Scope & Applicability
This GDPR Compliance Statement applies to the processing of personal data of individuals ("data subjects") who are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK) and who interact with Prometrix's website, platform, or services.
Prometrix Technologies Private Limited is an Indian company. Under Article 3(2) of the GDPR, the Regulation applies to us because we offer services to individuals in the EU/EEA, regardless of where our processing takes place. For UK users, the UK GDPR (retained under the UK Data Protection Act 2018) applies on equivalent terms.
In plain terms: even though Prometrix is incorporated in India, if you are in the EU, EEA, or UK, the GDPR applies to how we handle your personal data, and you have full GDPR rights.
This statement supplements our main Privacy Policy. Where this statement conflicts with the Privacy Policy in matters relating to EU/UK users, this statement takes precedence.
Our Role under GDPR
2.1 Data Controller
For personal data you provide directly to Prometrix when creating an account, using the platform, or contacting us, Prometrix Technologies Private Limited acts as the Data Controller (Art. 4(7)): we determine the purposes and means of processing.
2.2 Data Processor
When you connect third-party marketing platforms (Google, Meta, LinkedIn, etc.) and we process data from those platforms on your behalf to generate agent outputs, Prometrix acts as a Data Processor (Art. 4(8)): we process the data on your instructions. In this capacity, we enter into a Data Processing Agreement (DPA) with you.
2.3 Data Processing Agreement (DPA)
For business customers who require a formal DPA under Article 28 GDPR, Prometrix provides a standard DPA upon request. The DPA covers the subject matter, duration, nature, and purpose of processing, type of personal data and categories of data subjects, and obligations and rights of both parties.
To request a Data Processing Agreement, email dpo@prometrix.ai with the subject line "DPA Request." We will respond within 5 business days.
Lawful Bases for Processing (Art. 6)
Under Article 6 GDPR, every processing activity requires a lawful basis. The following table sets out the lawful basis for each category of processing we carry out in relation to EU/UK data subjects.
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account registration and platform access | Performance of a contract | Art. 6(1)(b) |
| Subscription billing and payment processing | Performance of a contract | Art. 6(1)(b) |
| Generating AI agent recommendations from your connected platform data | Performance of a contract / Consent | Art. 6(1)(b) / (a) |
| Sending transactional emails (alerts, invoices, onboarding) | Performance of a contract | Art. 6(1)(b) |
| Sending marketing communications and product updates | Consent (opt-in only) | Art. 6(1)(a) |
| Platform security, fraud prevention, abuse detection | Legitimate interests | Art. 6(1)(f) |
| Anonymised product analytics and improvement | Legitimate interests | Art. 6(1)(f) |
| Compliance with legal obligations (tax, regulatory) | Legal obligation | Art. 6(1)(c) |
| Responding to legal requests from authorities | Legal obligation / Vital interests | Art. 6(1)(c) / (d) |
Legitimate Interests Assessments (LIAs): Where we rely on Art. 6(1)(f), we have conducted and documented Legitimate Interests Assessments. These are available to data subjects upon request at dpo@prometrix.ai.
Personal Data We Process
We apply the GDPR principle of data minimisation (Art. 5(1)(c)): we collect only what is necessary for the specified purpose. The following categories of personal data may be processed for EU/UK data subjects:
4.1 Identity & Contact Data
- First and last name, work email address, phone number, job title, and company name.
- Profile photograph if provided voluntarily.
4.2 Technical & Usage Data
- IP address, browser type and version, operating system, device identifiers.
- Session data: pages visited, features used, time spent, click patterns.
- API access logs and error logs (retained for 90 days).
4.3 Financial Data
- Billing address, payment method type, and transaction records. Raw payment card data is processed exclusively by our payment processor (Razorpay) and is never stored by Prometrix.
4.4 Marketing Platform Data (via OAuth)
- Data retrieved from your connected platforms (Google, Meta, LinkedIn, etc.) within the specific OAuth scopes you authorise. This may include campaign metrics, audience data, keyword rankings, and business profile information.
- Where this data contains personal data of third parties (e.g. audience demographic segments), you as the account holder are the data controller for those individuals, and Prometrix acts as your processor.
