Data Protection Policy
Purpose and Scope
This internal policy ensures FlopHero complies with privacy laws like GDPR and CCPA. It applies to all staff who handle personal data.
This Data Protection Policy establishes Flophero US LLC’s commitment to protecting personal data in compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant data protection regulations.
This policy applies to all employees, contractors, and third parties who process personal data on behalf of Flophero US LLC.
Data Protection Principles
We follow six key principles: lawful processing, purpose limitation, data minimization, accuracy, storage limitation, and security. We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency
– Process personal data lawfully, fairly, and transparently
– Provide clear information about data processing activities
– Ensure individuals understand how their data is used
- Purpose Limitation
– Collect personal data for specified, explicit, and legitimate purposes
– Not process data in ways incompatible with original purposes
– Regularly review and update processing purposes
- Data Minimization
– Collect only personal data that is adequate, relevant, and necessary
– Regularly review data collection practices
– Implement privacy-by-design principles
- Accuracy
– Ensure personal data is accurate and kept up to date
– Take reasonable steps to correct or delete inaccurate data
– Implement processes for data quality management
- Storage Limitation
– Retain personal data only as long as necessary for processing purposes
– Implement data retention schedules and deletion procedures
– Regularly review and purge unnecessary data
- Integrity and Confidentiality
– Implement appropriate technical and organizational measures
– Protect against unauthorized processing, loss, or damage
– Ensure ongoing confidentiality, integrity, and availability
Organizational Structure
We are presently below the GDPR thresholds that trigger a mandatory Data Protection Officer (Article 37). Our current data volume (<10,000 EU data subjects/year) and monitoring scope do not require DPO appointment. We maintain a Privacy Point-of-Contact structure to ensure comprehensive data protection compliance. Any future DPO appointment will be evaluated in due course and inline with business growth.
Our Privacy point of contact oversees data protection compliance and reports directly to the CEO for independence.
- Overall responsibility for data protection compliance
- Email: [email protected]
- Reports to: CEO
- Independence: Direct reporting line to ensure independence in data protection matters
Responsibilities:
- Monitor compliance with data protection laws
- Conduct privacy impact assessments
- Serve as point of contact for data protection authorities
- Provide data protection training and guidance
- Investigate and respond to data protection incidents
Data Processing Responsibilities
- CEO: Ultimate accountability for data protection compliance
- Development Team: Privacy-by-design implementation
- Customer Support: Data subject rights handling
All Staff: Day-to-day compliance with data protection procedures
Data Processing Register
We maintain detailed records of all personal data processing activities, including purpose, legal basis, retention periods, and processor locations. All data processing activities include appropriate international transfer safeguards:
- AWS Ireland: EU adequacy decision
- Stripe/PayPal (US): Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
- Google Analytics (US): Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
- Zoho (India): Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
Payment Information
- Purpose: Subscription billing and payment processing
- Legal Basis: Contract performance and legal obligation
- Data Categories: Payment method, transaction history, billing address
- Data Subjects: Paying customers
- Recipients: Stripe, PayPal, internal finance team
- Storage Period: 7 years (legal requirement)
- Processor Location: Stripe (US), PayPal (US)
- International Transfers: Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
- Safeguards: PCI DSS compliance, encryption, tokenization
Usage Analytics
- Purpose: Service improvement and analytics
- Legal Basis: Legitimate interest
- Data Categories: Usage patterns, feature interactions, performance metrics
- Data Subjects: All service users
- Recipients: Internal development team, Google Analytics
- Storage Period: 2 years (anonymized after 6 months)
- Processor Location: Google (US)
- International Transfers: Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
- Safeguards: Anonymization, aggregation, access controls
Customer Support Communications
- Purpose: Customer service and support
- Legal Basis: Contract performance and legitimate interest
- Data Categories: Support tickets, email communications, issue resolution
- Data Subjects: Users requesting support
- Recipients: Customer support team, Zoho support platform
- Storage Period: 3 years from last contact
- Processor Location: Zoho (India)
- International Transfers: Standard Contractual Clauses (2021 SCCs Modules 1 & 2)
Safeguards: Access controls, encryption, audit logs
Data Subject Rights
We handle requests for access, correction, deletion, and other privacy rights within 30 days and we have established procedures to handle data subject rights requests.
