GDPR & PIPEDA Compliance
This Compliance Statement explains how AllHeart Web Inc. ("MarketXY") meets its obligations under the General Data Protection Regulation (GDPR) — applicable to users in the European Union and United Kingdom — and the Personal Information Protection and Electronic Documents Act (PIPEDA) — applicable to users in Canada. Both frameworks are addressed in this unified document.
Overview
MarketXY processes personal data in two primary contexts:
GDPR — EU & UK Compliance
MarketXY processes the personal data of EU and UK residents in accordance with the General Data Protection Regulation (EU) 2016/679 and the UK GDPR (as retained by the UK Data Protection Act 2018).
Legal Bases We Rely On
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing subscription Services | Performance of a contract | Art. 6(1)(b) |
| Processing payments & invoicing | Performance of a contract | Art. 6(1)(b) |
| Tax & accounting compliance | Legal obligation | Art. 6(1)(c) |
| Platform security & fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Platform analytics & improvement | Legitimate interests | Art. 6(1)(f) |
| Marketing communications | Consent or Legitimate interests | Art. 6(1)(a)/(f) |
| WHOIS data processing | Legitimate interests | Art. 6(1)(f) |
| Processing customer-submitted data | Data Processing Agreement (processor) | Art. 28 |
Data Minimisation
We collect only the personal data necessary for the identified purpose. Data collection practices are reviewed periodically to ensure they remain proportionate and limited to what is necessary.
Retention
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. See our Privacy Policy for specific retention periods by data category.
Your GDPR Rights
If you are in the EU, EEA, or UK, you have the following rights under GDPR. To exercise any of these rights, contact [email protected]. We will respond within 30 days (which may be extended to 60 days in complex cases, with notice).
| Right | What It Means |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you, and information about how it is processed |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Right to Erasure (Art. 17) | Request deletion of your personal data, subject to legal retention obligations |
| Right to Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances |
| Right to Portability (Art. 20) | Receive your personal data in a structured, machine-readable format and transfer it to another controller |
| Right to Object (Art. 21) | Object to processing based on legitimate interests, including profiling and direct marketing |
| Right to Withdraw Consent (Art. 7) | Withdraw consent at any time where processing is consent-based, without affecting prior processing |
| Right Not to Be Subject to Automated Decisions (Art. 22) | Not be subject to solely automated decisions that produce significant legal effects, without human review |
Data Processing Agreement (DPA)
Where MarketXY acts as a Data Processor on behalf of an enterprise customer (as Data Controller), a Data Processing Agreement (DPA) is required under Article 28 of the GDPR. The DPA sets out the nature, purpose, and duration of the processing, the types of personal data involved, and the obligations of each party.
Requesting a DPA
Enterprise customers who qualify as Data Controllers may request a DPA by emailing [email protected]. We will respond within 5 business days. Failure to enter into a DPA where legally required constitutes a material breach of the Terms of Use.
Subprocessors
MarketXY uses a limited number of authorised subprocessors to provide the Services, including cloud infrastructure, payment processing, email delivery, and support platforms. A current list of subprocessors is available upon request. We ensure all subprocessors are bound by data protection agreements equivalent to the DPA.
International Data Transfers
MarketXY is operated by AllHeart Web Inc. and may transfer personal data to countries outside the EEA or UK, including Canada and the United States. Where such transfers occur, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): the European Commission's approved SCCs (2021/914) are incorporated into our DPA and service agreements for transfers to non-adequate countries
- UK International Data Transfer Agreements (IDTAs): used for transfers from the UK where SCCs are not applicable
- Adequacy decisions: Canada (PIPEDA) has an adequacy decision from the European Commission; transfers to Canada are therefore permitted without additional safeguards
- Binding Corporate Rules (BCRs): evaluated on a case-by-case basis for specific enterprise arrangements
PIPEDA — Canadian Compliance
MarketXY complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) for the collection, use, and disclosure of personal information in the course of commercial activities involving Canadian residents.
Our PIPEDA compliance is built around PIPEDA's Ten Fair Information Principles:
Your PIPEDA Rights
Canadian residents have the following rights under PIPEDA. To exercise these rights, contact our Privacy Officer at [email protected]. We respond within 30 days.
- Right of Access: request access to the personal information we hold about you and how it is used
- Right to Correction: request correction of any inaccurate personal information
- Right to Withdraw Consent: withdraw consent for collection, use, or disclosure at any time, subject to legal or contractual restrictions
- Right to Challenge Compliance: challenge our compliance with PIPEDA principles; complaints will be investigated and responded to in writing
- Right to Complain: file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca if you are not satisfied with our response
Data Breach Notification
GDPR Obligations
In the event of a personal data breach that poses a risk to the rights and freedoms of EU/UK individuals, MarketXY will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible)
- Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
- Maintain internal records of all breaches, including those that do not require notification
PIPEDA Obligations
For breaches involving Canadian residents, MarketXY will comply with PIPEDA's mandatory breach reporting requirements by:
- Reporting breaches that pose a real risk of significant harm to the OPC as soon as feasible
- Notifying affected individuals of such breaches directly
- Maintaining records of all breaches for a minimum of 24 months
Data Protection Officer
MarketXY has designated a Privacy Officer responsible for overseeing compliance with GDPR, PIPEDA, and this Compliance Statement. The Privacy Officer reviews data processing activities, handles data rights requests, responds to regulatory enquiries, and conducts periodic compliance audits.
To contact the Privacy Officer: [email protected] — or by post to: Privacy Officer, AllHeart Web Inc., [Registered Address].
Complaints & Supervisory Authorities
If you are not satisfied with how we have handled your data rights request or privacy complaint, you have the right to lodge a complaint with the appropriate supervisory authority:
| Jurisdiction | Authority | Contact |
|---|---|---|
| European Union | Your local EU Data Protection Authority (DPA) — list at edpb.europa.eu | edpb.europa.eu |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca |
| All regions | MarketXY Privacy Officer (first-instance complaints) | [email protected] |