Our commitment to protecting your personal data under the General Data Protection Regulation
GDPR Effective: May 25, 2018
Last compliance review: September 18, 2025
At Indica 7, we are fully committed to complying with the General Data Protection Regulation (GDPR) and ensuring the highest standards of data protection for all individuals in the European Union.
Clear information about how we process your data
Easy access to your data and privacy settings
We only collect data necessary for our services
Robust technical and organizational measures
Regular audits and compliance monitoring
Full support for all GDPR rights
Our data processing activities are guided by the seven key principles of GDPR:
We process personal data lawfully, fairly, and transparently. We clearly explain our data practices and obtain appropriate consent when required.
Personal data is collected for specified, explicit, and legitimate purposes. We don't process data for purposes incompatible with the original purpose.
We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Personal data is kept accurate and up-to-date. We take reasonable steps to ensure inaccurate data is erased or rectified without delay.
Personal data is kept only for as long as necessary for the purposes for which it was collected. We have clear retention policies and deletion procedures.
Personal data is processed securely using appropriate technical and organizational measures to protect against unauthorized access, loss, or damage.
We are responsible for and can demonstrate compliance with all GDPR principles through documentation, policies, and regular audits.
Under GDPR, we must have a legal basis for processing your personal data. Here are the legal bases we rely on:
Processing necessary to provide our services, manage your account, and fulfill our contractual obligations.
For marketing communications, optional features, and cookies (where required by law).
For platform improvement, fraud prevention, and business operations (balanced against your interests).
When required by law, such as tax obligations or responses to legal requests.
Under GDPR, you have several rights regarding your personal data. We are committed to facilitating the exercise of these rights:
You can request a copy of the personal data we hold about you, including information about how it's processed.
Response time: Within 1 month | Fee: Usually free
You can request correction of inaccurate personal data or completion of incomplete data.
Response time: Within 1 month | Fee: Free
You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary.
Response time: Within 1 month | Note: Subject to legal obligations
You can request limitation of processing in certain circumstances, such as when you contest data accuracy.
Response time: Within 1 month | Effect: Limited processing only
You can receive your personal data in a structured, commonly used format and transmit it to another controller.
Format: JSON, CSV, or XML | Scope: Data you provided with consent or contract
You can object to processing based on legitimate interests, direct marketing, or for research purposes.
Marketing: Immediate cessation | Other: Balanced assessment required
You have rights regarding automated decision-making, including profiling, that produces legal or significant effects.
Includes: Right to human intervention, explanation, and to challenge the decision
We process personal data for the following categories and purposes in accordance with GDPR requirements:
We implement comprehensive technical and organizational measures to ensure the security of your personal data:
Our security measures are continuously monitored and updated to address emerging threats and maintain the highest levels of data protection.
We are committed to ensuring that any international transfers of personal data comply with GDPR requirements:
All personal data is primarily processed and stored within the European Union, specifically in data centers located in:
When transferring data to third countries, we only use destinations with EU adequacy decisions or appropriate safeguards.
Current adequacy countries include: UK, Switzerland, Canada, and others as recognized by the European Commission.
For transfers to countries without adequacy decisions, we use Standard Contractual Clauses (SCCs) approved by the EU Commission.
These provide appropriate safeguards for your personal data and ensure GDPR-level protection.
We minimize international transfers and only transfer data when necessary for service provision, such as for cloud services, analytics, or customer support. All such transfers are protected by appropriate safeguards.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
Retention Period: While account remains active
Purpose: Service provision and platform functionality
Deletion: Upon account closure request or after 2 years of inactivity
Retention Period: 3 years after last interaction
Purpose: Communication history and application tracking
Deletion: Automatic deletion after retention period
Retention Period: 24 months maximum
Purpose: Platform improvement and analytics
Processing: Anonymized after 12 months when possible
Retention Period: As required by applicable law
Purpose: Legal compliance and dispute resolution
Examples: Financial records (7 years), tax data (varies by jurisdiction)
We have implemented automated systems to ensure data is deleted according to our retention schedules. You can request early deletion of your data at any time, subject to our legal obligations.
We have established comprehensive procedures to detect, investigate, and respond to potential data breaches:
Timeline: Within 72 hours of becoming aware
Information included: Nature of breach, affected data categories, number of affected individuals, and measures taken.
Timeline: Without undue delay (when high risk to rights)
Information included: Nature of breach, recommended actions, contact information for our DPO.
We continuously improve our security measures based on lessons learned from any incidents, industry best practices, and evolving threat landscapes to prevent future breaches.
Our Data Protection Officer (DPO) is responsible for overseeing our data protection strategy and ensuring GDPR compliance.
dpo@indica7.pt
+351 XXX XXX XXX
Lisbon, Portugal
Monday-Friday, 9:00-17:00
Use the form below to exercise your GDPR rights. We will respond to your request within one month.