Privacy by Design
All new features undergo privacy impact assessment before development. We build privacy protection into our systems from the start. All new features and systems must undergo privacy impact assessment:
Privacy Impact Assessment Gate:
- Identify personal data involved
- Assess privacy risks and mitigation measures
- Document privacy-by-design implementation
- Obtain privacy approval before development
- Data minimization in system design
- Encryption and pseudonymization
- Access controls and audit logging
- Automated data retention and deletion
- Privacy training for development team
- Regular privacy reviews and updates
- Documentation of privacy decisions
- Ongoing monitoring and assessment
Vendor Management
All third-party vendors processing personal data must:
- Demonstrate adequate data protection measures
- Provide appropriate contractual safeguards
- Undergo regular security and privacy assessments
- Maintain current certifications and compliance
Data Breach Response
We have a 72-hour incident response plan with clear roles and notification procedures.
Incident Response Team
- Privacy Manager: Incident coordination and authority notification
- CEO: Executive decision-making and external communications
- Technical Lead: Technical investigation and remediation
- Legal Counsel: Legal assessment and regulatory guidance
72-Hour Incident Response Flow
- Detection and Containment (0-1 hours)
- Identify and contain the incident
- Assess scope and severity of breach
- Determine if personal data is involved
- Activate incident response team
- Investigation and Assessment (1-24 hours)
- Conduct detailed technical investigation
- Document timeline and affected data
- Assess risk to data subjects
- Determine notification requirements
- Authority Notification (24-72 hours)
- Notify supervisory authority within 72 hours (if required)
- Prepare data subject notifications (if high risk)
- Coordinate with legal counsel and authorities
- Document all notification activities
- Remediation and Follow-up (Ongoing)**
- Implement technical and organizational fixes
- Monitor for ongoing threats or impacts
- Conduct post-incident review and lessons learned
- Update policies and procedures as needed
Training and Awareness
All staff receive mandatory data protection training with role-specific requirements.
Mandatory Training
- All staff must complete data protection training covering:
- Data protection principles and legal requirements
- Company policies and procedures
- Data subject rights and request handling
- Incident reporting and response
- Privacy-by-design principles
- Role-Specific Training
- Customer Support: Data subject rights, request handling, escalation procedures
- Development Team: Privacy-by-design, technical safeguards, secure coding
- Management: Compliance oversight, incident management, vendor assessment
Ongoing Awareness
- Regular privacy updates and communications
- Annual policy review and acknowledgment
- Privacy considerations in team meetings
- External training and certification opportunities
Monitoring and Compliance
We regularly assess our privacy program and track key performance indicators.
Regular Assessments
- Monthly: Review data subject rights requests and response times
- Quarterly: Assess vendor compliance and security posture
- Annually: Comprehensive privacy program review and update
- Ad-hoc: Incident-driven assessments and improvements
Key Performance Indicators
- Data subject rights response time (target: <30 days)
- Privacy training completion rate (target: 100%)
- Vendor compliance assessment completion (target: 100% annually)
- Incident response time (target: <72 hours for authority notification)
Contact Information
Contact [email protected] for privacy matters or [email protected] for security incidents.
- Name: Noorul Ilahi – Privacy Point-of-Contact
- Email: [email protected]
- Response Time: Within 5 business days
- Email: [email protected]
General Contact
- Flophero US LLC
- 30 N Gould St Ste R
- Sheridan, WY 82801
- Email: [email protected]
This Data Protection Policy is effective and will be reviewed annually or as needed to ensure continued compliance with applicable data protection laws.