Seesam NFC

GDPR Compliance Statement

Last updated: January 2025

Our Commitment to GDPR

BPW Consulting OÜ is committed to protecting the privacy and security of personal data. We comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and ensure that all personal data is processed lawfully, fairly, and transparently.

Data Controller Information

BPW Consulting OÜ
Maakri 23A
Tallinn, Estonia
Email: dpo@seesamnfc.com
Data Protection Officer: Available at dpo@seesamnfc.com

Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to deliver our Service under the terms of your subscription
  • Legitimate Interests: Processing for business operations, security, and service improvement
  • Legal Obligations: Processing required by law or regulatory requirements
  • Consent: Processing based on your explicit consent for specific purposes

Types of Personal Data We Process

Customer Data

  • Contact information (name, email, phone number)
  • Company details
  • Billing information
  • Account credentials

End User Data

  • User identifiers
  • Access permissions and roles
  • Access logs (time, date, door accessed)
  • Device information (for mobile app users)

Technical Data

  • IP addresses
  • Device IDs
  • NFC chip identifiers (encrypted)
  • System logs

Your Rights Under GDPR

As a data subject, you have the following rights:

1. Right to Access (Article 15)

You can request a copy of your personal data and information about how we process it.

2. Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

3. Right to Erasure (Article 17)

You can request deletion of your personal data ("right to be forgotten") under certain circumstances.

4. Right to Restriction (Article 18)

You can request that we limit the processing of your personal data in specific situations.

5. Right to Data Portability (Article 20)

You can request your data in a structured, commonly used, and machine-readable format.

6. Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing.

How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email our Data Protection Officer at dpo@seesamnfc.com
  2. Include proof of identity
  3. Specify which right you wish to exercise
  4. Provide relevant details about your request

We will respond to your request within 30 days, as required by GDPR.

Data Protection Measures

We implement appropriate technical and organizational measures:

  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
  • Access Controls: Role-based access control and authentication
  • Data Minimization: We only collect data necessary for service provision
  • Regular Audits: Security assessments and penetration testing
  • Employee Training: Regular GDPR and security awareness training
  • Incident Response: Procedures for detecting and responding to data breaches

Data Processing Activities

Access Control Management

  • Purpose: Managing door access permissions
  • Data Categories: User IDs, access rights, timestamps
  • Retention: Active account duration + 90 days for logs
  • Recipients: Authorized administrators only

Service Analytics

  • Purpose: Service improvement and troubleshooting
  • Data Categories: Usage statistics, performance metrics
  • Retention: 12 months
  • Recipients: Internal development team

International Data Transfers

Your data is primarily stored in the EU (AWS Paris region). Any international transfers are protected by:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Additional security measures

Data Breach Procedures

In case of a personal data breach:

  1. We will notify the relevant supervisory authority within 72 hours
  2. If the breach poses a high risk to your rights, we will notify you directly
  3. We maintain records of all data breaches
  4. We implement measures to prevent future breaches

Data Protection Impact Assessments (DPIA)

We conduct DPIAs for:

  • New processing activities involving sensitive data
  • Large-scale processing operations
  • Systematic monitoring activities
  • Implementation of new technologies

Third-Party Processors

We ensure all third-party processors:

  • Sign data processing agreements
  • Implement appropriate security measures
  • Process data only on our instructions
  • Comply with GDPR requirements

Cookie Policy

Our website uses:

  • Essential Cookies: Required for website functionality
  • Analytics Cookies: Google Analytics (with IP anonymization)

You can manage cookie preferences through your browser settings or our cookie banner.

Children's Privacy

We do not knowingly collect data from children under 16. If we discover such collection, we will promptly delete the data.

Supervisory Authority

You have the right to lodge a complaint with:

Estonian Data Protection Inspectorate
(Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Phone: +372 627 4135

Updates to This Statement

We may update this GDPR compliance statement. Significant changes will be communicated via email or through our Service.

Contact Us

For GDPR-related inquiries:

Data Protection Officer
Email: dpo@seesamnfc.com
Address: BPW Consulting OÜ, Maakri 23A, Tallinn, Estonia

Records of Processing Activities

We maintain detailed records of all processing activities as required by Article 30 of GDPR. These records are available for inspection by supervisory authorities upon request.

© 2025 Seesam NFC. All rights reserved.
