GDPR Compliance

Last updated: March 21, 2026

1. Our Commitment

Fleeq is committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We take the protection of your personal data seriously and process it lawfully, fairly, and transparently.

This page explains how we comply with GDPR requirements and outlines the rights available to you as a data subject. This supplements our Privacy Policy, which provides full details on our data processing activities.

2. Data Controller

Fleeq acts as the data controller for personal data collected through our website and services. This means we determine the purposes and means of processing your personal data.

For any data protection inquiries, you can reach our data protection contact at [email protected].

3. Legal Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR:

  • Consent (Art. 6(1)(a)): When you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to communications or submitting a contact form.
  • Contract (Art. 6(1)(b)): When processing is necessary for the performance of a contract with you, such as providing our managed infrastructure or development services.
  • Legal Obligation (Art. 6(1)(c)): When processing is necessary to comply with a legal obligation, such as tax or accounting requirements.
  • Legitimate Interest (Art. 6(1)(f)): When processing is necessary for our legitimate interests, such as improving our services, website analytics, or fraud prevention, provided these interests are not overridden by your rights.

4. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. We will respond to your requests within 30 days.

Right of Access (Art. 15)

You have the right to obtain confirmation as to whether we process your personal data, and if so, to request a copy of that data along with information about how it is processed.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data we hold about you.

Right to Erasure (Art. 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful.

Right to Restriction (Art. 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

5. Data Processing Activities

We process personal data for the following purposes:

Purpose                       | Legal Basis         | Retention
Service delivery              | Contract            | Duration of contract + 1 year
Contact form inquiries        | Consent             | Until resolved + 6 months
Job applications              | Consent             | 6 months after decision
Website analytics             | Legitimate interest | 26 months
Invoicing and billing         | Legal obligation    | As required by law
Security and fraud prevention | Legitimate interest | 12 months

6. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. These safeguards include:

  • Transfers to countries with an adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Your explicit consent for specific transfers

7. Data Protection Measures

We implement appropriate technical and organizational measures under Article 32 of the GDPR to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS) and at rest
  • Regular security assessments and vulnerability testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures
  • Regular backups with tested restoration procedures
  • Data minimization — we only collect data that is necessary

8. Data Breach Notification

In accordance with Articles 33 and 34 of the GDPR, in the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
  • We maintain an internal record of all data breaches, including their effects and the remedial action taken

9. Data Protection Impact Assessments

Where required under Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) before introducing new processing activities that are likely to result in a high risk to individuals' rights and freedoms. This includes processing involving new technologies, large-scale profiling, or systematic monitoring.

10. Sub-Processors

When we engage third-party sub-processors who may access personal data on our behalf, we ensure:

  • Each sub-processor is bound by a Data Processing Agreement (DPA)
  • Sub-processors provide sufficient guarantees to implement appropriate technical and organizational measures
  • We remain liable for our sub-processors' compliance
  • We maintain an up-to-date list of sub-processors and will inform you of any changes

11. Cookies and Tracking

In compliance with the ePrivacy Directive and GDPR, we:

  • Only use essential cookies without consent (strictly necessary for site functionality)
  • Obtain explicit consent before placing analytics or marketing cookies
  • Provide clear information about each cookie's purpose and duration
  • Allow you to withdraw cookie consent at any time

12. Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will take immediate steps to delete it in accordance with Article 8 of the GDPR.

13. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

We encourage you to contact us first at [email protected] so we can address your concerns directly.

14. How to Exercise Your Rights

To exercise any of your rights under the GDPR, please contact us at:

Email: [email protected]

Subject line: GDPR Request — [Your Name]

We may need to verify your identity before processing your request. We will respond within 30 days, with the possibility of a 60-day extension for complex requests, as permitted by Article 12(3) GDPR.

15. Updates to This Policy

We may update this GDPR compliance page to reflect changes in our data processing practices or legal requirements. Material changes will be communicated via our website. The "Last updated" date at the top indicates when this page was last revised.