Privacy Policy

2.1 Applicable Laws

We comply with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• California Consumer Privacy Act (CCPA) for US users
• Other applicable international privacy laws

2.2 Data Controller vs Processor Roles

• EzAz as Controller: For user accounts, platform operations, marketing, and analytics
• EzAz as Processor: For Creator-Customer communications and certain custom services
• Joint Controllers: With payment processors for transaction data

3.1 Information You Provide Directly

3.2 Information Automatically Collected

3.3 Information from Third Parties

4.1 Essential Cookies (Always Active)

• Purpose: Platform functionality and security
• Examples: Session management, authentication, fraud prevention, load balancing
• Legal Basis: Legitimate interests (platform operation)
• Retention: Session duration or as technically required

4.2 Analytics Cookies

• Purpose: Understanding user behavior and platform improvements
• Providers: Google Analytics 4, internal analytics
• Legal Basis: Consent (can be disabled)
• Retention: Up to 26 months
• Opt-out: Available via cookie preferences or browser settings

4.3 Marketing Cookies

• Purpose: Campaign measurement and personalized marketing
• Providers: HubSpot, Google Ads (if applicable)
• Legal Basis: Consent (can be disabled)
• Retention: Up to 24 months
• Opt-out: Available via cookie preferences or unsubscribe

4.4 Cookie Management

• Cookie preference center available on first visit
• Browser-level controls respected
• Regular cookie audit and inventory updates
• Third-party opt-out mechanisms provided

5.1 Primary Processing Purposes

5.2 Legal Bases Under UK GDPR

• Consent: Marketing communications, non-essential cookies, optional features
• Contract: Service provision, account management, payment processing
• Legal Obligation: Tax reporting, regulatory compliance, legal requests
• Legitimate Interests: Analytics, security, platform improvements, fraud prevention
• Vital Interests: Emergency situations requiring immediate action

5.3 Automated Decision-Making

We use automated processing for:

• Fraud detection and prevention
• Content recommendation algorithms
• Pricing optimization
• Risk assessment for payments

Your Rights: You can request human review of automated decisions that significantly affect you.

6.1 Service Providers (Data Processors)

6.2 Legal Disclosures

We may disclose personal information when required by law:

• Court orders and legal processes
• Regulatory investigations (ICO, ASA, etc.)
• Law enforcement requests with proper authority
• Protection of rights, property, or safety
• Prevention of fraud or illegal activities

Process: We review all requests for legal validity and narrow scope before disclosure.

6.3 Business Transfers

In the event of merger, acquisition, or asset sale:

• Users will be notified via email and platform notice
• Successor entity must honor existing privacy commitments
• Users may have rights to object or withdraw consent
• Data minimization principles applied to transfers

6.4 Public Information

The following information is publicly visible by design:

• Creator profiles (name, bio, professional links)
• Published Templates, Apps, and Bundles with descriptions
• Product reviews and ratings (with username)
• Blog posts and community contributions
• Team memberships and collaboration history

7.1 Transfer Mechanisms

• Adequacy Decisions: Transfers to countries deemed adequate by UK/EU authorities
• Standard Contractual Clauses: EU/UK approved contracts for adequate protection
• Binding Corporate Rules: For multinational organizations with approved rules
• Derogations: Specific situations allowing transfers (consent, contract performance)

7.2 Specific Transfer Details

7.3 Your Rights Regarding Transfers

• Right to be informed about transfer safeguards
• Right to object to transfers in certain circumstances
• Right to complain to supervisory authorities
• Right to effective judicial remedies

8.1 Retention Principles

• Data Minimization: Only retain what's necessary
• Purpose Limitation: Delete when purpose fulfilled
• Storage Limitation: Regular review and deletion cycles
• Legal Requirements: Comply with statutory retention periods

8.2 Specific Retention Periods

8.3 Automated Deletion Processes

• Regular automated purging of expired data
• Manual review for complex retention scenarios
• Secure deletion using industry-standard methods
• Documentation of deletion activities for compliance

9.1 Your Legal Rights

9.2 Exercising Your Rights

9.3 Complaints and Supervisory Authorities

10.1 California Residents (CCPA/CPRA)

10.2 Other US State Laws

We comply with privacy laws in:

• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Other applicable state privacy laws

