Opto Softechs Pvt. Ltd.

GDPR Compliance

Last Updated: 1 February 2026

Our Commitment to GDPR Compliance

Opto Softechs Pvt. Ltd. is committed to protecting the personal data of individuals in the European Union and European Economic Area. This page explains how we comply with the General Data Protection Regulation (GDPR) and your rights under this regulation.

1. GDPR Principles

We process personal data in accordance with the following GDPR principles:

1.1 Lawfulness, Fairness, and Transparency

  • We process data only when we have a legal basis
  • We are transparent about our data processing activities
  • We provide clear information about data usage
  • We never use deceptive practices to collect data

1.2 Purpose Limitation

  • We collect data for specific, explicit, legitimate purposes
  • We do not process data in ways incompatible with the original purpose
  • If purposes change, we seek new consent or establish a new legal basis

1.3 Data Minimization

  • We collect only data necessary for our stated purposes
  • We regularly review data we hold
  • We delete unnecessary data
  • We limit access to personal data

1.4 Accuracy

  • We take reasonable steps to ensure data accuracy
  • We provide mechanisms to update or correct data
  • We delete or rectify inaccurate data promptly
  • We encourage users to keep their information current

1.5 Storage Limitation

  • We retain data only as long as necessary
  • We have clear retention policies
  • We delete or anonymize data when no longer needed
  • We consider legal obligations in retention decisions

1.6 Integrity and Confidentiality

  • We implement appropriate technical security measures
  • We protect against unauthorized access, loss, or destruction
  • We encrypt sensitive data
  • We train staff on data protection

1.7 Accountability

  • We document our compliance efforts
  • We maintain records of processing activities
  • We conduct Data Protection Impact Assessments (DPIAs) when required
  • We can demonstrate compliance with GDPR

2. Legal Basis for Processing

2.1 Consent

When we rely on consent:

  • Marketing communications and promotional emails
  • Optional features and enhanced functionality
  • Non-essential cookies and tracking
  • Sharing data with third parties for marketing

Your rights when we use consent:

  • Consent must be freely given, specific, informed, and unambiguous
  • You can withdraw consent at any time
  • Withdrawal is as easy as giving consent
  • We do not condition service on unnecessary consent

2.2 Contractual Necessity

When we rely on contract:

  • Creating and managing your account
  • Providing our services
  • Processing payments and transactions
  • Delivering customer support
  • Fulfilling our obligations to you

2.3 Legal Obligation

When required by law:

  • Tax and accounting records (7 years)
  • Financial transaction records
  • Responses to legal requests
  • Compliance with court orders
  • Anti-money laundering checks

2.4 Legitimate Interest

When we have legitimate interest:

  • Fraud prevention and security
  • Network and information security
  • Service improvement and analytics
  • Direct marketing to existing customers
  • Internal administrative purposes

We balance our interests against your rights and freedoms through Legitimate Interest Assessments (LIAs).

3. Your GDPR Rights

3.1 Right to Access (Article 15)

You have the right to:

  • Request confirmation of whether we process your data
  • Obtain a copy of your personal data
  • Receive information about processing purposes, categories, recipients
  • Know the retention period or criteria
  • Learn about data sources (if not collected from you)

How to exercise: Submit a Data Subject Access Request (DSAR) via email

Response time: Within 1 month (may extend to 3 months for complex requests)

3.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete data
  • Update outdated information

How to exercise: Update in your account settings or contact us

Response time: Within 1 month

3.3 Right to Erasure / Right to be Forgotten (Article 17)

You have the right to deletion when:

  • Data no longer necessary for original purpose
  • You withdraw consent (where consent is the legal basis)
  • You object to processing and no overriding legitimate grounds exist
  • Data processed unlawfully
  • Required by legal obligation

Exceptions: We may retain data for:

  • Compliance with legal obligations
  • Establishment, exercise, or defense of legal claims
  • Public interest or scientific research

3.4 Right to Restriction of Processing (Article 18)

You can request restriction when:

  • You contest data accuracy (during verification period)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need data but you need it for legal claims
  • You object to processing (pending verification of our grounds)

3.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your data in structured, commonly used, machine-readable format
  • Transmit data to another controller
  • Have data transmitted directly where technically feasible

Applies when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

Format provided: JSON, CSV, or XML

3.6 Right to Object (Article 21)

You can object to processing based on:

  • Legitimate interests
  • Performance of public interest tasks
  • Direct marketing (absolute right)
  • Profiling for direct marketing

For direct marketing: Opt-out link in every email, unsubscribe immediately

For other purposes: We assess and respond within 1 month

3.7 Rights Related to Automated Decision-Making (Article 22)

You have the right to:

  • Not be subject to solely automated decisions with legal/significant effects
  • Human review of automated decisions
  • Express your point of view
  • Contest automated decisions

Our practice: Significant decisions always involve human oversight

3.8 Right to Withdraw Consent

Where processing is based on consent:

  • You can withdraw at any time
  • Withdrawal does not affect lawfulness of past processing
  • We provide easy withdrawal mechanisms
  • No negative consequences for withdrawal

