Data Controller (legal entity): Roshcomm
Data Protection Officer: Write to us at Contact Us for more details.
Article 27 notice: We are in the process of appointing an EU Representative. Once appointed, EU/EEA data subjects and supervisory authorities may contact our EU Representative directly in addition to contacting us at Contact Us.
Our Roles Under GDPR
Depending on the context, GDPR Compliance Hub acts in different roles. Understanding the distinction is important for exercising data subject rights, because it determines who is responsible for responding to a request.
Platform & account data
When you create an account, subscribe to a plan, or contact our support team, we determine the purposes and means of processing. We are the Controller for your registration details, billing records, and usage analytics.
Your customer data
When you use our platform to manage your own organisation's GDPR compliance — storing DSAR records, consent logs, or breach notifications — we act as your Processor. You remain the Controller. Our Data Processing Agreement (DPA) governs this relationship.
A signed DPA is available at no charge on request.
Personal Data We Collect
We apply data minimisation — we only collect what is necessary for the stated purpose.
| Category | Data fields | Purpose | Legal basis |
|---|---|---|---|
| Account data | Full name, work email, job title, company name, phone (optional) | Create and manage your account; authenticate you; send service notifications | Contract |
| Billing data | Invoice name/address, VAT number, payment method token (no full card stored) | Process subscription payments; issue VAT invoices; handle refunds | Contract; Legal obligation |
| Usage & log data | IP address, browser type, pages visited, timestamps, session tokens, API call logs | Security monitoring; abuse prevention; service reliability; debugging | Legitimate interests |
| Support communications | Email content, support ticket body, attachments you send | Respond to enquiries; improve the platform; training | Contract |
| Marketing preferences | Email address, opted-in marketing categories | Send product updates, newsletters, and feature announcements | Consent |
| Profile & preferences | Avatar image, department, bio, UI settings, notification preferences | Personalise the platform experience | Contract |
We do not process special-category data (Article 9) or data relating to criminal convictions as part of our platform service.
Legal Basis for Processing
Performance of a contract
Account registration, subscription management, billing, and platform access.
Legal obligation
VAT record-keeping, anti-money-laundering checks, regulatory reporting.
Legitimate interests
Security logs, fraud prevention, product analytics, and platform improvement. A Legitimate Interests Assessment (LIA) is available on request.
Consent
Marketing emails and optional analytics cookies. You may withdraw consent at any time without affecting prior processing.
Data Retention
We retain personal data only for as long as necessary for the purposes described above, or as required by law. When data is no longer needed, it is securely deleted or anonymised.
| Data category | Retention period | Rationale |
|---|---|---|
| Active account data | Duration of subscription | Required to provide the service |
| Account data after closure | 30 days (grace period) | Account recovery; then deleted |
| Billing & invoice records | 7 years | EU VAT / accounting legal requirement |
| Security & access logs | 12 months | Incident investigation; threat detection |
| Support tickets | 3 years | Quality assurance; recurring issue analysis |
| Marketing preferences | Until consent is withdrawn | Consent-based processing |
| Anonymised analytics | Indefinite | No personal data — aggregate statistics only |
Your Data Subject Rights
Under GDPR Chapter III you have the following rights. All requests are free of charge and responded to within 30 days (extendable to 90 days for complex requests). Submit requests to Contact Us.
Right of Access Art. 15
Request a copy of all personal data we hold about you, including the purposes, categories, recipients, and retention periods.
Right to Rectification Art. 16
Correct inaccurate or incomplete personal data. Many fields can be updated directly in your Account Settings.
Right to Erasure Art. 17
Request deletion of your personal data where there is no legitimate reason to continue processing. Billing records are retained where a legal obligation requires it.
Right to Restriction Art. 18
Request that we restrict processing of your data — for example, while you contest its accuracy or object to processing.
Right to Portability Art. 20
Receive your personal data in a structured, machine-readable format (JSON / CSV) or have it transmitted directly to another controller.
Right to Object Art. 21
Object to processing based on legitimate interests or for direct marketing purposes. Marketing objections are always honoured immediately.
Automated Decision-Making Art. 22
We do not make solely automated decisions that produce legal or similarly significant effects on you.
