GDPR Compliance

1. Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union (EU), regardless of where the organization is located.

NeoWriting is committed to full compliance with GDPR and respects the data protection rights of all our users, particularly those in the EU and EEA (European Economic Area).

2. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

3. How to Exercise Your Rights

3.1 Data Access Request (SAR)

To request a copy of your personal data:

• Send an email to Click to reveal email with subject "GDPR Data Access Request"
• Include your account email and any additional verification information
• We will respond within 30 days with your data in a portable format (JSON, CSV, or PDF)

3.2 Data Correction

To correct your personal data:

• Log in to your account and update your profile information directly
• Or email Click to reveal email with the corrections needed
• We will update your information within 5 business days

3.3 Data Deletion (Right to be Forgotten)

To request deletion of your data:

• Go to Account Settings → Privacy & Data → Delete Account
• Or email Click to reveal email with subject "GDPR Deletion Request"
• We will delete your data within 30 days, except where retention is legally required
• You will receive confirmation once deletion is complete

3.4 Data Portability

To export your data:

• Log in to your account → Settings → Export Data
• Choose format: JSON, CSV, or XML
• Your data will be prepared and sent to your email within 48 hours

3.5 Withdraw Consent

To withdraw consent for data processing:

• Go to Account Settings → Privacy Preferences
• Toggle off specific consent options (marketing emails, analytics, etc.)
• Changes take effect immediately

4. Legal Basis for Data Processing

We process your personal data based on the following legal grounds under GDPR:

4.1 Contractual Necessity (Article 6(1)(b))

• To provide our AI content generation services
• To process payments and manage subscriptions
• To deliver WordPress integration features
• To provide customer support

4.2 Legitimate Interests (Article 6(1)(f))

• To improve our services and develop new features
• To prevent fraud and ensure platform security
• To analyze usage patterns and optimize performance
• To send service-related communications

4.3 Consent (Article 6(1)(a))

• To send marketing and promotional emails
• To use cookies for analytics and advertising
• To share data with third parties for marketing purposes

4.4 Legal Obligation (Article 6(1)(c))

• To comply with tax and accounting regulations
• To respond to legal requests and court orders
• To meet data retention requirements

5. Data Protection Measures

5.1 Technical Safeguards

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access with multi-factor authentication
• Firewalls: Advanced firewall protection and intrusion detection systems
• Regular Audits: Quarterly security assessments and penetration testing

5.2 Organizational Measures

• Data Protection Officer (DPO): Dedicated DPO overseeing GDPR compliance
• Staff Training: Regular GDPR and data protection training for all employees
• Privacy by Design: Data protection integrated into all new features and services
• Data Minimization: We only collect data necessary for our services

6. International Data Transfers

When we transfer personal data outside the EU/EEA, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
• Privacy Shield (where applicable): For US-based service providers
• Binding Corporate Rules: For transfers within our corporate group

7. Third-Party Data Processors

We work with GDPR-compliant third-party processors:

• AI Providers: OpenAI, Anthropic, Google (with data processing agreements)
• Payment Processing: Stripe (GDPR-compliant payment processor)
• Cloud Hosting: AWS, Google Cloud (with EU data residency options)
• Analytics: Google Analytics (with IP anonymization and data processing agreement)

All processors have signed Data Processing Agreements (DPAs) ensuring GDPR compliance.

8. Data Retention

We retain personal data only as long as necessary:

• Active Accounts: Data retained while your account is active
• Inactive Accounts: Deleted after 12 months of inactivity (with prior notice)
• Deleted Accounts: Personal data erased within 30 days of deletion request
• Legal Requirements: Some data retained for 7 years for tax/accounting purposes
• Backups: Backup data deleted within 90 days of account deletion

9. Data Breach Notification

In the event of a data breach affecting your personal data:

• We will notify the relevant supervisory authority within 72 hours
• You will be notified without undue delay if the breach poses a high risk to your rights
• We will provide details of the breach, potential consequences, and mitigation measures
• We maintain a breach register and incident response plan

10. Children's Privacy

NeoWriting does not knowingly process data of children under 16 (or the applicable age in your country):

• Our services are not directed at children
• We require users to confirm they are 18+ during registration
• If we discover we have collected data from a child, we will delete it immediately
• Parents/guardians can contact us to request deletion of their child's data

11. Automated Decision-Making and Profiling

We use limited automated decision-making:

• AI Content Generation: Automated content creation based on your inputs (you have full control)
• Fraud Detection: Automated systems to detect suspicious activity
• No Profiling: We do not use automated profiling that produces legal or significant effects
• Human Review: You can request human review of any automated decision

12. Contact Our Data Protection Officer

For GDPR-related questions, concerns, or to exercise your rights:

• Email: Click to reveal email
• Privacy Team: Click to reveal email
• Response Time: Within 30 days (as required by GDPR)
• Postal Address: NeoWriting Data Protection Officer, [Your Business Address]

13. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. For EU users:

• Find your DPA: European Data Protection Board - Member List
• You can file a complaint if you believe we have violated your GDPR rights
• We encourage you to contact us first so we can address your concerns

14. Updates to GDPR Compliance

We continuously monitor GDPR developments and update our practices accordingly:

• Regular compliance audits and assessments
• Updates to this page when our practices change
• Email notifications for material changes affecting your rights
• Annual review of data processing activities

15. Related Policies

For more information about data protection:

• Privacy Policy - Comprehensive data protection information
• Cookie Policy - How we use cookies and tracking
• Terms of Service - Our service agreement