GDPR Compliance Statement
Last Updated: October 1, 2023
This document outlines how OpenExchangeAPI Inc. complies with the General Data Protection Regulation (GDPR) (EU) 2016/679, which governs the protection of personal data of individuals located in the European Union.
Effective Date: 2023-10-01
Applies To: All users and visitors from the European Economic Area (EEA)
Service: https://openexchangeapi.com
1. Data Controller and Processor Roles
OpenExchangeAPI Inc. acts as both a Data Controller (when handling account and billing information) and a Data Processor (when processing API usage data on behalf of customers).
2. Lawful Basis for Processing
We process personal data under the following legal bases:
- Contractual necessity – to provide our API services.
- Legitimate interests – such as improving our platform, ensuring security, and preventing abuse.
- Consent – where required, such as for marketing communications or optional cookies.
3. Data Subject Rights
Under GDPR, individuals have the right to:
- Access their personal data.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”).
- Restrict or object to processing.
- Request data portability.
- Withdraw consent at any time.
To exercise your rights, email us at [email protected].
4. International Data Transfers
Data may be transferred and stored outside the EU, including in the United States. We use appropriate safeguards such as:
- Standard Contractual Clauses (SCCs)
- Data processing agreements with sub-processors
5. Sub-Processors
We engage third-party sub-processors for infrastructure, analytics, and billing. All sub-processors are contractually required to comply with GDPR and maintain security standards.
6. Security Measures
We implement technical and organizational measures including:
- Encryption (TLS/HTTPS)
- Authentication and access controls
- Periodic security audits and incident response
7. Data Retention
Personal data is retained only as long as necessary for the purposes stated. Account data and logs are retained according to the Privacy Policy.
8. Breach Notification
In the event of a data breach affecting EU users, we will notify the relevant supervisory authorities and affected users without undue delay, and within 72 hours where feasible.
9. Contact Information
Data Protection Contact:
1234 Wilshire Blvd, Suite 400, Los Angeles, CA 90017
If you believe your rights have been violated, you may also lodge a complaint with your local Data Protection Authority in the EU.