GDPR Information

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that protects your personal data and privacy. It gives you control over your personal information and requires companies to be transparent about how they collect, use, and store your data.

GDPR applies to all companies that process personal data of individuals in the EU/EEA, United Kingdom, or Switzerland, regardless of where the company is located.

At Bulktify, we are committed to GDPR compliance and protecting your privacy rights. This page explains your rights under GDPR in simple, easy-to-understand language.

2. Your Rights Under GDPR

GDPR gives you several important rights regarding your personal data. Below, we explain each right in plain language with practical examples.

2.1 Right to Access (Article 15)

What it means: You have the right to know what personal data we hold about you and receive a copy of it.

Example: You can request a report showing all your account information, order history, email communications, and login activity stored in our system.

What you'll receive: A downloadable file (JSON or CSV) containing all your personal data we have on record.

2.2 Right to Rectification (Article 16)

What it means: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected.

Example: If your business address in your profile is outdated, you can ask us to update it. You can also update most information yourself from your account settings.

How to do it: Most information can be edited directly in your account settings. For information you can't edit, contact us at support@bulktify.com.

2.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What it means: You have the right to request deletion of your personal data in certain circumstances.

Example: If you close your Bulktify account, you can request that we permanently delete all your personal information (subject to legal retention requirements).

Important exceptions: We cannot delete data if we need it to:

• Comply with legal obligations (e.g., financial records must be kept for 7 years for tax purposes)
• Establish, exercise, or defend legal claims
• Complete a transaction you requested

2.4 Right to Restriction of Processing (Article 18)

What it means: You can ask us to limit how we use your data in certain situations, without deleting it completely.

Example: If you believe your data is inaccurate, you can request we stop processing it until we verify and correct it. During this time, we'll store your data but not actively use it.

When you can use this right:

• You're contesting the accuracy of your data
• The processing is unlawful, but you don't want deletion
• We no longer need the data, but you need it for legal claims
• You've objected to processing and are waiting for our response

2.5 Right to Data Portability (Article 20)

What it means: You have the right to receive your personal data in a structured, commonly used, machine-readable format and transfer it to another service provider.

Example: If you decide to switch to a different wholesale platform, you can request your product catalog, customer list, and order history in CSV or JSON format to import into the new system.

What data is portable: Data you provided to us and data generated through your use of our Services (excluding derived or aggregated data).

2.6 Right to Object (Article 21)

What it means: You can object to certain types of data processing, particularly for direct marketing or processing based on legitimate interests.

Example: You can opt out of marketing emails at any time by clicking "Unsubscribe" in any marketing email or updating your preferences in account settings.

Absolute right: For direct marketing, you have an absolute right to object—we must stop immediately. For other processing, we'll stop unless we have compelling legitimate grounds to continue.

2.7 Rights Related to Automated Decision Making (Article 22)

What it means: You have the right not to be subject to decisions based solely on automated processing (including profiling) that significantly affect you.

At Bulktify: We do not make automated decisions that significantly affect your rights. Our AI features (product description generation, image creation) are tools you control—they don't make decisions about your account, pricing, or access.

Your control: You can always review, edit, or reject AI-generated content before using it.

3. How to Exercise Your GDPR Rights

Exercising your GDPR rights is simple and free. Follow these steps:

3.1 Submit a Request

Email us: support@bulktify.com

Subject line: "GDPR Request: [Type of Request]"

Example subjects:

• "GDPR Request: Access" - to request your data
• "GDPR Request: Erasure" - to delete your data
• "GDPR Request: Rectification" - to correct data

3.2 Identity Verification

For your security, we need to verify your identity before processing your request. We may ask you to:

• Confirm your registered email address
• Provide your account username or business name
• Answer security questions
• Provide a copy of government-issued ID (for sensitive requests only)

Why verification matters: This prevents unauthorized individuals from accessing or deleting your personal data.

3.3 Response Timeframe

We will respond to your request within 1 month (30 days) from the date we receive it. For complex requests, we may extend this to 3 months and will notify you of the extension.

3.4 No Fee Required

Exercising your GDPR rights is completely free. We will not charge you unless your request is:

• Excessive or repetitive
• Manifestly unfounded
• Clearly unreasonable

If we determine a fee is necessary, we will notify you and explain why before processing your request.

3.5 What to Include in Your Request

To help us process your request quickly, please include:

• Your full name and registered email address
• Clear description of what you're requesting
• Specific data or time period (if applicable)
• Preferred format for data export (JSON, CSV, PDF)

4. Data Subject Access Request (DSAR) Process

A Data Subject Access Request (DSAR) is a formal request for a copy of all your personal data. Here's what to expect:

4.1 Step-by-Step Process

1. Step 1: Submit Request
   Email support@bulktify.com with subject "GDPR Request: Access"
2. Step 2: Identity Verification (1-2 days)
   We'll send you a verification link to confirm your identity
3. Step 3: Data Compilation (7-14 days)
   Our system gathers all your personal data from our databases
4. Step 4: Review & Preparation (3-5 days)
   We review the data to ensure accuracy and remove any third-party information
5. Step 5: Data Delivery (within 30 days total)
   You receive a secure download link to your data package

4.2 What Information You'll Receive

Your DSAR response will include:

• Account Information: Name, email, business details, contact information
• Business Data: Product catalogs, customer lists, order history
• Usage Data: Login history, feature usage, IP addresses
• Communications: Support tickets, email correspondence
• Billing History: Invoices, payment records, subscription details
• Preferences: Notification settings, language, theme

4.3 Data Format Options

You can choose from the following formats:

• JSON: Machine-readable format for importing into other systems
• CSV: Spreadsheet format for viewing in Excel or Google Sheets
• PDF: Human-readable format for printing or archiving

4.4 Security Measures

Your data package will be:

• Encrypted with a unique password sent separately
• Available via secure, time-limited download link (expires in 7 days)
• Never sent via regular email attachment

5. Why We Process Your Data (Lawful Basis)

GDPR requires us to have a legal reason (lawful basis) for processing your personal data. Here's why we process your data in plain language:

5.1 Contract Performance

When it applies: When you subscribe to Bulktify, we need to process your data to deliver the Services you paid for.