Right to Lodge a Complaint Art. 77
You have the right to lodge a complaint with the Irish Data Protection Commission (DPC) or your local supervisory authority at any time.
Submit any data subject request at Contact Us. We will verify your identity and respond within 30 days.
Sub-processors
We engage trusted third-party sub-processors to deliver our service. All are bound by Data Processing Agreements and provide adequate safeguards under GDPR Article 28. We will notify you of any material changes to this list with at least 30 days' notice.
- PostgreSQL / Managed DB: Database hosting — EU region
- Cloudflare: DDoS protection & CDN — SCCs in place
- Mailgun / SMTP provider: Transactional & notification emails
- Stripe: Payment processing — PCI DSS Level 1
- Sentry: Error tracking & performance monitoring
- Backblaze B2 / S3-compatible: Encrypted backups — EU region
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914). A full list of sub-processors is available on request.
International Data Transfers
Our primary data storage is located in the European Union. Our company is established in the Kingdom of Bahrain, which currently has no EU adequacy decision. Accordingly, any access to EU personal data from Bahrain (e.g., for support or maintenance) is governed by Standard Contractual Clauses (SCCs) — Module 2 (Controller→Processor), EU Commission Decision 2021/914.
Where we additionally engage sub-processors outside the EEA (e.g., Cloudflare, Stripe), we rely on the following safeguards in order of preference:
- Standard Contractual Clauses (SCCs) — using the 2021 EU Commission Implementing Decision templates (primary mechanism for Bahrain and other third countries).
- Adequacy decision — for countries recognised by the European Commission (e.g., UK, Switzerland).
- EU-U.S. Data Privacy Framework — where applicable for US-based processors that are certified.
A Transfer Impact Assessment (TIA) has been performed for the Bahrain transfer. Copies of all TIAs and SCCs are available on written request to Contact Us.
Security Measures
We implement technical and organisational measures (TOMs) appropriate to the risk, in accordance with GDPR Article 32.
- AES-256 encryption for all stored data. Database-level and volume-level encryption enabled.
- TLS 1.2+ enforced for all API and web traffic. HSTS headers applied. TLS 1.0/1.1 disabled.
- TOTP multi-factor authentication. Role-based access control. Session tokens signed with HMAC. Automatic idle-session expiry.
- Tamper-evident audit log for all data access and changes. Logs retained 12 months; immutable once written.
- Principle of least privilege. Production access requires MFA. Background checks for engineering staff.
- Daily encrypted backups. Point-in-time restore available. Backup integrity tested quarterly. RTO < 4 hours.
- Dependency scanning on every build. SAST & DAST in CI pipeline. Annual penetration test by accredited third party.
- Documented incident response plan. Supervisory authority notified within 72 hours. Affected data subjects notified without undue delay.
- Mandatory annual GDPR & security awareness training. Confidentiality agreements signed by all staff and contractors.
Children's Privacy
Our platform is a professional B2B compliance tool intended for business users aged 18 and over. We do not knowingly collect personal data from individuals under 16. If you believe we have inadvertently received data relating to a child, please reach us at Contact Us and we will delete it promptly.
Changes to This Notice
We review this notice at least annually, and whenever there is a material change to our processing activities. When we make significant changes, we will:
- Display an in-app notification to all active users
- Send an email to the primary account holder
- Update the "Last reviewed" date on this page
- Maintain a version history available on request
Continued use of the platform after notice of changes constitutes acceptance, except where changes require a fresh legal basis such as renewed consent.
Contact Us & DPO
Data Protection Officer
For all data protection queries, subject access requests, and compliance matters:
Contact Us for more details
Response within 5 business days for general enquiries; DSARs actioned within 30 calendar days.
Supervisory Authority
You have the right to lodge a complaint with our lead supervisory authority:
[Country] Data Protection Authority
The authority in the EU Member State where our EU Representative (Article 27) is established.
[Fill in once EU Representative is appointed]
Regardless of lead authority, you may also lodge a complaint with your local supervisory authority in any EU/EEA Member State.
We practise what we preach
GDPR Compliance Hub is managed using our own platform. Our DSAR log, breach register, data inventory, and processor records are all tracked in-app — the same way our customers use it. If you'd like a live demonstration of the platform, start a free trial.