3.9 Right to Lodge a Complaint

You can file a complaint with:

  • Your national data protection authority
  • The authority where you reside, work, or where alleged infringement occurred
  • List of EU authorities: EDPB Members

4. International Data Transfers

4.1 Transfer Mechanisms

When transferring data outside the EEA, we use:

Standard Contractual Clauses (SCCs):

  • EU Commission approved clauses
  • Legally binding data protection obligations
  • Available upon request

Adequacy Decisions:

  • Transfers to countries with adequate data protection
  • Current list maintained by European Commission

Additional Safeguards:

  • Transfer Impact Assessments
  • Technical measures (encryption, pseudonymization)
  • Contractual safeguards with processors

4.2 US Data Transfers

For transfers to the United States:

  • We monitor developments following the Schrems II decision
  • We use SCCs with supplementary measures
  • We conduct case-by-case assessments
  • We may seek explicit consent for sensitive transfers

5. Data Processing Records

5.1 Article 30 Records

We maintain records of processing activities including:

  • Controller and processor contact details
  • Processing purposes and legal bases
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Security measures

5.2 Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for:

  • Systematic monitoring of public areas
  • Large-scale processing of sensitive data
  • Automated decision-making with legal effects
  • New technologies or processing operations

6. Data Breach Procedures

6.1 Breach Detection and Response

In the event of a personal data breach:

Internal Response (0-24 hours):

  • Identify and contain the breach
  • Assess the risk to individuals
  • Document the breach
  • Activate incident response team

Supervisory Authority Notification (within 72 hours):

  • Nature of the breach
  • Categories and approximate numbers affected
  • Likely consequences
  • Measures taken or proposed

Individual Notification (without undue delay):

  • Required when high risk to rights and freedoms
  • Clear and plain language
  • Direct communication to affected individuals
  • Advice on protective measures

6.2 Our Commitment

  • We maintain incident response procedures
  • We conduct regular security audits
  • We train staff on breach response
  • We continuously improve security measures

7. Children’s Data

Under GDPR:

  • We do not knowingly process data of children under 16 (or lower age set by member state)
  • Parental consent required for information society services
  • We verify parental consent when collecting children’s data
  • We delete data if we discover it belongs to a child

8. Data Protection Officer (DPO)

8.1 DPO Role

Our Data Protection Officer:

  • Monitors GDPR compliance
  • Advises on data protection matters
  • Cooperates with supervisory authorities
  • Serves as contact point for data subjects

8.2 Contact DPO

Email: dpo@optosoftechs@gmail.com
Postal Address: [Your Business Address]

9. EU Representative

If you’re in the EU and want to contact our EU representative:

Email: eu-rep@optosoftechs@gmail.com
Postal Address: [EU Representative Address]

10. Security Measures

10.1 Technical Measures

  • Encryption (in transit and at rest)
  • Access controls and authentication
  • Regular security testing and audits
  • Intrusion detection systems
  • Secure data deletion procedures

10.2 Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements
  • Data protection policies
  • Vendor due diligence
  • Regular compliance reviews

11. Processor Obligations

When acting as a data processor for your data:

  • We process only on your documented instructions
  • We ensure confidentiality of processing staff
  • We implement appropriate security measures
  • We use sub-processors only with your authorization
  • We assist with data subject rights requests
  • We help with security incidents
  • We delete or return data at contract end
  • We provide information to demonstrate compliance

11.1 Data Processing Agreement

Available for business customers requiring Article 28 DPA. Contact us for a signed agreement.

12. How to Exercise Your Rights

12.1 Submit a Request

Email: optosoftechs@gmail.com
Subject Line: ‘GDPR Rights Request’
Include: Your name, account email, specific request

12.2 Verification

To protect your privacy:

  • We verify your identity before responding
  • May require additional documentation
  • Will not disclose data to unauthorized parties

12.3 Response Timeline

  • Standard: Within 1 month
  • Complex requests: Up to 3 months (with notification)
  • Unfounded/excessive requests: May charge reasonable fee or refuse

13. Updates to GDPR Compliance

We update our practices to:

  • Reflect changes in GDPR guidance
  • Incorporate supervisory authority decisions
  • Address new EDPB guidelines
  • Improve data protection measures

14. Questions and Complaints

14.1 Contact Us

For GDPR questions or concerns:

  • Email: optosoftechs@gmail.com
  • DPO: dpo@optosoftechs@gmail.com
  • Phone: [Your Phone Number]

14.2 Complaint to Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. Find your authority at: EDPB Members

This GDPR Compliance page was last updated in February 2026.

Questions About Our Legal Policies?

If you have any questions or concerns about our legal policies, please contact us at: contact@optosoftechs.com

Contact

Opto Softechs Pvt. Ltd.

Nagarjun Municipality - 1,
Kathmandu

contact@optosoftechs.com

+977 9851141663

+977 9849870656

© 2026 Opto Softechs Pvt. Ltd. All rights reserved.