instructions
- You are responsible for obtaining proper consent from your users
- We provide tools to help you meet your GDPR obligations
For your own account data (name, email, billing information), we act as the data controller.
Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract Performance: To provide our services to you under our Terms of Service
- Legitimate Interests: To improve our services, prevent fraud, and maintain security
- Legal Obligations: To comply with applicable laws and regulations
- Consent: Where explicitly provided for specific purposes (e.g., marketing communications)
Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
Right of Access
You have the right to request a copy of your personal data. We will provide this information within 30 days of your request.
Right to Rectification
You can request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data. We will delete your data within 90 days unless we have a legal obligation to retain it.
Right to Data Portability
You can request your data in a structured, machine-readable format. We provide data export functionality in your account settings.
Right to Object
You can object to processing of your personal data based on legitimate interests. Contact us at info@rewatched.io to exercise this right.
Right to Restrict Processing
You can request restriction of processing in certain circumstances, such as while we verify the accuracy of data you have challenged.
Tools to Help You Comply
Rewatched provides tools to help you meet your GDPR obligations:
PII Exclusion Rules
Configure rules to automatically exclude personally identifiable information (PII), such as email addresses, phone numbers, and credit card numbers, from collection.
User Identification & Deletion
Identify specific users and delete all their data to fulfill erasure requests from your end users.
Data Export
Export user data in standard formats to fulfill data portability requests.
Consent Management
Track and manage user consent for data collection. Integrate with your existing consent management platform.
Data Processing Agreement (DPA)
We offer a Data Processing Agreement (DPA) that meets GDPR requirements. The DPA includes:
- Details of processing activities
- Data security measures
- Subprocessor list and notification procedures
- Data subject rights fulfillment procedures
- Data breach notification requirements
- Data transfer mechanisms (Standard Contractual Clauses)
To request a DPA, please contact us at info@rewatched.io.
International Data Transfers
Your data may be processed in the United States and other countries outside the European Economic Area (EEA). We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Hosting infrastructure that meets EU data protection standards
- Organizational and technical security measures
We can provide EU data residency options for enterprise customers. Contact us for details.
Subprocessors
We use carefully selected subprocessors to help provide our services. Current subprocessors include:
- Cloud infrastructure providers (data hosting)
- Payment processors (billing and subscriptions)
- Email service providers (transactional emails)
We maintain a complete subprocessor list and will notify you of any changes. All subprocessors are bound by data protection agreements.
Data Breach Notification
In the event of a data breach affecting personal data, we will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will provide details of the breach, its potential impact, and the measures taken to address it.
Privacy by Design & Default
We apply the principles of privacy by design and by default:
- Data minimization – collect only necessary data
- Purpose limitation – use data only for specified purposes
- Storage limitation – retain data only as long as necessary
- Pseudonymization and encryption where appropriate
- Regular privacy impact assessments
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
Email: info@rewatched.io
Subject line: "GDPR Data Subject Request"
Please include:
- Your full name and account email
- The specific right you wish to exercise
- Any relevant details to help us process your request
We will respond to your request within 30 days. If we need additional time, we will inform you and explain why.
Supervisory Authority
If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority or the Irish Data Protection Commission (our lead supervisory authority in the EU).
Updates to This Page
This GDPR compliance page is reviewed and updated regularly to reflect our current practices and any changes to GDPR requirements. For questions about our GDPR compliance, please contact us at info@rewatched.io.