What we process:

• Account creation and management
• Service delivery (platform access, features)
• Billing and payment processing
• Customer support

Your control: This processing is necessary for the contract between you and Bulktify. If you don't want this processing, you would need to cancel your subscription.

5.2 Consent

When it applies: When you explicitly agree to specific types of data processing.

What we process:

• Marketing emails (you can opt-in or opt-out anytime)
• Optional analytics cookies (you can disable in browser settings)
• AI feature usage (you choose when to use AI tools)

Your control: You can withdraw consent at any time by:

• Clicking "Unsubscribe" in marketing emails
• Disabling cookies in your browser
• Contacting us at support@bulktify.com

5.3 Legitimate Interest

When it applies: When we have a legitimate business reason to process your data, balanced against your privacy rights.

What we process:

• Fraud prevention and security monitoring
• Platform improvement and bug fixes
• Internal analytics (how users interact with features)
• Customer support quality improvement

Your control: You can object to legitimate interest processing. We will stop unless we can demonstrate compelling reasons to continue.

5.4 Legal Obligation

When it applies: When the law requires us to process your data.

What we process:

• Tax records and financial reporting
• Responses to lawful requests from authorities
• Data breach notifications
• Compliance with GDPR itself (record-keeping)

Your control: Limited—legal obligations override other rights in most cases.

6. International Data Transfers

Bulktify is based in the United States, which means your data may be transferred outside the EU/EEA. Here's how we protect your data during these transfers:

6.1 Where Your Data Goes

• Primary Hosting: United States (Google Cloud / Firebase, Vercel)
• Email Services: United States (Resend)
• Payment Processing: Global (Stripe and AcceptBlue - with regional data residency)

6.2 Safeguards We Use

To ensure your data is protected when transferred outside the EU/EEA, we use:

Standard Contractual Clauses (SCCs)

Pre-approved contract terms by the European Commission that require US companies to protect EU data to the same standards as if it were in the EU.

Cloud Provider Compliance

• Google Cloud / Firebase: GDPR-compliant, ISO 27001 certified, SCCs in place
  View Google Cloud compliance certifications →
• Vercel: GDPR-compliant, SOC 2 Type II certified
  View Vercel security & compliance →

Technical Safeguards

• Encryption in Transit: TLS 1.3 for all data transfers
• Encryption at Rest: AES-256 encryption for stored data
• Access Controls: Role-based access with multi-factor authentication

6.3 Your Rights Regarding Transfers

You have the right to:

• Request information about safeguards used for data transfers
• Obtain a copy of the Standard Contractual Clauses we use
• Object to data transfers (though this may prevent you from using our Services)

7. Right to File a Complaint

If you believe we have not handled your personal data properly or violated your GDPR rights, you have the right to lodge a complaint with a supervisory authority.

7.1 Contact Us First

Before filing a formal complaint, we encourage you to contact us at support@bulktify.com. We take privacy concerns seriously and will work to resolve issues quickly.

7.2 Supervisory Authority

You can file a complaint with the Data Protection Authority (DPA) in your country. Each EU/EEA country has its own DPA.

Find your DPA: https://edpb.europa.eu/about-edpb/board/members_en

7.3 What to Include in Your Complaint

• Your name and contact information
• Description of the privacy concern or violation
• What resolution you're seeking
• Any correspondence with us regarding the issue
• Supporting documentation (if applicable)

7.4 No Retaliation

You will not face any negative consequences for filing a complaint with a supervisory authority. Your rights to use our Services will not be affected.

8. Data Protection Officer

Under GDPR Article 37, some organizations are required to appoint a Data Protection Officer (DPO)—an expert responsible for monitoring data protection compliance.

8.1 Our Approach

Bulktify is a B2B SaaS platform and is not currently required to appoint a formal DPO. However, we take data protection seriously and have internal processes to ensure GDPR compliance.

8.2 Privacy Contact

For all privacy and data protection matters, please contact:

• Email: support@bulktify.com
• Subject Line: "Data Protection Inquiry"

Our privacy team will respond to your inquiry within 1 business day.

9. Children's Data

Bulktify is a B2B platform designed for businesses. We do not knowingly process personal data of children.

9.1 Age Requirements

• EU/EEA: You must be at least 16 years old (or the applicable age of digital consent in your country)
• United States: You must be at least 13 years old (COPPA compliance)
• Business Use: You must be at least 18 years old to enter into contracts (our Terms of Service)

9.2 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@bulktify.com. We will delete such information promptly.

10. Contact Us About GDPR

We're here to help you understand and exercise your GDPR rights. If you have any questions, please reach out:

Language: This GDPR information page is provided in English. If you need assistance in another language, please contact us and we will do our best to accommodate your request.