- For Platform Customers (Website Owners / Organisations)
- For End Users of Our Customers' Websites
- Data Sharing & Sub-processors
- International Data Transfers
- Security Measures
- Data Retention Summary
- Your Rights (Customers)
- Children's Privacy
- California Residents (CCPA/CPRA)
- Contact & EU Representative
- Changes to This Policy
- Supervisory Authority
Roshcomm Co WLL, doing business as GDPR Compliance Hub ("Company," "we," "us," "our"), is established in the Kingdom of Bahrain (Company Registration #: 71118-1) and provides an EU-hosted (Germany), cloud-based GDPR compliance management platform that helps organisations manage data subject access requests (DSARs), consent records, breach notifications, data inventories, risk registers, compliance audits, policy libraries, and related compliance activities.
This Privacy Policy explains how we collect, use, disclose, and protect information when:
- Organisations sign up for and use our platform (our Customers).
- End users interact with cookie consent banners on our Customers' websites (where the Customer uses our consent management module).
- Website visitors visit gdprcompliancehub.com.
PART 1: FOR PLATFORM CUSTOMERS (ORGANISATIONS)
1.1 Information We Collect
| Category | Specific Data | Why We Collect |
|---|---|---|
| Account Information | Organisation name, registered address, billing address, VAT/tax number | Account creation, invoicing, legal obligations |
| Seat (User) Data | Name, work email address, job title, role within the platform, last login | Authenticate users, enforce role-based permissions, audit trail |
| Technical Data | IP address, browser type, pages visited, session timestamps | Platform security, fraud prevention, error diagnosis |
| Compliance Records | DSARs, breach records, data inventory entries, risk register items, audit evidence, consent logs, policy documents — all uploaded or created by the Customer | Provide the Service; stored and processed strictly on the Customer's instructions |
| Payment Information | Processed entirely by Paddle — we NEVER store full card numbers or CVV codes | Subscription billing |
| Support Communications | Emails, support tickets, in-app messages | Customer support; quality improvement |
1.2 How We Use Your Information
- Provide, maintain, and improve the platform and all its modules.
- Authenticate users and enforce role-based access controls.
- Send transactional messages: account activation, security alerts, invoices, trial expiry notices, feature announcements.
- Process subscription payments and manage plan upgrades/downgrades.
- Detect and prevent abuse, fraud, or misconfiguration.
- Comply with legal obligations (e.g., tax record retention).
- Aggregate and anonymise usage statistics to improve the product.
1.3 Legal Basis for Processing Customer Data
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account registration and service delivery | Art. 6(1)(b) — contractual necessity |
| Invoicing and tax records | Art. 6(1)(c) — legal obligation |
| Security, fraud prevention, audit logging | Art. 6(1)(f) — legitimate interest |
| Product improvement (anonymised analytics) | Art. 6(1)(f) — legitimate interest |
| Marketing emails (opt-in) | Art. 6(1)(a) — consent |
1.4 Data Retention for Customers
We retain your account data for as long as your account is active, plus:
- Invoice / billing records: 7 years (tax and legal requirement)
- Support tickets: 3 years
- Application access logs: 12 months
- Compliance records you uploaded: retained until you delete them or your account is closed, then deleted within 30 days
You may request account deletion at any time. All personal data is removed within 30 days of account closure, except where retention is required by law.
PART 2: FOR END USERS OF OUR CUSTOMERS' WEBSITES
This section applies when you interact with a cookie consent banner on a website that uses our consent management module.
2.1 Information We Collect
| Data Point | Purpose | Retention |
|---|---|---|
| Consent choice (accept / reject / custom) | Remember your preference on return visits | Until you clear cookies or 12 months |
| Pseudonymised IP address (last octet masked) | Security and regional compliance verification | 30 days |
| Browser user-agent string | Ensure banner renders correctly | Not stored — used in real time only |
| Timestamp of consent action | Audit trail maintained for the website owner | 12 months |
| Random session cookie ID | Link consent record to your browser session | 12 months |
We do NOT collect: your name, email address, precise geolocation, browsing history across other websites, or any data that directly identifies you.
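As an added illustration (not the Company's code), the following shows how a consent-banner event can be turned into the minimised record described in the table above, and how the two retention clocks (30 days for the masked IP address, 12 months for the rest of the record) can be enforced field by field rather than record by record. The field names, the IPv6 handling (the policy only says "last octet", which is an IPv4 notion; here IPv6 addresses are truncated to a /48) and "12 months = 365 days" are assumptions, not statements from the policy.

```python
# Added example, not the Company's code. Field names, IPv6 handling and the
# 365-day reading of "12 months" are assumptions.
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

IP_RETENTION = timedelta(days=30)       # pseudonymised IP: 30 days
RECORD_RETENTION = timedelta(days=365)  # consent record: 12 months
VALID_CHOICES = ("accept", "reject", "custom")


def pseudonymise_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address; truncate IPv6 to /48 (assumption).
    Raises ValueError on input that is not an IP address at all."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def make_consent_record(site_id: str, choice: str, client_ip: str,
                        now: datetime = None) -> dict:
    """Build the stored record. The user-agent is deliberately not a parameter:
    it is only needed at render time and is never persisted."""
    if choice not in VALID_CHOICES:
        raise ValueError(f"unknown consent choice: {choice!r}")
    now = now or datetime.now(timezone.utc)
    return {
        "site_id": site_id,                          # which Customer's website
        "session_id": secrets.token_urlsafe(16),     # random, not derived from the user
        "choice": choice,
        "ip_masked": pseudonymise_ip(client_ip),
        "ts": now.isoformat(),
        "ip_expires": (now + IP_RETENTION).isoformat(),
        "expires": (now + RECORD_RETENTION).isoformat(),
    }


def apply_retention(records: list, now: datetime) -> list:
    """Retention sweep: drop whole records past 12 months; strip only the IP
    from records past 30 days. Returns the surviving records."""
    kept = []
    for rec in records:
        if datetime.fromisoformat(rec["expires"]) <= now:
            continue                                   # whole record expired
        if rec.get("ip_masked") is not None and \
                datetime.fromisoformat(rec["ip_expires"]) <= now:
            rec = {**rec, "ip_masked": None}           # IP clock expired first
        kept.append(rec)
    return kept


def demo_retention():
    """Constructed walk-through: one 'reject' event, then the sweep at day 31 and day 366."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    rec = make_consent_record("site-1", "reject", "203.0.113.77", now=t0)
    after_31_days = apply_retention([rec], t0 + timedelta(days=31))
    after_366_days = apply_retention([rec], t0 + timedelta(days=366))
    return rec, after_31_days, after_366_days


if __name__ == "__main__":
    original, day31, day366 = demo_retention()
    print(original["ip_masked"], day31[0]["ip_masked"], day366)
```

Running the sweep on a schedule (rather than relying on cookie expiry alone) is what makes the 30-day and 12-month figures in the table verifiable on the server side.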
2.2 Legal Basis
We process this data on the lawful instructions of the website owner (our Customer). The applicable legal basis is determined by the website owner.
2.3 Cookies Set by Our Service
| Cookie Name | Purpose | Duration |
|---|---|---|
| gdprhub_consent | Stores your consent choices | 12 months |
| gdprhub_session | Prevents the banner from re-appearing during the same visit | Session |
These are strictly necessary / functional cookies — they do not track you across websites.
2.4 Your Rights as an End User
Since the website owner (our Customer) controls your data, direct your requests to them first. We will assist the website owner in fulfilling your request.
| Right | How to Exercise |
|---|---|
| Access your consent record | Contact the website owner |
| Delete your consent record | Contact the website owner — they can delete via our dashboard |
| Withdraw consent | Click "Reject" or "Manage Cookies" on the cookie banner |
| Lodge a complaint | Contact your local data protection authority |
If the website owner cannot be reached, contact us using the details in Part 10 and we will forward your request.
PART 3: DATA SHARING AND SUB-PROCESSORS
3.1 Authorised Sub-processors
We share data with the following service providers solely to operate the platform:
| Provider | Purpose | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Managed PostgreSQL (EU host) | Primary database — all platform data | All customer and compliance data | EU (EEA) | EEA — no transfer |
| Cloudflare | DDoS protection, CDN, DNS | Request metadata (no compliance content) | Global (EU nodes in use) | SCCs + DPF |
| Mailgun (EU region) | Transactional and notification emails | Name, email address | EU region | SCCs |
| Paddle.com | Merchant of Record / Payment processing | Billing data only (no compliance records) | Ireland / UK / US | SCCs + DPF; PCI DSS L1 |
| Sentry | Application error tracking | Technical logs — no personal compliance data | US | SCCs + DPF |
| Encrypted backup provider (EU) | Encrypted off-site backups | Encrypted database snapshots | EU (EEA) | EEA — no transfer |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914). DPF = EU–U.S. Data Privacy Framework. A full, up-to-date sub-processor list is available on request.
3.2 When We Disclose Without Consent
We may disclose data if required by law, regulation, legal process, or governmental authority, or to protect the security and integrity of our platform.
3.3 Business Transfers
In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify affected Customers and, where practicable, end users via email and in-platform notice at least 30 days before any transfer.
PART 4: INTERNATIONAL DATA TRANSFERS
All Customer compliance data is stored on servers within the European Economic Area (EEA). However, as a company established in the Kingdom of Bahrain (which does not hold an EU adequacy decision), access to EU personal data from Bahrain — for example, for technical support or maintenance — constitutes a restricted transfer under GDPR Chapter V.
We address this by:
- Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor), EU Commission Implementing Decision 2021/914, governing any access from Bahrain.
- A Transfer Impact Assessment (TIA) specific to Bahrain, available on written request using the details in Part 10.
- Compliance with the Bahrain Personal Data Protection Law (PDPL, Law No. 30 of 2018, as amended 2023) as our local data protection framework.
Where sub-processors are located outside the EEA, we use SCCs, the EU–U.S. Data Privacy Framework, or a European Commission adequacy decision as the applicable safeguard (detailed in Section 3.1).
PART 5: SECURITY MEASURES
We implement technical and organisational measures (TOMs) appropriate to the risk, in accordance with GDPR Article 32.
| Measure | Implementation |
|---|---|
| Encryption at rest | Sensitive credentials (e.g., SMTP passwords) are encrypted at the application level using AES-128-CBC with HMAC-SHA256 (Fernet) with per-company, per-field derived keys. All data at rest additionally benefits from disk-level encryption provided by our managed database host. |
| Encryption in transit | All browser-to-server traffic is encrypted using TLS 1.2 or higher, enforced by our TLS-terminating reverse proxy. Unencrypted HTTP connections are redirected to HTTPS. Email is transmitted using STARTTLS where supported by the receiving server. |
| Access controls | Role-based access control (RBAC) with granular permissions. Multi-factor authentication (MFA) is available and, where the Customer elects it, is enforced for privileged roles. All seat actions are logged with timestamps and actor identity. |
| Audit logging | All data access, modifications, and administrative actions are logged and retained for 12 months. |
| Password security | Passwords are never stored in plaintext. We use SHA-256 hashing with a server-side pepper unique to our deployment. |
| Vulnerability management | Dependencies are monitored and patched on a regular basis. Security issues are triaged and resolved according to severity. |
| Data minimisation | We collect only the data required to provide the Service. Error-tracking tools (Sentry) are configured to scrub personal data from payloads before transmission. |
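The "per-company, per-field derived keys" row above is the part of the table that is easiest to get subtly wrong, so here is an added example (not the Company's code) of the construction it describes: a single master key is never used directly; instead an HKDF-SHA256 derivation bound to the company identifier and the field name produces the Fernet key (AES-128-CBC + HMAC-SHA256), so a ciphertext for one company's SMTP password cannot be decrypted, or even pass the HMAC check, under another company's key or another field's key. The master-key source, the salt/info labels and the company/field identifiers are assumptions; the policy does not specify them.

```python
# Added example, not the Company's code. HKDF-SHA256 with the labels below,
# the master-key handling and the company/field identifiers are assumptions.
import base64
import hashlib
import hmac
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, built on the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def field_key(master_key: bytes, company_id: str, field_name: str) -> bytes:
    """Derive a Fernet key bound to one company and one field.
    Fernet wants 32 bytes, urlsafe-base64 encoded (16 signing + 16 AES)."""
    info = b"gdprhub-field-key|" + company_id.encode() + b"|" + field_name.encode()
    raw = hkdf_sha256(master_key, salt=b"gdprhub-field-key-v1", info=info, length=32)
    return base64.urlsafe_b64encode(raw)


def encrypt_field(master_key: bytes, company_id: str, field_name: str, plaintext: str) -> str:
    """Encrypt-then-MAC via Fernet; the token is safe to store in the database column."""
    f = Fernet(field_key(master_key, company_id, field_name))
    return f.encrypt(plaintext.encode()).decode()


def decrypt_field(master_key: bytes, company_id: str, field_name: str, token: str) -> Optional[str]:
    """Returns None when the token was not produced under this company/field key
    (HMAC verification fails) or has been tampered with."""
    f = Fernet(field_key(master_key, company_id, field_name))
    try:
        return f.decrypt(token.encode()).decode()
    except InvalidToken:
        return None


def demo():
    """Constructed walk-through: encrypt one company's SMTP password, then try the
    right key, another company's key, and another field's key."""
    master = os.urandom(32)  # in production: from a secrets manager, never stored beside the data
    token = encrypt_field(master, "company-123", "smtp_password", "s3cr3t")
    right_key = decrypt_field(master, "company-123", "smtp_password", token)
    other_company = decrypt_field(master, "company-456", "smtp_password", token)
    other_field = decrypt_field(master, "company-123", "api_token", token)
    return right_key, other_company, other_field


if __name__ == "__main__":
    print(demo())  # ('s3cr3t', None, None)
```

Binding the key to the field name as well as the company means a token copied from one column into another fails closed, and rotating the master key re-derives every field key at once without having to track keys per row.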
PART 6: DATA RETENTION SUMMARY
| Data Type | Retention Period |
|---|---|
| End user consent records | 12 months |
| End user pseudonymised IP addresses | 30 days |
| Customer compliance records (DSARs, breaches, etc.) | Until deleted by Customer or account closure + 30 days |
| Customer account data (name, email, org) | Until account closure + 30 days |
| Invoice / billing records | 7 years (legal requirement) |
| Support tickets | 3 years |
| Application access logs | 12 months |
PART 7: YOUR RIGHTS (FOR CUSTOMERS)
If you are an organisation or individual using our platform, you have the following rights in relation to your personal data:
| Right | How to Exercise |
|---|---|
| Access your data | Download via Dashboard → Settings → Export Data, or email privacy@gdprcompliancehub.com |
| Correct inaccurate data | Edit directly in the dashboard or contact us |
| Delete your account | Dashboard → Settings → Delete Account, or email us |
| Data portability | Export all compliance data in JSON format via the dashboard |
| Restrict processing | Contact Us |
| Object to processing | Contact Us |
| Lodge a complaint | Contact your local DPA or the lead supervisory authority for our EU Representative's country (see Part 12) |
We respond to all valid requests within 30 days (extendable by a further 60 days for complex requests, with notice given).
PART 8: CHILDREN'S PRIVACY
Our platform is intended for use by organisations and their employees; it is not directed at children under 16. We do not knowingly collect data from children. If we discover we have processed a child's data without appropriate consent, we will delete it immediately. Website owners using our consent management module are responsible for age verification on their own websites.
PART 9: CALIFORNIA RESIDENTS (CCPA/CPRA)
If you are a California resident, you have the following additional rights:
| Right | Description |
|---|---|
| Know | Request disclosure of the categories and specific pieces of data we hold about you |
| Delete | Request deletion of your personal information, subject to certain exceptions |
| Correct | Request correction of inaccurate personal information |
| Opt-out of sale | We do not sell or share personal information as defined by California law — no opt-out is needed |
| Non-discrimination | We will not discriminate against you for exercising your CCPA rights |
To exercise California rights, email privacy@gdprcompliancehub.com with "California Privacy Request" in the subject line. We will respond within 45 days.
PART 10: CONTACT INFORMATION
Data Processor (for end user / consent data):
Roshcomm Co WLL, doing business as GDPR Compliance Hub
Write to us via the Contact Us page.
Data Protection Officer:
Reachable via the Contact Us page.
EU Representative (Article 27 GDPR):
We are in the process of appointing an EU Representative. Once appointed, we will publish their details here, and EU/EEA data subjects and supervisory authorities may contact our EU Representative directly in addition to contacting us.
PART 11: CHANGES TO THIS POLICY
We will notify Customers of material changes via:
- Email to the registered account address, at least 30 days before the effective date
- In-platform notification banner
- Update to the "Last Updated" date at the top of this page
For end users, the website owner (our Customer) is responsible for updating their own privacy notice and informing their users.
PART 12: SUPERVISORY AUTHORITY
As a company established in Bahrain, once our EU Representative is appointed our lead supervisory authority will be the data protection authority of the EU Member State where that EU Representative is based.
[Address — to be confirmed once EU Representative is appointed]
Regardless of our lead authority, you may lodge a complaint with the supervisory authority in your own EU/EEA Member State.