
GDPR Compliance

Last updated: July 1, 2025

For EU/EEA Users: This page provides detailed information about how Eddie.surf complies with the General Data Protection Regulation (GDPR) 2016/679. We are committed to protecting the privacy and rights of individuals in the European Economic Area.

1. Our GDPR Commitment

Eddie.surf is fully committed to GDPR compliance. We have implemented comprehensive measures to ensure that personal data of EU residents is processed lawfully, fairly, and transparently. Our approach includes:

  • Privacy by Design and Default principles
  • Comprehensive data protection policies
  • Regular privacy impact assessments
  • Continuous monitoring and improvement

2. Legal Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR:

2.1 Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Service delivery and API access
  • Billing and payment processing
  • Customer support services

2.2 Legitimate Interests (Article 6(1)(f))

  • Service improvement and optimization
  • Security and fraud prevention
  • Anonymous analytics and reporting
  • Business operations and administration

2.3 Consent (Article 6(1)(a))

  • Marketing communications
  • Non-essential cookies and tracking
  • Participation in surveys or research

2.4 Legal Obligations (Article 6(1)(c))

  • Tax and accounting requirements
  • Legal compliance and reporting
  • Response to lawful requests

3. Your Rights Under GDPR

As an EU resident, you have comprehensive rights regarding your personal data:

3.1 Right of Access (Article 15)

You can request:

  • Confirmation of whether we process your data
  • Access to your personal data
  • Information about processing purposes and categories
  • Details of recipients and international transfers

3.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure/"Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • Data is no longer necessary for original purposes
  • You withdraw consent (where consent is the legal basis)
  • You object to processing and no overriding legitimate grounds exist
  • Data has been unlawfully processed

3.4 Right to Restrict Processing (Article 18)

You can request restriction of processing when:

  • You contest data accuracy
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You've objected pending verification of legitimate grounds

3.5 Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

3.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling.

4. How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email our Data Protection Officer at dpo@eddie.surf
  2. Include proof of identity (we may request additional verification)
  3. Specify which right(s) you wish to exercise
  4. Provide relevant details to help us locate your data

We will respond within one month of receipt. Complex requests may require up to two additional months, but we'll inform you of any delays.

5. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

5.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): EU Commission-approved model contracts
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU
  • Binding Corporate Rules: For intra-group transfers

5.2 Current Transfer Locations

Country        | Purpose              | Safeguard
Singapore      | Primary processing   | SCCs + Additional measures
United States  | Cloud infrastructure | SCCs + Technical measures

6. Data Protection Impact Assessments (DPIA)

We conduct DPIAs for processing operations likely to result in high risk to individuals' rights and freedoms, including:

  • New AI/ML model deployments
  • Large-scale processing operations
  • Introduction of new technologies
  • Processing of sensitive data categories

7. Privacy by Design

We implement Privacy by Design principles in all our operations:

  • Proactive: Preventing privacy invasions before they occur
  • Default Settings: Maximum privacy protection by default
  • Full Functionality: Accommodating all legitimate interests
  • End-to-End Security: Secure lifecycle data management
  • Transparency: Ensuring all stakeholders operate according to stated promises
  • User-Centric: Keeping user interests paramount

8. Data Breach Response

In the event of a personal data breach, we follow GDPR requirements:

  • Authority Notification: Within 72 hours to the relevant supervisory authority
  • Individual Notification: Without undue delay for high-risk breaches
  • Documentation: Comprehensive breach register maintenance
  • Mitigation: Immediate steps to minimize harm

9. Data Protection Officer (DPO)

Our DPO oversees GDPR compliance and serves as your point of contact:

  • Email: dpo@eddie.surf
  • Address: Sure Scale Private Limited, 160 Robinson Road, #14-04 SBF Center, Singapore 068914
  • Responsibilities: Monitoring compliance, conducting assessments, liaising with authorities
  • Independence: Reports directly to senior management

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

Find your local authority: European Data Protection Board Members

11. Cookies and Tracking

We comply with the ePrivacy Directive requirements:

  • Clear cookie consent mechanisms
  • Granular control over cookie categories
  • Easy withdrawal of consent
  • Detailed cookie information

See our Cookie Policy for detailed information.

12. Children's Privacy

In compliance with Article 8 of GDPR:

  • We do not knowingly collect data from children under 16
  • Age verification measures are in place
  • Parental consent required where applicable

13. Special Categories of Data

We do not intentionally collect special categories of personal data (Article 9) including:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Sexual orientation

If such data is inadvertently collected through our services, please notify us immediately for deletion.

14. Accountability and Records

We maintain comprehensive records of processing activities including:

  • Purposes of processing
  • Categories of data and data subjects
  • Recipients and international transfers
  • Retention periods
  • Technical and organizational security measures

15. Regular Reviews and Updates

We conduct regular reviews of our GDPR compliance:

  • Annual compliance audits
  • Quarterly policy reviews
  • Ongoing staff training
  • Continuous improvement processes

16. GDPR Compliance Resources

Additional resources for understanding your rights:

  • Official GDPR Portal
  • European Data Protection Board
  • Our Privacy Policy
  • Data Processing Agreement

Questions? If you have any questions about our GDPR compliance or wish to exercise your rights, please contact our Data Protection Officer at dpo@eddie.surf. We are committed to protecting your privacy and ensuring full compliance with GDPR requirements.
