GDPR Compliance
Last updated: April 1, 2026
1. Introduction to GDPR Compliance
Valorcy is committed to full compliance with the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The GDPR establishes enhanced rights for individuals within the European Economic Area (EEA) and imposes strict obligations on organizations that process personal data of EEA residents, regardless of where the organization is based.
As a data controller under the GDPR, Valorcy is responsible for ensuring that all personal data we collect, process, store, and transfer is handled in accordance with the regulation. We have implemented comprehensive data protection measures, appointed a Data Protection Officer, and established processes to uphold the rights and freedoms of data subjects.
This GDPR Compliance Statement outlines our approach to data protection, the legal bases for our processing activities, the rights available to you as a data subject, and the measures we have implemented to ensure ongoing compliance with the GDPR and related data protection laws.
2. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. For most of our core services, we process data based on the necessity to perform a contract with you. This includes processing your account information, website content, and billing details to provide the website building platform you have subscribed to.
We also process certain data based on your explicit consent. This includes marketing communications, analytics tracking beyond essential functionality, and the integration of certain third-party services. Consent can be withdrawn at any time through your account settings or by contacting our privacy team, and withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
In some cases, we process data based on our legitimate business interests, such as improving our platform, preventing fraud, ensuring security, and conducting analytics. When relying on legitimate interests, we always perform a balancing test to ensure that our interests do not override your rights and freedoms as a data subject.
3. Data Subject Rights
Under the GDPR, you have several important rights regarding your personal data. These include the right of access, which allows you to request a copy of the personal data we hold about you; the right to rectification, which allows you to correct inaccurate or incomplete data; and the right to erasure, also known as the "right to be forgotten," which allows you to request deletion of your data under certain circumstances.
You also have the right to restrict processing in specific situations; the right to data portability, which enables you to receive your data in a structured, commonly used, and machine-readable format; and the right to object to processing based on legitimate interests or for direct marketing purposes. Additionally, you have rights related to automated decision-making, including profiling.
To exercise any of these rights, you can submit a request through your account settings or by contacting our Data Protection Officer at dpo@Valorcy.io. We will respond to your request within 30 days and may ask for verification of your identity before processing your request. In some cases, we may not be able to fulfill your request in full due to legal exemptions.
4. Data Transfers Outside the EEA
Valorcy is headquartered in the United States and processes data globally. When personal data of EEA residents is transferred outside the EEA, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements. We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission for international data transfers.
We carefully evaluate the data protection frameworks of all countries to which personal data may be transferred. Where required, we implement supplementary measures to ensure an adequate level of protection is maintained. This includes encryption of data in transit and at rest, access restrictions, and regular audits of our data processing practices.
Our sub-processors and third-party service providers are contractually bound to provide the same level of data protection as required by the GDPR. We maintain an up-to-date list of all sub-processors, which is available upon request, and notify data subjects of any intended changes to sub-processor arrangements that may affect the protection of their personal data.
5. Data Breach Notification
In accordance with GDPR Article 33, Valorcy has established procedures for detecting, reporting, and investigating personal data breaches. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by law.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences of the breach, and the measures we have taken or propose to take to address the breach and mitigate potential harm.
We maintain comprehensive incident response procedures, conduct regular training for all personnel who handle personal data, and perform periodic security assessments to identify and address potential vulnerabilities. Our goal is to prevent breaches before they occur and to respond swiftly and transparently when incidents do happen.
6. Supervisory Authority and Contact
Valorcy recognizes the role of data protection supervisory authorities in upholding the rights of data subjects under the GDPR. If you have concerns about how we handle your personal data and are unsatisfied with our response to any complaints or requests, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.
Our designated Data Protection Officer can be reached at dpo@Valorcy.io for any questions, concerns, or requests related to GDPR compliance and data protection. We are committed to addressing all inquiries promptly and thoroughly, typically within 10 business days for general questions and within 30 days for formal data subject requests.
We conduct regular Data Protection Impact Assessments (DPIAs) for new processing activities that are likely to result in a high risk to data subjects. These assessments help us identify and mitigate potential privacy risks before they materialize, ensuring that data protection is embedded into our products and processes from the ground up.