4.5 Special Category Data
Prometrix does not intentionally collect or process special category data as defined under Article 9 GDPR (health data, biometric data, racial or ethnic origin, political opinions, etc.). If any such data reaches us incidentally through connected platform data, we will delete it upon discovery and notify you.
Your 8 Rights as an EU/UK Data Subject
The GDPR grants you eight fundamental rights over your personal data. To exercise any right, submit a verifiable request to dpo@prometrix.ai. We will respond within 30 days (extendable by a further 60 days for complex requests, with notification).
Right of Access
Obtain confirmation of whether we process your personal data and, if so, receive a copy of that data along with supplementary information about how it is processed.
Right to Rectification
Request correction of inaccurate personal data or completion of incomplete personal data we hold about you, without undue delay.
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where it is no longer necessary, consent is withdrawn, or you object and there is no overriding legitimate ground.
Right to Restriction
Request restriction of processing while accuracy is contested, processing is unlawful but you oppose erasure, or you need data for legal claims while we no longer need it.
Right to Portability
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller where processing is based on consent or contract.
Right to Object
Object at any time to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will always comply immediately with no need to justify your objection.
Rights re: Automated Decisions
Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Prometrix does not make such decisions about individual users.
Right to Withdraw Consent
Withdraw consent for any consent-based processing at any time. Withdrawal does not affect the lawfulness of prior processing. You can withdraw via your account settings or by emailing our DPO.
Right to lodge a complaint (Art. 77): If you are not satisfied with our response to a data subject request, you have the right to lodge a complaint with your local supervisory authority, for example the Irish Data Protection Commission (for EU users) or the UK Information Commissioner's Office (ICO) (for UK users).
International Data Transfers (Ch. V)
Prometrix is based in India, and our primary data infrastructure runs on AWS Mumbai (ap-south-1). When EU/UK personal data is transferred to India, a country not currently covered by an EU adequacy decision, we use the following safeguards to ensure an equivalent level of protection:
6.1 Standard Contractual Clauses (SCCs)
For transfers of EU personal data from the EU/EEA to India, we rely on the European Commission's Standard Contractual Clauses (SCCs) as updated in June 2021 (Commission Implementing Decision 2021/914). For UK personal data, we use the UK International Data Transfer Agreement (IDTA) issued by the ICO.
Copies of our SCCs and IDTA are available upon request at dpo@prometrix.ai.
6.2 Transfer Impact Assessment
In line with the Schrems II ruling (C-311/18), we have conducted a Transfer Impact Assessment (TIA) evaluating the legal landscape in India with respect to government access to personal data. The TIA is available to data subjects and enterprise customers upon request.
6.3 Sub-processor Transfers
Where our sub-processors process EU/UK personal data outside the EEA, we ensure that appropriate transfer mechanisms are in place (SCCs, adequacy decisions, or BCRs) and maintain contractual obligations requiring equivalent protections.
India Adequacy: The European Commission is in ongoing discussions regarding an adequacy decision for India. Should India receive an adequacy decision in future, our transfers will be governed by that decision instead of SCCs.
Data Retention (Art. 5(1)(e))
We apply the GDPR principle of storage limitation: personal data is kept no longer than necessary for the purposes for which it was collected. The following retention periods apply to EU/UK personal data:
- Account and profile data: Duration of active subscription plus 90 days to enable account recovery. Deleted within 30 days of account deletion request.
- Marketing platform data (OAuth): Retained while the integration is active. Deleted within 30 days of disconnection.
- Billing and transaction records: 7 years to comply with applicable financial regulations and tax law.
- Support communications: 3 years for quality assurance and legitimate dispute resolution purposes.
- Technical logs (IP, session data): 90 days, then automatically purged.
- Consent records: 3 years from the date of consent, or until withdrawal, whichever is earlier.
- Data subject request records: 3 years to demonstrate compliance.
At the end of any retention period, data is securely deleted or irreversibly anonymised. We conduct quarterly data retention audits to ensure compliance.
Security Measures (Art. 32)
Under Article 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our measures include:
Technical Measures
- Encryption in transit: TLS 1.3 for all data transmitted between users and our servers.
- Encryption at rest: AES-256 for all stored personal data in databases and object storage.
