GDPR Compliance
1. Our Commitment to GDPR
ViralDashboard is committed to protecting the privacy and personal data of all individuals. We comply with the GDPR (EU) 2016/679, the UK GDPR, and applicable national implementing legislation. We apply GDPR-level data protection standards to all users globally.
2. Our Role: Controller and Processor
As Data Controller
We are the data controller for personal data we collect when you visit our website, create an account, contact support, subscribe to marketing, or interact with our sales team.
As Data Processor
We act as a data processor when we process personal data on your behalf through the Service, including social media content, messages, analytics data, and AI-generated content. Our obligations as processor are governed by our Data Processing Agreement.
3. Lawful Basis for Processing
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Service delivery | Performance of contract | Art. 6(1)(b) |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics | Legitimate interest | Art. 6(1)(f) |
| Marketing emails | Consent | Art. 6(1)(a) |
| Advertising cookies | Consent | Art. 6(1)(a) |
| AI model improvement | Consent | Art. 6(1)(a) |
| Tax and financial records | Legal obligation | Art. 6(1)(c) |
4. Data Subject Rights
- Right of Access (Art. 15) — Request a copy of your personal data. Use Settings > Privacy > Request My Data or email privacy@viraldashboard.com.
- Right to Rectification (Art. 16) — Update your information in Settings > Profile.
- Right to Erasure (Art. 17) — Request deletion via Settings > Account > Delete Account.
- Right to Restriction (Art. 18) — Request restriction of processing.
- Right to Data Portability (Art. 20) — Export your data in JSON or CSV via Settings > Account > Export Data.
- Right to Object (Art. 21) — Object to processing based on legitimate interests or direct marketing.
- Right Related to Automated Decision-Making (Art. 22) — We do not make automated decisions with legal or significant effects.
- Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time in Settings > Privacy.
Response time: Within 30 days (extendable by 60 days for complex requests).
5. Data Protection Officer
Email: dpo@viraldashboard.com
The DPO monitors compliance, advises on data protection obligations, and acts as a point of contact for data subjects and supervisory authorities.
6. Sub-Processor List
| Sub-Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | US / EU (Frankfurt) | SCCs + AWS DPA |
| Stripe | Payment processing | United States | SCCs + Stripe DPA |
| Postmark | Transactional email | United States | SCCs |
| OpenAI | AI content generation | United States | SCCs + OpenAI DPA |
| Cloudflare | CDN, DNS, DDoS protection | Global | SCCs + Cloudflare DPA |
| Sentry | Error monitoring | United States | SCCs |
| Intercom | Customer support | United States | SCCs + Intercom DPA |
| PostHog | Product analytics | EU (Frankfurt) | EU processing |
| Google LLC | Website analytics | United States | SCCs + Google DPA |
| Hetzner Online | Backup infrastructure | Germany (EU) | EU processing |
We notify customers at least 30 days before adding or replacing a sub-processor. Subscribe to notifications by emailing dpo@viraldashboard.com.
7. International Data Transfers
For transfers outside the EEA/UK/Switzerland, we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and adequacy decisions. We conduct transfer impact assessments and implement supplementary measures, including encryption (TLS 1.3, AES-256), pseudonymization, and contractual obligations on sub-processors.
8. Data Retention Schedule
| Data Category | Retention Period |
|---|---|
| Account profile data | Duration of account + 30 days |
| Social media content and analytics | Duration of account + 30 days |
| Billing and payment records | 7 years after last transaction |
| Server and access logs | 90 days |
| Support ticket content | 3 years after resolution |
| Marketing consent records | Duration of consent + 3 years |
| Cookie consent records | 12 months (renewed on revisit) |
| AI prompts and generated content | Duration of account + 30 days |
| Usage analytics (aggregated) | 26 months |
9. How to Exercise Your Rights
Submit requests via email to privacy@viraldashboard.com, in-app at Settings > Privacy, or by postal mail. Standard requests are processed within 30 days. Complex requests may take up to 90 days.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.
10. Data Protection by Design and Default
We implement data protection by design through data minimization, purpose limitation, privacy-protective default settings, pseudonymization, role-based access controls, regular security assessments, Data Protection Impact Assessments, and privacy reviews in our product development lifecycle.
11. Data Protection Impact Assessments
DPIAs have been conducted for AI-powered content generation, social media inbox aggregation, analytics and audience profiling, and cross-platform data aggregation. Summaries are available upon request from dpo@viraldashboard.com.
13. Contact Us
Privacy Team: privacy@viraldashboard.com
Data Protection Officer: dpo@viraldashboard.com
EU Representative: eu-privacy@viraldashboard.com
This GDPR Compliance page is effective as of March 28, 2026.