GDPR Compliance

Last updated: September 1, 2025

1. INTRODUCTION TO GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is located.

At CouplyAI Limited, we are committed to full compliance with the GDPR and protecting the privacy rights of our users. This page provides detailed information about your rights under the GDPR and how we ensure compliance.

Note: This information applies to all users in the EU/EEA and UK. Some rights may also apply to users in other jurisdictions under local data protection laws.

2. YOUR GDPR RIGHTS

Under the GDPR, you have several fundamental rights regarding your personal data. These rights are designed to give you control over how your personal information is processed.

2.1 Right of Access (Article 15)

You have the right to:

  • Confirm whether we are processing your personal data
  • Obtain a copy of your personal data we hold
  • Receive information about how we process your data
  • Learn about the purposes, categories, and recipients of your data
  • Know the retention period for your data
  • Understand the source of your data if not collected directly from you

How to exercise: Submit a request to privacy@couplyai.com with the subject line "Data Access Request"

Response time: Within 1 month (may be extended to 3 months for complex requests)

2.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information
  • Have corrections communicated to third parties where feasible

How to exercise: Update information in your account settings or contact privacy@couplyai.com

2.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to have your personal data deleted in the following circumstances:

  • The data is no longer necessary for the original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required for compliance with a legal obligation
  • The data was collected from a child under 16

Exceptions: We may not be able to delete your data if we need it for legal compliance, public interest, freedom of expression, or legitimate business purposes.

2.4 Right to Restrict Processing (Article 18)

You can request that we limit how we use your data in these situations:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You object to processing (pending verification of overriding grounds)

2.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in a structured, machine-readable format
  • Transmit your data to another service provider
  • Have your data transmitted directly to another controller (where technically feasible)

Available formats: JSON, CSV, XML, or other machine-readable formats

Scope: Applies to data processed by automated means based on consent or contract

2.6 Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests: We must stop processing unless we can demonstrate compelling legitimate grounds
  • Direct marketing: We must stop all marketing communications immediately
  • Profiling for marketing: Automated profiling for marketing purposes
  • Scientific/historical research: Processing for research purposes (with exceptions for public interest)

2.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. This includes:

  • Right to human review of automated decisions
  • Right to express your point of view
  • Right to contest the decision
  • Right to receive an explanation of the logic involved

3. HOW TO EXERCISE YOUR RIGHTS

3.1 Submit a Request

You can exercise your GDPR rights by:

3.2 Identity Verification

To protect your privacy and security, we may need to verify your identity before processing your request. We may ask for:

  • Account information (email address, username)
  • Government-issued ID (for sensitive requests)
  • Additional verification steps for account security

3.3 Processing Timeframes

Request Type        Standard Time    Complex Requests
Access Request      1 month          Up to 3 months
Rectification       1 month          1-2 months
Erasure             30 days          60 days
Data Portability    1 month          Up to 3 months
Objection           Immediate*       1 month

*For direct marketing objections

3.4 No Fee Policy

Exercising your GDPR rights is generally free of charge. However, we may charge a reasonable fee if:

  • Your request is clearly unfounded or excessive
  • You make repetitive requests for the same information
  • The request requires disproportionate effort to fulfill

4. LEGAL BASIS FOR PROCESSING

Under GDPR, we must have a legal basis for processing your personal data. We process your data based on:

4.1 Consent (Article 6(1)(a))

  • Processing uploaded images for AI generation
  • Marketing communications and newsletters
  • Non-essential cookies and tracking
  • AI model training data contribution
  • Public sharing of generated content

4.2 Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Service delivery and core functionality
  • Payment processing and billing
  • Customer support and assistance

4.3 Legitimate Interests (Article 6(1)(f))

  • Service improvement and optimization
  • Fraud prevention and security
  • Analytics and business intelligence
  • System administration and maintenance

4.4 Legal Obligation (Article 6(1)(c))

  • Compliance with applicable laws
  • Response to legal requests
  • Tax and financial reporting
  • Regulatory compliance

5. DATA PROTECTION PRINCIPLES

We adhere to the seven key data protection principles under GDPR:

1. Lawfulness, Fairness, Transparency

We process data lawfully, fairly, and transparently.

2. Purpose Limitation

Data is collected for specific, explicit, and legitimate purposes.

3. Data Minimization

We collect only data that is necessary for our purposes.

4. Accuracy

Data is kept accurate and up to date.

5. Storage Limitation

Data is retained only as long as necessary.

6. Integrity & Confidentiality

Data is processed securely with appropriate safeguards.

7. Accountability

We can demonstrate compliance with all data protection principles.

6. INTERNATIONAL DATA TRANSFERS

When we transfer your data outside the EU/EEA, we ensure adequate protection through:

6.1 Adequacy Decisions

We prioritize transfers to countries with EU adequacy decisions, including:

  • United Kingdom (under the UK GDPR)
  • Countries with current adequacy decisions
  • Regular monitoring of adequacy status changes

6.2 Standard Contractual Clauses (SCCs)

For transfers without adequacy decisions, we use:

  • European Commission Standard Contractual Clauses
  • Additional safeguards and security measures
  • Regular review and updates of transfer mechanisms
  • Data Processing Agreements with all processors

6.3 Additional Safeguards

  • Technical safeguards including encryption and pseudonymization
  • Certification schemes and codes of conduct
  • Regular assessment of destination country laws
  • Monitoring of government access requests

7. DATA BREACH PROCEDURES

7.1 Detection and Assessment

  • 24/7 monitoring systems for security incidents
  • Automated threat detection and alerting
  • Incident classification and risk assessment
  • Data Protection Impact Assessment for breaches

7.2 Notification Procedures

To Supervisory Authorities:

  • Notification within 72 hours of becoming aware
  • Detailed information about the nature and scope
  • Measures taken and proposed to address the breach
  • Contact details for further information

To Data Subjects:

  • Notification without undue delay for high-risk breaches
  • Clear communication about the nature of the breach
  • Specific steps you should take to protect yourself
  • Contact information for additional support

8. COMPLAINTS AND ENFORCEMENT

8.1 Internal Complaints

If you have concerns about our data processing:

  • Contact our Data Protection Officer: dpo@couplyai.com
  • We will respond within 5 business days
  • Escalation procedures for unresolved issues
  • Documentation and tracking of all complaints

8.2 Supervisory Authority Complaints

You have the right to lodge a complaint with supervisory authorities:

EU/EEA Users:

UK Users:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Phone: 0303 123 1113

8.3 Judicial Remedies

You also have the right to:

  • Seek judicial remedies against our data processing decisions
  • Claim compensation for material or non-material damage
  • Obtain effective remedies against supervisory authorities

9. CONTACT INFORMATION

Data Controller

CouplyAI Limited
[Complete London Address]
United Kingdom

Data Protection Officer

Email: dpo@couplyai.com
Phone: [Phone Number]
Office Hours: Monday-Friday, 9 AM - 5 PM GMT

Quick Contact: For urgent GDPR-related matters, email privacy@couplyai.com with "URGENT GDPR" in the subject line.

This page provides a comprehensive overview of your GDPR rights and our compliance measures. For more detailed information, please refer to our Privacy Policy and Terms of Service.