GDPR Compliance

Last updated: 4/15/2026

Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations operating within the EU and those that offer goods or services to individuals in the EU, regardless of where the organization is based.

Support Saga is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place that complies with existing law and abides by the data protection principles.

Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request access to your personal data and information about how we process it.

Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure (Right to be Forgotten)

You have the right to request that we delete your personal data in certain circumstances.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to the processing of your personal data in certain circumstances.

Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing.

How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

Contact Us

  • Email us at: privacy@supportsaga.com
  • Write to us at: 123 Learning Street, Education City, EC 12345
  • Call us at: +1 (555) 123-4567

What We Need

To process your request, we may need to verify your identity. We may ask for:

  • Proof of identity (e.g., passport, driving license)
  • Proof of address (e.g., utility bill, bank statement)
  • Additional information to help us locate your data

Response Time

We will respond to your request within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by up to two months.

Personal Data We Collect

Personal Information

  • Name and contact information (email, phone number)
  • Account credentials and profile information
  • Payment information (processed securely by Stripe)
  • Course enrollment and progress data
  • Communication preferences

Usage Information

  • Course viewing patterns and engagement metrics
  • Device information and browser type
  • IP address and location data
  • Cookies and similar tracking technologies
  • Error logs and performance data

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: When you explicitly agree to our processing
  • Contract: To fulfill our obligations under our terms of service
  • Legitimate Interest: To improve our services and prevent fraud
  • Legal Obligation: To comply with applicable laws

Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data

  • Active accounts: Retained while your account is active
  • Inactive accounts: Deleted after 2 years of inactivity
  • Deleted accounts: Permanently deleted within 30 days

Course Data

  • Enrollment records: Retained for 7 years for tax purposes
  • Progress data: Retained while account is active
  • Certificates: Retained indefinitely for verification

Usage Data

  • Analytics data: Retained for 2 years
  • Error logs: Retained for 90 days
  • Cookies: As specified in our Cookie Policy

Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest (AES-256)
  • Regular security audits and penetration testing
  • Multi-factor authentication for admin access
  • Secure payment processing through Stripe

Organizational Measures

  • Staff training on data protection
  • Access controls and authentication
  • Regular backups and disaster recovery
  • Incident response procedures
  • Data protection impact assessments

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure that such transfers comply with GDPR requirements:

Adequacy Decisions

We transfer data to countries that have been deemed to provide an adequate level of protection by the European Commission.

Standard Contractual Clauses

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission.

Certification Schemes

We work with service providers who have appropriate certification schemes in place.

Data Breach Procedures

In the event of a personal data breach, we have procedures in place to:

Detection and Assessment

  • Detect and assess the breach within 72 hours
  • Determine the nature and scope of the breach
  • Assess the potential risks to individuals

Notification

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay
  • Provide clear information about the breach and its consequences

Remediation

  • Take immediate steps to contain the breach
  • Implement measures to prevent future breaches
  • Document all actions taken in response to the breach

Contact Our Data Protection Officer

If you have any questions about our GDPR compliance or wish to exercise your rights, please contact our Data Protection Officer:

Email: dpo@supportsaga.com

Address: 123 Learning Street, Education City, EC 12345

Phone: +1 (555) 123-4567

You also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.