Jaytech GDPR Compliance Policy
Effective Date: May 27, 2025
1. Scope & Commitment
Jaytech LLC (“we,” “us,” or “our”), headquartered in Plainfield, Indiana, fully complies with the EU General Data Protection Regulation (GDPR) when processing personal data of EU/EEA residents. This policy applies to all services, including digital marketing, AI automation, and web development, regardless of client location.
2. Lawful Basis for Processing
We process data only under these GDPR Article 6 conditions:
Contractual Necessity: To deliver agreed services (e.g., building client websites).
Consent: For marketing emails or non-essential cookies (explicitly opt-in).
Legal Obligation: To comply with tax or regulatory requirements.
Legitimate Interests: Fraud prevention or service improvement (balanced against data subject rights).
3. Roles & Responsibilities
Data Controller: For client-provided data (e.g., business contact details).
Data Processor: When handling client customer data (e.g., chatbot interactions).
4. Data Subject Rights
We facilitate all GDPR rights (Articles 12–23):
| Right | Our Action | Timeline |
|---|---|---|
| Access | Provide data copy via secure portal | 30 days |
| Rectification | Update inaccuracies across all systems | 15 days |
| Erasure | Delete data unless legally required to retain | 30 days |
| Restriction | Suspend processing during disputes | 5 business days |
| Portability | Export data in machine-readable format (JSON/CSV) | 30 days |
| Objection | Cease processing for direct marketing immediately | 48 hours |
Submit Requests: Via [GDPR Request Form] or email [email protected].
5. Third-Party Processors
We use GDPR-compliant vendors with signed Data Processing Agreements (DPAs):
| Processor | Purpose | Safeguards |
|---|---|---|
| AWS (US) | Cloud hosting | SCCs + AES-256 encryption |
| Vitna Media (Cameroon) | Client project collaboration | Binding Corporate Rules |
| HubSpot (EU) | CRM management | EU-US Data Privacy Framework certified |
6. International Data Transfers
EU → US: Rely on SCCs (2021 Standard Contractual Clauses).
EU → Cameroon: Apply SCCs + supplementary technical measures.
Transparency: Data flow maps available upon request.
7. Security Measures
Aligned with GDPR Article 32:
Technical: End-to-end encryption, pseudonymization for AI training data, annual penetration tests.
Organizational: Role-based access, mandatory staff GDPR training (bi-annual), vendor audits.
Physical: Biometric access to Indiana servers, 24/7 surveillance.
8. Breach Notification
Internal Protocol: Detect → Contain → Assess → Report.
Supervisory Authority: Notified within 72 hours of awareness.
Data Subjects: Informed if high risk to rights/freedoms.
9. Data Protection Impact Assessments (DPIAs)
Conducted for high-risk processing (GDPR Article 35), including:
AI-driven customer profiling
Large-scale health/nonprofit data handling
Cross-border biometric data transfers
10. Accountability & Governance
Records of Processing Activities: Updated quarterly.
Staff Training: Mandatory GDPR modules for all employees.
Annual Audit: By independent EU-based firm [Audit Partner Name].
11. Contact & Complaints
GDPR Queries:
📧 [email protected]
📞 +1 (463) 256-3979