GDPR Statement

Information about Pearlixa's compliance with the EU General Data Protection Regulation (GDPR) and UK GDPR.

Last Updated: 28 January 2026

Data Processing Agreement (DPA)

Enterprise customers processing EU/EEA personal data must execute our DPA before using our services.

Our Commitment to GDPR Compliance

  • Pearlixa designs products and processes with privacy by default and privacy by design principles as required by GDPR Article 25.
  • We maintain comprehensive records of processing activities (ROPA) as required by GDPR Article 30.
  • We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35.
  • Our legal team regularly reviews processing activities to ensure ongoing compliance with GDPR requirements.
  • We are committed to transparency about how we collect, use, and protect personal data of EU/EEA and UK residents.

Controller vs Processor Role

  • DATA CONTROLLER: For user account data, Pearlixa acts as the data controller. We determine the purposes and means of processing your personal data.
  • DATA PROCESSOR: When processing data on behalf of enterprise customers (e.g., API data they send us), we act as a data processor under their instructions.
  • Enterprise customers who are controllers must enter into a Data Processing Agreement (DPA) with us before processing EU/EEA personal data through our services.
  • As a processor, we only process personal data according to documented instructions from the controller and applicable law.

Lawful Bases for Processing (Article 6)

  • CONTRACT PERFORMANCE (Art. 6(1)(b)): To provide our services, process payments, deliver API access, and respond to support requests.
  • LEGITIMATE INTERESTS (Art. 6(1)(f)): To secure our platform, prevent fraud, improve service quality, and conduct analytics. We balance our interests against your rights through Legitimate Interest Assessments (LIAs).
  • CONSENT (Art. 6(1)(a)): For non-essential cookies, marketing communications, and optional features. You may withdraw consent at any time.
  • LEGAL OBLIGATION (Art. 6(1)(c)): To comply with tax laws, anti-money laundering requirements, and respond to lawful government requests.
  • We do NOT process special category data (Article 9) such as health, biometric, or political opinion data.

Your Rights Under GDPR

  • RIGHT OF ACCESS (Art. 15): You can request a copy of your personal data and information about how we process it.
  • RIGHT TO RECTIFICATION (Art. 16): You can request correction of inaccurate personal data.
  • RIGHT TO ERASURE (Art. 17): You can request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • RIGHT TO RESTRICTION (Art. 18): You can request we limit processing of your data in certain circumstances.
  • RIGHT TO DATA PORTABILITY (Art. 20): You can request your data in a structured, machine-readable format.
  • RIGHT TO OBJECT (Art. 21): You can object to processing based on legitimate interests or for direct marketing.
  • RIGHTS RELATED TO AUTOMATED DECISION-MAKING (Art. 22): You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
  • We respond to verified requests within 30 days (this period may be extended by 60 days for complex requests).

International Data Transfers

  • Pearlixa is headquartered in the United States. Personal data of EU/EEA and UK residents may be transferred to and processed in the US.
  • TRANSFER MECHANISM: We use the European Commission's Standard Contractual Clauses (SCCs) - specifically the controller-to-processor and processor-to-processor modules as appropriate.
  • POST-SCHREMS II COMPLIANCE: We conduct Transfer Impact Assessments (TIAs) to evaluate US surveillance laws and implement supplementary measures where necessary.
  • SUPPLEMENTARY MEASURES: We implement encryption in transit and at rest, access controls, and contractual commitments to challenge unlawful government requests.
  • UK DATA: For UK residents, we comply with the UK GDPR and use the UK International Data Transfer Agreement (IDTA) alongside SCCs.
  • Our cloud infrastructure (AWS) provides data processing in specific regions. EU data may be processed in us-east-1 and us-west-2 regions.

Subprocessors

  • We engage subprocessors to assist in providing our services. All subprocessors are bound by data processing agreements with equivalent protections.
  • CURRENT SUBPROCESSORS: Amazon Web Services (hosting, US), Vercel (frontend hosting, global CDN), Stripe (payments, US), email service providers.
  • We maintain a current subprocessor list which is available upon request to privacy@pearlixa.com or as an attachment to our DPA.
  • SUBPROCESSOR CHANGES: We notify customers of new subprocessors at least 30 days before engagement. You may object to new subprocessors within 14 days.
  • We conduct security assessments of subprocessors before engagement and periodically thereafter.

Data Retention

  • We retain personal data only as long as necessary for the purposes for which it was collected, as required by GDPR Article 5(1)(e).
  • ACCOUNT DATA: Retained while your account is active, plus 30 days after deletion for reactivation.
  • API LOGS: 24 months for billing, security analysis, and troubleshooting.
  • PAYMENT RECORDS: 7 years as required by tax and accounting regulations.
  • SUPPORT COMMUNICATIONS: 3 years from resolution.
  • When data is no longer needed, it is securely deleted or anonymized within 90 days.
  • See our Privacy Policy for the complete retention schedule.

Security Measures (Article 32)

  • ENCRYPTION: Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • ACCESS CONTROLS: Role-based access controls, principle of least privilege, multi-factor authentication for staff.
  • MONITORING: 24/7 security monitoring, intrusion detection, and automated threat response.
  • TESTING: Regular penetration testing and vulnerability assessments.
  • INCIDENT RESPONSE: Documented incident response procedures with defined roles and escalation paths.
  • TRAINING: Regular security and privacy training for all staff handling personal data.
  • We implement appropriate technical and organizational measures considering the state of the art, costs, and nature of processing.

Data Breach Notification (Articles 33-34)

  • We maintain incident detection systems and response procedures to identify breaches promptly.
  • AUTHORITY NOTIFICATION: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses risk to individuals (Article 33).
  • INDIVIDUAL NOTIFICATION: We will notify affected individuals without undue delay when a breach is likely to result in high risk to their rights and freedoms (Article 34).
  • DOCUMENTATION: We document all breaches, including facts, effects, and remedial actions taken.
  • CUSTOMER NOTIFICATION: For enterprise customers, we notify them of breaches affecting their data within 48 hours.
  • Contact security@pearlixa.com immediately if you suspect unauthorized access to your account.

Data Protection Officer

  • While not legally required to appoint a DPO, we have designated a privacy lead responsible for GDPR compliance.
  • DATA PROTECTION CONTACT: privacy@pearlixa.com
  • Our privacy team monitors regulatory developments and updates our practices accordingly.
  • You may contact our privacy team for any questions about how we handle your personal data.

Right to Lodge a Complaint

If you believe we have not complied with our data protection obligations, you have the right to lodge a complaint with a supervisory authority.

  • EU residents: Contact your local Data Protection Authority (DPA)
  • UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk
  • List of EU DPAs: edpb.europa.eu/about-edpb/about-edpb/members_en

We encourage you to contact us first at privacy@pearlixa.com so we can address your concerns directly.

Contact Our Privacy Team

Contact us for any GDPR-related questions or data subject requests, or to request our DPA.

Email: privacy@pearlixa.com

Data Protection Contact: privacy@pearlixa.com

Response time: Within 30 days for data subject requests