GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how organizations collect, store, process, and protect personal data of individuals in the European Union (EU) and European Economic Area (EEA).
At Fiddle, we are committed to ensuring the privacy and protection of your personal data in compliance with GDPR requirements. This page explains your rights under GDPR and how you can exercise them.
Our Commitment
We process your personal data lawfully, fairly, and transparently. We collect only the data necessary for specific purposes and ensure it is accurate and kept secure.
Scope and Application
This GDPR compliance notice applies to:
- All individuals located in the EU/EEA who use our services
- Processing of personal data of EU/EEA residents regardless of where the processing occurs
- Personal data we collect through our website, applications, and services
- Data we receive from our customers about their employees or contacts in the EU/EEA
If you are a resident of the EU/EEA, you have specific rights regarding your personal data under GDPR, which we outline in detail below.
Data Controller
For the purposes of GDPR, Fiddle, Inc. acts as the data controller for personal data we collect directly from you. When processing data on behalf of our customers, we act as a data processor.
Data Controller Details
Fiddle, Inc.
333 W 2230 N
Suite 310
Provo, UT 84604
United States
Lawful Basis for Processing
We process your personal data based on one or more of the following lawful bases:
Contractual Necessity
Processing is necessary to perform a contract with you or take pre-contractual steps at your request, such as providing our inventory management services.
Legitimate Interests
Processing is necessary for our legitimate business interests, such as improving our services, fraud prevention, and ensuring network security.
Consent
Where required, we obtain your explicit consent before processing, such as for marketing communications. You may withdraw consent at any time.
Legal Obligation
Processing is necessary to comply with legal requirements, such as tax reporting or responding to lawful requests from authorities.
Your Rights Under GDPR
Under GDPR, you have the following rights concerning your personal data. We are committed to honoring these rights and making it easy for you to exercise them.
1. Right of Access
You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, access to that data along with information about:
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the data has been disclosed
- The envisaged retention period
- The source of the data (if not collected from you directly)
2. Right to Rectification
You have the right to obtain the correction of inaccurate personal data and to have incomplete personal data completed. We will promptly rectify any inaccurate or incomplete data upon your request.
3. Right to Erasure ("Right to be Forgotten")
You have the right to request the deletion of your personal data when:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Note: This right is not absolute. We may retain data where required by law or for legitimate business purposes as permitted under GDPR.
4. Right to Restriction of Processing
You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you prefer restriction over erasure.
5. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You may also request that we transmit your data directly to another controller where technically feasible.
6. Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately.
Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
Currently, Fiddle does not engage in automated decision-making that produces legal effects. If this changes, we will provide clear notice and obtain appropriate consent or ensure suitable safeguards are in place.
International Data Transfers
As a US-based company, we transfer personal data from the EU/EEA to the United States and potentially other countries. We ensure appropriate safeguards are in place for such transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses when transferring data outside the EEA.
- Data Processing Agreements: We maintain agreements with sub-processors that include GDPR-compliant data protection provisions.
- Supplementary Measures: We implement additional technical and organizational measures where necessary to ensure data protection.
Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Retention periods vary based on:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Transaction records | 7 years (legal requirement) |
| Support communications | 3 years after resolution |
| Marketing preferences | Until opt-out or 3 years of inactivity |
| Analytics data | 26 months (aggregated thereafter) |
Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- Access controls and authentication measures
- Regular security assessments and penetration testing
- Employee training on data protection and security
- Incident response and business continuity plans
- Regular backups and disaster recovery procedures
Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible)
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches and remedial actions taken
- Take immediate steps to contain and mitigate the breach
Submit a Data Request
Use the form below to exercise your rights under GDPR. We will respond to your request within one month of receipt. In complex cases, this may be extended by up to two additional months, in which case we will inform you.
Contact Our Data Protection Officer
If you have questions about this GDPR compliance notice, our data practices, or wish to make a complaint, you can contact our Data Protection Officer:
Right to Lodge a Complaint
If you are not satisfied with how we handle your request or believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority. A list of EU Data Protection Authorities can be found at edpb.europa.eu.