GDPR Policy
Our commitment to protecting your personal data under the General Data Protection Regulation.
Last updated: 10/1/2026
1. Introduction
MerlinVicki Creative Services ("we," "our," or "us") is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) (EU) 2016/679. This GDPR Policy explains how we collect, process, store, and protect your personal data when you interact with our services and website.
If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, this policy provides information about your rights and how we comply with GDPR requirements.
2. Data Controller
MerlinVicki Creative Services is the data controller responsible for your personal data. For questions about this policy or our data processing practices, you can contact us at:
3. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and maintaining security
- Legal Compliance: Processing necessary to comply with legal obligations, such as tax and accounting requirements
- Consent: Where you have given explicit consent for specific processing activities, such as marketing communications
4. Personal Data We Collect
Information You Provide
- Contact Information: Name, email address, phone number, company name, job title
- Communication Data: Information contained in inquiries, messages, and correspondence with us
- Project Information: Details about your project requirements, business needs, and preferences
- Payment Information: Billing address and payment details (processed securely through third-party payment processors)
Information We Collect Automatically
- Technical Data: IP address, browser type and version, device type, operating system
- Usage Data: Pages visited, time spent on pages, referring URLs, click patterns
- Cookie Data: Information collected through cookies and similar tracking technologies (see Cookie Policy)
5. How We Use Your Data
We process your personal data for the following purposes:
- Service Delivery: To provide our UX research, accessibility audits, AI automation, and consulting services
- Communication: To respond to your inquiries, send service updates, and provide customer support
- Contract Management: To manage our contractual relationship, process payments, and fulfill our obligations
- Service Improvement: To analyze usage patterns, improve our website and services, and develop new offerings
- Marketing: To send you relevant marketing communications (with your consent, where required)
- Legal Compliance: To comply with legal obligations and protect our legal rights
- Security: To maintain the security of our systems and protect against fraud and abuse
6. Data Sharing and Disclosure
We may share your personal data with the following categories of recipients:
- Service Providers: Third-party companies that provide services on our behalf (e.g., hosting, analytics, payment processing, email services)
- Professional Advisors: Lawyers, accountants, auditors, and other professional advisors
- Law Enforcement: Government authorities, regulators, and law enforcement agencies when required by law
- Business Transfers: Potential buyers or investors in the event of a merger, acquisition, or sale of assets
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. All third-party service providers are required to maintain appropriate security measures and process data only according to our instructions.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an adequacy decision from the European Commission
- Use of Standard Contractual Clauses approved by the European Commission
- Compliance with the EU-U.S. Data Privacy Framework (where applicable)
- Other legally recognized transfer mechanisms
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Our retention periods are based on:
- Contract Performance: During the contract period and for up to 7 years after contract termination (for legal and tax purposes)
- Marketing Communications: Until you withdraw consent or for up to 3 years of inactivity
- Website Analytics: Typically 26 months (Google Analytics default)
- Legal Requirements: As required by applicable laws (e.g., tax records, employment records)
After the retention period expires, we securely delete or anonymize your personal data.
9. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at the email address provided above.
Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with specific information about the processing.
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
Right to Erasure - 'Right to be Forgotten' (Article 17)
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or when you withdraw consent.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7)
Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before the withdrawal.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR requirements. However, we encourage you to contact us first so we can address your concerns.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. We do not currently engage in automated decision-making with legal or similarly significant effects.
Exercising Your Rights
To exercise any of these rights, please contact us at the email address provided in section 2. We will respond to your request within one month, though this may be extended by up to two months for complex requests. We may request proof of identity before processing your request.
10. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Employee training on data protection and security
- Regular backups and disaster recovery procedures
- Secure disposal of data when no longer needed
While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you of any data breaches as required by law.
11. Cookies and Tracking
We use cookies and similar tracking technologies on our website. For detailed information about our use of cookies, including how to manage your cookie preferences, please see our Privacy Policy.
Key points about our cookie use:
- We use both first-party and third-party cookies
- Cookies include analytics cookies (e.g., Google Analytics)
- You can manage cookie preferences through your browser settings
- Some cookies are essential for website functionality
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Provide information about the nature of the breach, the likely consequences, and the measures taken to address it
- Take appropriate measures to mitigate any adverse effects
13. Children's Privacy
Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately, and we will delete such information.
14. Changes to This GDPR Policy
We may update this GDPR Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:
- Posting the updated policy on our website
- Updating the "Last updated" date at the top of this page
- Sending you an email notification (for significant changes)
We encourage you to review this policy periodically to stay informed about how we protect your data.
15. Contact and Supervisory Authority
Contact Us
If you have any questions, concerns, or requests regarding this GDPR Policy or our data processing practices, please contact us at:
Supervisory Authority
If you are located in the EEA and have concerns about our data processing practices that we have not adequately addressed, you have the right to lodge a complaint with your local data protection authority. You can find contact information for EU data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.
16. Additional Resources
For more information about your privacy rights and our data practices, please see: