GDPR Compliance

BttrForm is fully committed to compliance with the General Data Protection Regulation (GDPR). We have implemented comprehensive measures to ensure that your data is processed lawfully, fairly, and transparently.

As a data processor, we help our customers (data controllers) maintain their GDPR compliance by providing tools and features that respect data subject rights and ensure data security.

We process personal data under the following legal bases:

• Contractual necessity: To provide our services as outlined in our terms
• Legitimate interests: To improve our services and ensure security
• Consent: For marketing communications and optional features
• Legal obligation: To comply with applicable laws and regulations

As a data subject, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Limit how we process your data
• Right to Portability: Receive your data in a machine-readable format
• Right to Object: Object to certain types of processing
• Right to Withdraw Consent: Withdraw consent at any time

To exercise any of these rights, please contact our Data Protection Officer.

We implement appropriate technical and organizational measures:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Regular security audits and penetration testing
• Access controls and authentication mechanisms
• Employee training on data protection
• Incident response and breach notification procedures
• Regular data backup and disaster recovery

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries with equivalent data protection laws
• Additional technical and organizational measures where necessary

Our primary data centers are located in the EU (Frankfurt, Germany) for customers who require data residency within the EEA.

For business customers, we provide a Data Processing Agreement (DPA) that outlines our obligations as a data processor. The DPA includes:

• Scope and nature of data processing
• Sub-processor list and notification procedures
• Security measures and audit rights
• Data breach notification procedures
• Data deletion and return obligations

To request a signed DPA, please contact our legal team.

We use carefully selected sub-processors to provide our services. All sub-processors are bound by contractual obligations to maintain data security and GDPR compliance.

A list of our current sub-processors is available upon request. We notify customers of any new sub-processors with at least 30 days' notice.

If you have questions about our GDPR compliance or wish to exercise your rights, please contact our Data Protection Officer:

Email: dpo@bttrform.com
Address: BttrLabs, Inc.
San Francisco, CA, USA

You also have the right to lodge a complaint with a supervisory authority in your country of residence.