GDPR Compliance
HOW WE PROTECT THE RIGHTS OF EU, EEA, UK & SWISS RESIDENTS
Overview
StatusForge processes personal data to help individuals control how AI systems represent them professionally. This page documents our GDPR compliance framework, including legal bases for processing, data subject rights, transfer mechanisms, and our Data Protection Impact Assessment summary.
Our full privacy policy is at /privacy. This page supplements it for EU/EEA/UK/Swiss residents.
1. Data Controller
Controller: Arctic Labs LLC (d/b/a StatusForge)
Address: 6545 Market Ave. North, STE 100, Canton, OH 44721, United States
Data Protection Contact: [email protected]
2. Legal Bases for Processing
We process personal data under the following legal bases (GDPR Article 6):
| Processing activity | Legal basis | Article |
|---|---|---|
| Profile creation and publishing | Consent | 6(1)(a) |
| B2B data licensing via API | Consent | 6(1)(a) |
| Satellite distribution (third-party platforms) | Consent | 6(1)(a) |
| Account management and authentication | Contract performance | 6(1)(b) |
| Payment processing (via Stripe) | Contract performance | 6(1)(b) |
| Micro-royalty calculation and payment | Contract performance | 6(1)(b) |
| Security monitoring and rate limiting | Legitimate interest | 6(1)(f) |
| Fraud prevention and bot detection | Legitimate interest | 6(1)(f) |
| Privacy request processing and audit trail | Legal obligation | 6(1)(c) |
3. Your Rights
Under GDPR, you have the following rights. We honor all of them regardless of whether your country has formally adopted GDPR.
Right of Access (Art. 15)
Request a complete copy of all personal data we hold about you, in a structured, machine-readable format (JSON). Use the export feature in your dashboard or email us.
Right to Rectification (Art. 16)
Correct any inaccurate data directly in your dashboard, or email us with the corrections.
Right to Erasure (Art. 17)
Request deletion of all your personal data. We honor this within 15 business days and cascade deletion to all connected systems. We also notify B2B partners to purge cached copies.
Right to Restriction (Art. 18)
Request that we limit processing of your data while a complaint is being resolved. Your profile will be unpublished and API access suspended during this period.
Right to Data Portability (Art. 20)
Receive your data in a structured, commonly used, machine-readable format (JSON). Available via your dashboard or by emailing us.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
Right Regarding Automated Decisions (Art. 22)
We do not make automated decisions that produce legal or similarly significant effects. The AI Coverage Index is informational only and is never used for hiring, lending, or other consequential decisions. You can request a human explanation of any score at any time.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time by deleting your profile, setting a do-not-sell flag, or emailing us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
To exercise any right: [email protected]. Response within 30 days (GDPR) or 15 business days (our pledge), whichever is sooner.
4. International Data Transfers
StatusForge is based in the United States. Your personal data is transferred to and stored in the US. We protect these transfers using:
- EU–U.S. Data Privacy Framework (DPF): Where applicable, for transfers to certified organizations.
- Standard Contractual Clauses (SCCs): European Commission Decision 2021/914, executed with all sub-processors. These clauses impose contractual obligations on the data importer to protect your data to EU standards.
- Supplementary measures: Encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security assessments.
Copies of our executed SCCs are available on request. Email [email protected].
5. Sub-Processors
We use the following sub-processors to operate StatusForge. Each has executed our Data Processing Agreement and, where applicable, Standard Contractual Clauses.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database, authentication | United States | SCCs + DPF |
| Vercel Inc. | Hosting, serverless functions | United States | SCCs + DPF |
| Stripe Inc. | Payment processing | United States | SCCs + DPF |
| Cloudflare Inc. | CDN, security, bot protection | Global (edge) | SCCs + DPF |
Sub-processor change notification: We notify registered users by email at least 30 days before engaging a new sub-processor. You may object within that period. If we cannot resolve your objection, you may terminate your account and we will delete your data.
6. Data Protection Impact Assessment (Summary)
We have completed a DPIA for our core processing activities in accordance with GDPR Article 35. Key findings:
Processing: Profile publishing and B2B data licensing
Nature: First-party professional data, self-disclosed by the user, published at their explicit request.
Risk assessment: Moderate. Professional data is published publicly by design. Mitigated by: explicit consent, granular control, real deletion, do-not-sell opt-out, and partner contractual restrictions.
Necessity and proportionality: Processing is necessary for the core service. Users explicitly choose to make their professional identity available to AI systems. Less intrusive alternatives (e.g., opt-in per query) would undermine the service purpose.
Processing: AI Coverage Index scoring
Nature: Algorithmic score (0–850) measuring profile completeness and AI visibility.
Risk assessment: Low. Score is informational only, never used for automated decisions with legal effects. Algorithm is fully transparent and explained to users.
Mitigations: Users can request a human explanation of their score. Partners are contractually prohibited from using the score for high-risk decisions. Full algorithm documentation is available.
Processing: Connection requests
Nature: Routing connection requests between businesses and users.
Risk assessment: Low. No contact information is shared until explicit user acceptance. Users are paid for accepted connections.
Mitigations: Individual acceptance required, Do Not Contact opt-out, $3 payment per accepted connection, immediate revocation available.
The full DPIA document is available to supervisory authorities on request.
7. Consent Management
We obtain and manage consent as follows:
- Profile consent: Obtained during the intake process. You explicitly agree that your professional information will be published and licensed to AI companies. You can withdraw at any time.
- Cookie consent: Non-essential cookies are only set after you provide explicit consent via our cookie banner. Essential cookies (authentication, security) do not require consent under the ePrivacy Directive.
- Marketing consent: We do not currently send marketing communications. If we begin, we will obtain separate, explicit consent.
- Consent records: We store a timestamped record of each consent event (grant, withdrawal) for audit purposes.
8. Data Processing Agreement
B2B partners who access user data through our API are required to execute a Data Processing Agreement before receiving access. Our DPA template is available at /dpa.
The DPA includes Standard Contractual Clauses, technical and organizational security measures, data breach notification obligations, and sub-processor approval requirements.
9. Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware, where feasible (GDPR Article 33).
- We will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- We will publish the incident on our transparency page within 7 days (our pledge).
- We will notify B2B partners within 48 hours so they can take protective action.
10. EU AI Act Compliance
StatusForge also complies with the EU Artificial Intelligence Act. Our AI Act compliance documentation is available at /ai-act.
Contact
For all GDPR-related inquiries:
Arctic Labs LLC (d/b/a StatusForge)
6545 Market Ave. North, STE 100
Canton, OH 44721