GDPR Compliance

Legal Basis for Processing

• Contract performance — Processing necessary to deliver the CooVex service you subscribed to.
• Legitimate interests — Security monitoring, fraud prevention, service improvement.
• Legal obligation — Tax records, legal requests from authorities.
• Consent — Marketing communications (you can withdraw at any time).

Data Subject Rights (Articles 15–22 GDPR)

EU residents have the following rights, exercisable by emailing dpo@coovex.com:

• Right of access (Art. 15) — Request a copy of all data we hold about you.
• Right to rectification (Art. 16) — Correct inaccurate personal data.
• Right to erasure (Art. 17) — Request deletion ("right to be forgotten").
• Right to restriction (Art. 18) — Limit how we process your data.
• Right to data portability (Art. 20) — Receive your data in a machine-readable format.
• Right to object (Art. 21) — Object to processing based on legitimate interests.

We respond to all requests within 30 days.

Data Transfers

Where data is transferred outside the EEA (to the US), we rely on EU Standard Contractual Clauses (SCCs) approved under EU Commission Decision 2021/914. Sub-processors include Supabase (EU region), Resend, and Stripe — all with valid SCCs or adequacy decisions.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

Data Protection Officer

Our DPO can be reached at dpo@coovex.com. For formal complaints, you may also contact your national supervisory authority (e.g., ICO in the UK, CNIL in France).

Data Processing Agreement

If you are a business processing EU personal data through CooVex, a Data Processing Agreement (DPA) is available and must be signed for compliance. Contact legal@coovex.com to execute a DPA.