- Pseudonymisation: Where technically feasible, personal data is pseudonymised in analytics systems.
- Access controls: Role-based access control (RBAC) with multi-factor authentication for all staff accessing production systems.
- Vulnerability management: Regular penetration testing and automated vulnerability scanning.
- Audit logging: Comprehensive audit trails for all access to and processing of personal data.
Organisational Measures
- Data protection training for all staff handling personal data.
- Privacy by Design and by Default (Art. 25) embedded in our product development process.
- Data Protection Impact Assessments (DPIAs) (Art. 35) conducted for high-risk processing activities.
- Written confidentiality agreements with all employees and contractors who handle personal data.
- Vendor due diligence process for all sub-processors.
Sub-processors (Art. 28)
We use a limited number of trusted sub-processors to deliver our services. We conduct due diligence on all sub-processors and ensure they are bound by data processing agreements that impose obligations no less protective than those we have with you.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | India (ap-south-1) primary; EU (eu-west-1) for EU-specific deployments | SCCs / AWS DPA |
| Razorpay | Payment processing | India | SCCs |
| Transactional Email Provider | Account notifications, alerts, invoices | EU / USA | SCCs / Adequacy |
| Analytics Provider | Aggregated, anonymised product usage analytics | EU | No transfer (EU-only) |
We will notify you of any intended changes to our sub-processor list (additions or replacements) at least 30 days in advance, giving you the opportunity to object. The current sub-processor list is maintained and available at dpo@prometrix.ai.
Data Breach Protocol (Art. 33 & 34)
In the event of a personal data breach, we follow the GDPR's mandatory notification requirements:
- Supervisory authority notification (Art. 33): We will notify the relevant lead supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. Where notification is not possible within 72 hours, we will provide it in phases with reasons for the delay.
- Data subject notification (Art. 34): Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay in clear and plain language, describing the nature of the breach and the measures taken.
- Internal documentation: All breaches, regardless of severity, are documented in our internal breach register, including facts, effects, and remedial actions taken.
If you discover or suspect a data breach affecting Prometrix systems, please report it immediately to security@prometrix.ai. We acknowledge all reports within 24 hours.
Cookies & Consent (ePrivacy Directive)
For EU/EEA users, our use of non-essential cookies is governed by the ePrivacy Directive (2002/58/EC) as implemented in relevant national laws, in addition to the GDPR. For UK users, the Privacy and Electronic Communications Regulations (PECR) apply.
We operate a consent-first approach for all non-essential cookies:
- Strictly necessary cookies are deployed without consent as they are required for the platform to function (session management, security, load balancing).
- Functional, analytics, and marketing cookies are only set after you provide explicit, granular consent via our cookie consent banner on first visit.
- Consent is recorded with a timestamp, the version of the consent notice shown, and the specific preferences selected.
- You can withdraw or modify cookie consent at any time via the cookie settings panel in the platform footer.
- We do not use cookie walls that make access to the platform conditional on accepting non-essential cookies.
Consent records are retained for 3 years as evidence of compliance, in line with guidance from the CNIL and other European supervisory authorities.
Children (Art. 8)
Prometrix services are directed at business professionals and are not intended for use by children. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in the relevant EU Member State or UK).
If we become aware that personal data of a child has been collected without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact dpo@prometrix.ai immediately.
Data Protection Officer & Contact
Prometrix has appointed a Data Protection Officer (DPO) as the primary point of contact for all GDPR-related enquiries, data subject requests, and supervisory authority communications.
Data Protection Officer
Our DPO is responsible for overseeing our data protection strategy, ensuring compliance with the GDPR and UK GDPR, handling data subject requests, and liaising with supervisory authorities. The DPO operates independently and reports directly to senior management.
DPO Email: dpo@prometrix.ai
Postal Address: Prometrix Technologies Pvt. Ltd., New Delhi, India
Response Time: Within 30 days (Art. 12(3) GDPR)
Lead Supervisory Authority: Irish Data Protection Commission (EU); UK ICO (United Kingdom)
When contacting us to exercise a data subject right, please include: your full name, email address associated with your account, the specific right you wish to exercise, and any relevant details. We may request additional information to verify your identity before processing the request.