// Legal · GDPR

GDPR Compliance

Effective Date: April 28, 2026 · Last Updated: April 28, 2026 · Version 1.0

iCirus Technologies is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines our GDPR obligations, your rights as a data subject, and how we protect personal data of individuals in the European Economic Area (EEA) and United Kingdom.

1. Our Role Under GDPR

Depending on the context, iCirus operates as either a Data Controller or a Data Processor:

Data Controller: When we collect and process personal data for our own business purposes (e.g., client account management, billing, marketing)
Data Processor: When we process personal data on behalf of our clients as part of delivering our services (e.g., hosting client data, email services)

Where iCirus acts as a Data Processor, we enter into a Data Processing Agreement (DPA) with our clients that governs how we handle their data.

2. Legal Bases for Processing

iCirus processes personal data under the following lawful bases as defined in GDPR Article 6:

Contract (Art. 6(1)(b)): Processing necessary to perform our services
Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
Legal Obligation (Art. 6(1)(c)): Tax records, regulatory compliance, law enforcement requests
Consent (Art. 6(1)(a)): Marketing communications and optional data processing

3. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is used.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay.

Right to Erasure / "Right to be Forgotten" (Art. 17)

You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, subject to our legal retention obligations.

Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of the data.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

Right to Object (Art. 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes at any time.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint (Art. 77)

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact our Data Protection Officer at dpo@icirus.com. We will respond within 30 days.

4. International Data Transfers

As iCirus operates globally, personal data may be transferred outside the EEA. We ensure all international transfers are protected by appropriate safeguards including:

Standard Contractual Clauses (SCCs) as approved by the European Commission
Adequacy decisions for transfers to countries with equivalent protection
Binding Corporate Rules where applicable
EU-US Data Privacy Framework compliance

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are outlined in our Privacy Policy. Upon expiry, data is securely deleted or anonymized.

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, iCirus will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
Notify affected data subjects without undue delay where the breach is likely to result in high risk (GDPR Art. 34)
Document all breaches, including those not requiring notification

7. Data Protection Officer

iCirus has appointed a Data Protection Officer (DPO) responsible for overseeing GDPR compliance. You may contact our DPO at:

Email: dpo@icirus.com
Phone: 647-455-3079

8. Data Processing Agreement

If you are a business using iCirus services to process personal data of EU/EEA residents, you may require a Data Processing Agreement (DPA) under GDPR Article 28. To request a DPA, contact us at legal@icirus.com.

9. Supervisory Authorities

You have the right to contact your local data protection supervisory authority. Key authorities include:

EU: Your national Data Protection Authority (find yours at edpb.europa.eu)
UK: Information Commissioner's Office (ICO) — ico.org.uk
Canada: Office of the Privacy Commissioner — priv.gc.ca
USA (California): California Privacy Protection Agency — cppa.ca.gov