GDPR Commitment

Product7 acts in two distinct capacities depending on the data involved:

• Data Processor for Customer Data — personal data submitted to our platform by our business customers (for example, end-user feedback, support messages, and contact details collected through customer-owned boards and inboxes). The customer is the Data Controller and determines the purpose and means of processing.
• Data Controller for account and Service Data — personal data we collect to operate our business (for example, billing contacts, account administrators, and platform telemetry).

We rely on the following lawful bases under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)) — providing our Services to customers and end users.
• Legitimate interests (Art. 6(1)(f)) — securing the platform, preventing abuse, improving Service performance, and sending Service-related communications.
• Legal obligation (Art. 6(1)(c)) — complying with tax, accounting, and lawful authority requests.
• Consent (Art. 6(1)(a)) — non-essential cookies, marketing communications, and optional features.

If you are a resident of the EU, EEA, or United Kingdom, you have the following rights regarding your personal data:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / "right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Rights related to automated decision-making (Art. 22)
• Right to withdraw consent at any time
• Right to lodge a complaint with your local Data Protection Authority

To exercise these rights, contact privacy@product7.io. We respond within 30 days.

Where Product7 acts as a Processor, we will assist our customer (the Controller) in responding to data subject requests in accordance with our Data Processing Agreement.

Product7 offers a Data Processing Agreement (DPA) to all business customers, incorporating the European Commission's Standard Contractual Clauses (SCCs) for international data transfers. Our DPA includes:

• Article 28 GDPR-compliant processor obligations
• EU Standard Contractual Clauses (Module Two: Controller-to-Processor) for transfers outside the EEA
• UK International Data Transfer Addendum where applicable
• Sub-processor disclosure and notification commitments
• Security, breach notification, and audit obligations
• Data subject request assistance

To request a countersigned DPA, email privacy@product7.io.

Product7 is incorporated in the State of Delaware (United States) and operates infrastructure in multiple jurisdictions. For transfers of personal data from the EU/EEA or UK to the United States, we rely on:

• European Commission Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum (IDTA)
• Supplementary technical and organizational measures, including encryption in transit and at rest
• Transfer impact assessments where required

See our Data Transfer Notice for details on the mechanisms we use, and our Sub-processors page for the list of third parties involved.

We implement appropriate technical and organizational measures under Article 32 GDPR, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and least-privilege provisioning
• Multi-factor authentication for administrative access
• Audit logging and monitoring
• Regular vulnerability assessments and patch management
• Confidentiality obligations on all staff and contractors
• Documented incident response and breach notification procedures

In the event of a personal data breach, Product7 will notify affected customers without undue delay and, where required, within 72 hours of becoming aware of the breach, in accordance with Articles 33 and 34 GDPR.

Product7 has designated a Data Protection point of contact responsible for monitoring our compliance with GDPR.

• Privacy Policy
• Sub-processors
• International Data Transfer Notice