10.3 International Compliance

• Canada (PIPEDA): Consent requirements and access rights
• Brazil (LGPD): Data subject rights and processing limitations
• Australia (Privacy Act): Australian Privacy Principles compliance
• Other jurisdictions: Local privacy law compliance where applicable

11.2 Parental Rights and Controls

Parents/guardians of users under 18 may:

• Review their child's personal information
• Request correction or deletion of data
• Withdraw consent for data processing
• Receive notifications about data practices
• Contact us at dpo@ezaz.io for assistance

11.3 Special Protections

• Enhanced verification for users claiming to be under 16
• Restricted data processing for users under 18
• No behavioral advertising to users under 18
• Regular review of age verification processes

12.1 Technical Safeguards

12.2 Organizational Safeguards

12.3 Data Breach Response

13.1 Automated Systems We Use

13.2 Your Rights Regarding Automated Decisions

• Right to be informed about automated decision-making
• Right to human intervention for significant decisions
• Right to challenge automated decisions
• Right to receive explanation of decision logic
• Right to request reconsideration

14.1 Automation Platform Integrations

We integrate with third-party platforms (HubSpot, Make, Zapier, etc.):

• Data sharing: Limited to necessary integration data
• User control: You control what data is shared through integrations
• Third-party policies: Subject to their respective privacy policies
• Responsibility: We are not responsible for third-party data practices

14.2 External Links and Services

Our platform may contain links to external websites:

• No control: We do not control external websites
• No responsibility: External sites have their own privacy policies
• User caution: Review privacy policies before providing information
• Notification: External links are clearly marked where possible

14.3 Social Media Integration

If you connect social media accounts:

• Limited access: We only access publicly available information
• User control: You can disconnect accounts at any time
• Data use: Social data used only for profile enhancement
• Third-party terms: Subject to social media platform policies

15.1 Types of Communications

15.2 Communication Preferences

15.3 Marketing Analytics

16.1 Our Responsibilities

• Implement reasonable measures to ensure data accuracy
• Provide mechanisms for users to update their information
• Regular data quality audits and cleansing
• Correction of inaccuracies when identified

16.2 User Responsibilities

• Provide accurate information during registration
• Update information when circumstances change
• Report inaccuracies through appropriate channels
• Verify information before relying on platform data

16.3 Data Verification Processes

• Email verification for account registration
• Identity verification for high-value transactions
• Business verification for Creator accounts
• Regular prompts to review and update profile information

17.1 Design Principles

• Proactive not Reactive: Privacy considerations built into system design
• Privacy as the Default: Most privacy-friendly settings by default
• Full Functionality: Privacy protections without compromising functionality
• End-to-End Security: Comprehensive security throughout data lifecycle

17.2 Implementation Examples

• Minimal data collection by default
• Strong privacy settings for new accounts
• Regular privacy impact assessments
• User-friendly privacy controls and settings

17.3 Continuous Improvement

• Regular review of privacy practices
• User feedback incorporation
• Technology updates for enhanced privacy
• Industry best practice adoption

18.1 Amendment Process

18.2 Version Control

• All versions dated and archived
• Previous versions available upon request
• Change log maintained for transparency
• Regular review and update schedule

18.3 User Notification Methods

• Direct email to registered users
• Platform notifications and banners
• Social media announcements for major changes
• Website notice for minimum required period

19.1 Privacy Team Contacts

Our Data Protection Officer and privacy team handle:

• General privacy inquiries
• Data subject rights requests
• GDPR-related matters
• Privacy compliance oversight

19.2 Business Contact Information

19.3 Supervisory Authority Information

20.1 Key Definitions

• Personal Data: Any information relating to an identified or identifiable individual
• Processing: Any operation performed on personal data (collection, use, storage, etc.)
• Data Controller: Entity that determines purposes and means of processing
• Data Processor: Entity that processes data on behalf of a controller
• Consent: Freely given, specific, informed indication of agreement
• Legitimate Interests: Processing necessary for legitimate interests pursued by controller

20.2 Technical Terms

• Encryption: Process of encoding information to prevent unauthorized access
• Anonymization: Process of removing personally identifiable information
• Pseudonymization: Processing that prevents identification without additional information
• Data Minimization: Principle of collecting only necessary personal data