PrimoDato is committed to complying with the General Data Protection Regulation ("GDPR") and related European data protection laws. This page summarizes how PrimoDato approaches GDPR compliance, the legal bases on which we process personal data, the safeguards we apply, and the rights available to individuals in the European Economic Area, the United Kingdom, and Switzerland.
1. Our Role
PrimoDato may act as either a Controller or a Processor depending on the context. We act as a Controller for account registration, billing, customer support, product analytics, and our own website operations. We act as a Processor when customers use the Services and instruct us to store or handle personal data on their behalf in connection with their workspace and workflows.
2. Lawful Basis for Processing
Where PrimoDato acts as Controller, we rely on one or more of the following lawful bases:
- Performance of a contract for account creation, billing, and service delivery.
- Legitimate interests for security monitoring, analytics, abuse prevention, and service improvement.
- Consent where required for optional marketing communications or certain analytics cookies.
- Legal obligation where we must retain records or respond to lawful requests.
3. Your Rights Under GDPR
Individuals covered by GDPR may have the following rights:
- Right of access: obtain confirmation that we process your personal data and request a copy.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion where there is no overriding reason for continued processing.
- Right to restriction: ask us to pause certain processing while a concern is reviewed.
- Right to portability: receive data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: where processing relies on consent, withdraw it at any time.
4. Data We Process as a Controller
As a Controller, PrimoDato primarily processes account-level data such as names, business email addresses, hashed passwords, authentication events, billing metadata, support messages, and high-level usage and telemetry data used to secure and improve the Service.
5. Data We Process as a Processor
As a Processor, PrimoDato may process customer-submitted workspace data, team account metadata, saved searches, export history, and related operational information strictly on the documented instructions of the customer. Our Processing obligations in that role are described in our Data Processing Agreement.
6. Data Retention Schedules
| Data category | Typical retention period | Reason |
|---|---|---|
| Account profile and authentication records | Account lifetime plus up to 24 months | Service continuity, fraud prevention, and auditability |
| Billing and tax records | Up to 7 years | Accounting, tax, and legal compliance |
| Search logs and telemetry | Up to 90 days unless preserved longer for security | Performance analysis, abuse monitoring, and troubleshooting |
| Support communications | Up to 3 years | Customer support history and service quality review |
| Backups | Rolling retention according to infrastructure policies | Business continuity and disaster recovery |
7. Sub-processors
PrimoDato currently relies on the following core sub-processors and infrastructure partners:
- Paddle
- Vercel
- MongoDB Atlas
- Upstash Redis
- Resend
- AWS
8. Data Transfers Outside the EEA
Where personal data is transferred outside the EEA, PrimoDato applies safeguards such as the Standard Contractual Clauses, security controls, and supplementary measures appropriate to the sensitivity of the data and the destination country.
9. How to Exercise Your Rights
You may exercise your GDPR rights by contacting gdpr@primodato.com. We may request reasonable verification information before acting on a request. Customers may also contact us through their account representative or workspace administrator where appropriate.
10. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
11. Data Protection Officer
You can contact PrimoDato on privacy governance matters through our privacy team and acting DPO contact at dpo@primodato.com.