Data Protection

GDPR Compliance

Your data rights and how we protect EU/EEA users

Last updated: January 1, 2026

Your Rights Under GDPR

Right of Access

Request a copy of all personal data we hold about you in a structured format.

Right to Portability

Receive your data in a machine-readable format to transfer to another service.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restriction

Restrict how we process your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Right to Rectification

Correct inaccurate or incomplete personal data we hold about you.

Our Commitment to GDPR

Perfo Review is fully committed to complying with the General Data Protection Regulation (GDPR). We have implemented comprehensive measures to ensure the protection of personal data for all users, with particular attention to those in the European Union and European Economic Area.

Data Processing Roles

Perfo Review as Data Processor

When you use Perfo Review as part of an organization, your employer or organization is the Data Controller. Perfo Review acts as the Data Processor, processing personal data on behalf of your organization according to their instructions and our Data Processing Agreement.

Perfo Review as Data Controller

For certain data, such as website visitors and individual account holders, Perfo Review acts as the Data Controller. This includes marketing communications, website analytics, and customer support interactions.

Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide our Services as agreed in our Terms of Service.
  • Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, security, service improvement, and business operations, where our interests don't override your rights.
  • Legal Obligations (Article 6(1)(c)): Processing required to comply with applicable laws and regulations.
  • Consent (Article 6(1)(a)): Processing for marketing communications and optional features where you have given explicit consent.

Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Name, email address, job title, department
  • Account Data: Login credentials, profile settings, preferences
  • Performance Data: Reviews, feedback, ratings (anonymous where configured)
  • Usage Data: How you interact with our Services
  • Technical Data: IP address, browser type, device information

For detailed information, see our Privacy Policy.

International Data Transfers

Perfo Review is headquartered in the United States. When we transfer personal data from the EU/EEA to the US, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers to non-EU countries.
  • Data Processing Agreements: All sub-processors are bound by DPAs that incorporate SCCs.
  • Additional Safeguards: Encryption, access controls, and security measures that meet EU standards.

Sub-Processors

We use the following sub-processors for EU/EEA data:

Sub-Processor | Purpose | Location
Amazon Web Services | Cloud infrastructure | EU (Frankfurt)
Stripe | Payment processing | US (SCCs)
Resend | Email delivery | US (SCCs)
Vercel | Hosting & CDN | Global (SCCs)

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods are outlined in our Privacy Policy. Upon account termination:

  • Active data is deleted within 30 days
  • Backups are purged within 90 days
  • Anonymized analytics data may be retained indefinitely

Data Protection Measures

We implement technical and organizational measures to protect personal data:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access Control: Role-based access, MFA, audit logging
  • Infrastructure: SOC 2 Type II certified, regular penetration testing
  • Training: Employee data protection training and awareness
  • Incident Response: 72-hour breach notification to authorities

How to Exercise Your Rights

To exercise your GDPR rights, you can:

  1. Self-Service: Access, download, and delete your data from Account Settings
  2. Email Request: Send a request to privacy@perforeview.com
  3. Contact DPO: Reach our Data Protection Officer at dpo@perforeview.com

We will respond to your request within 30 days. Complex requests may take up to 90 days, and we will inform you if an extension is needed.

Data Processing Agreement

Organizations using Perfo Review can request our Data Processing Agreement (DPA), which includes:

  • Standard Contractual Clauses (2021 EU Commission version)
  • Technical and organizational security measures
  • Sub-processor list and notification procedures
  • Data breach notification commitments
  • Audit and inspection rights

To request a DPA, contact legal@perforeview.com.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not handled your personal data appropriately. In the EU, you can contact your local Data Protection Authority (DPA).

Our lead supervisory authority is the Irish Data Protection Commission:

Contact Information

For GDPR-related inquiries:

Our Privacy Promise

We are committed to protecting your privacy and handling your data with care. If you have any questions or concerns about our GDPR compliance, please don't hesitate to contact our Data Protection Officer.