GDPR Compliance

Your data protection rights under the General Data Protection Regulation

Pixeva is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page explains your rights under GDPR and how we handle your personal data. For complete details, please also review our Privacy Policy.

Your Rights Under GDPR

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of your request.

Right to Rectification

You can request that we correct any inaccurate personal data or complete any incomplete data we hold about you.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances.

Right to Restrict Processing

You can request that we limit how we use your personal data while we verify its accuracy or the legitimacy of the processing.

Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format to transfer to another service.

Right to Object

You can object to the processing of your personal data for direct marketing or when processing is based on legitimate interests.

Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

Right to Withdraw Consent

Where we rely on consent to process your data, you can withdraw that consent at any time without affecting prior processing.

Data Controller

Pixeva Inc. is the data controller responsible for your personal data. Our contact details are:
Pixeva Inc.
110 Sun King Crescent
Barrie, ON L4N 0H7
Canada
Data Protection Officer:
Email: dpo@pixeva.co
For EU residents, our EU representative is:
Pixeva EU Ltd.
Dublin, Ireland
Email: eu-privacy@pixeva.co

Legal Basis for Processing

We process your personal data under the following legal bases:
Contract Performance: Processing necessary to provide our services to you, including account management, photo processing, and customer support.
Legitimate Interests: Processing for our legitimate business interests, such as improving our services, fraud prevention, and security, where these interests are not overridden by your rights.
Consent: Where you have given explicit consent for specific processing activities, such as marketing communications or optional analytics.
Legal Obligation: Processing necessary to comply with legal requirements, such as tax obligations or responding to lawful requests from authorities.

Data We Collect

We collect and process the following categories of personal data:
Identity Data: Name, username, profile information
Contact Data: Email address, phone number
Technical Data: IP address, browser type, device information
Usage Data: How you use our services, features accessed
Photo Data: Photos you upload, including facial recognition data
Payment Data: Payment card details (processed by Stripe)
For facial recognition specifically:
We extract facial features (embeddings) from photos
These embeddings are encrypted and stored separately from photos
Face data is automatically deleted when you delete your event or account

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
Safeguards we use:
Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all sub-processors
Technical measures including encryption in transit and at rest
Sub-processors: We use the following sub-processors who may process your data:
Amazon Web Services (AWS) - Cloud infrastructure
Stripe - Payment processing
Supabase - Database services
Vercel - Website hosting
You can request a full list of our sub-processors by contacting dpo@pixeva.co.

Data Retention

We retain your personal data only for as long as necessary:
Account Data: Retained while your account is active and for 30 days after deletion
Event Data: Retained based on your subscription plan (30-365 days)
Face Data: Deleted immediately when the associated event is deleted
Guest Selfies: Deleted immediately after processing (not stored)
Payment Records: Retained for 7 years for tax and legal compliance
Support Communications: Retained for 2 years after resolution
You can request earlier deletion of your data by contacting us.

Automated Decision-Making

Our facial recognition technology uses automated processing to match faces in photos. This processing:
Is necessary for the performance of our contract with you
Does not produce legal effects or similarly significantly affect you
Can be reviewed by our team upon request
You can request human review of any automated matching results by contacting support@pixeva.co.

Security Measures

We implement appropriate technical and organizational measures to protect your data:
Technical Measures:
Encryption in transit (TLS 1.3) and at rest (AES-256)
Regular security audits and penetration testing
Access controls and authentication requirements
Secure data centers with SOC 2 compliance
Automated threat detection and monitoring
Organizational Measures:
Staff training on data protection
Data protection impact assessments
Incident response procedures
Regular policy reviews

How to Exercise Your Rights

To exercise any of your GDPR rights, you can:
1. Use Account Settings: Many rights can be exercised directly through your account dashboard
2. Email Us: Contact dpo@pixeva.co with your request
3. Write to Us: Send a letter to our address above
What we need from you:
Proof of identity (to protect your data from unauthorized access)
Clear description of your request
Any relevant details to help us locate your data
Response Time: We will respond to your request within 30 days. If your request is complex, we may extend this by up to 60 days, but we will notify you.
Fees: We do not charge for most requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.

Complaints

If you are not satisfied with how we handle your data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.
For EU residents: You can contact your local Data Protection Authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en
For UK residents: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
We encourage you to contact us first so we can try to resolve your concerns directly.