GDPR Rights

Last updated: January 1, 2025

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and its equivalent national laws give you specific rights over your personal data. This page explains those rights and how to exercise them with Zoxrim.

Your Rights Under GDPR

Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you. This includes your account information, scan history, and usage data. You can download a copy of most of your data directly from Settings → Privacy → Export Data. For a complete data export, contact us at [email protected].

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected. You can update most of your account information directly in Settings → Profile. If you need us to correct data that you cannot update yourself, please contact us.

Right to Erasure / "Right to Be Forgotten" (Article 17)

You have the right to request permanent deletion of your personal data when it is no longer necessary for the purposes it was collected. To exercise this right, go to Settings → Account → Delete Account. Your data will be permanently erased within 30 days. Note that we may retain certain data for legal compliance purposes (e.g., billing records required by tax law).

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) so that you can transfer it to another service. Use the Export Data function in your account settings, or contact us for a full export.

Right to Object (Article 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. In particular, you may opt out of analytics tracking at any time via Settings → Privacy → Analytics. You may also object to receiving marketing communications via the unsubscribe link in any email.

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while we are investigating a complaint about data accuracy. During a restriction, we will retain your data but not actively use it.

Legal Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

  • Legitimate interests (Article 6(1)(f)): We process technical data such as IP addresses, device information, and scan hashes to detect abuse, prevent fraud, and improve the security of our platform. Our security mission constitutes a legitimate interest that we believe is not overridden by your privacy rights.
  • Contract performance (Article 6(1)(b)): Processing your account information, managing your subscription, and delivering scan results are necessary for us to fulfil our contract with you.
  • Consent (Article 6(1)(a)): We rely on your explicit consent for optional marketing emails. You can withdraw this consent at any time without affecting the legality of processing prior to withdrawal.
  • Legal obligation (Article 6(1)(c)): We may process certain data to comply with tax, financial reporting, or other legal obligations.

International Data Transfers

Zoxrim is operated by FloodHacking LLC, a US company. Your data is processed primarily on AWS infrastructure in the US-East (N. Virginia) region. Transfers of personal data from the EEA or UK to the United States are made under the European Commission's Standard Contractual Clauses (SCCs) as our transfer mechanism, ensuring your data receives adequate protection equivalent to that provided by EU law.

Our key sub-processors (MongoDB Atlas, AWS, Stripe, OpenAI) are all either US-based entities covered by SCCs or entities that have self-certified under an equivalent adequacy framework.

How to Exercise Your Rights

To submit a data subject request or ask a question about our GDPR compliance:

  • Email our Data Protection contact: [email protected]
  • We will acknowledge your request within 5 business days.
  • We will respond fully within 30 days, as required by GDPR (extendable by up to 2 months for complex requests, with notice).
  • We will not charge a fee for reasonable requests.

If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your national authority at edpb.europa.eu.