Digital Builders

GDPR Compliance Policy

Effective Date: 18 February 2026 · Last Updated: 18 February 2026

1. Purpose and Scope

This GDPR Compliance Policy sets out Digital Builders's commitment to and framework for compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It applies to all personal data we process in our capacity as a data controller and, where applicable, as a data processor for Community Owners using our platform.

This policy is intended to provide transparency for data subjects, Community Owners, and other stakeholders about how Digital Builders meets its obligations under the GDPR.

2. Our Dual Role: Controller and Processor

2.1 When Digital Builders is a Data Controller

Digital Builders acts as a data controller when we determine the purposes and means of processing personal data. This includes:

  • Account registration and management data.
  • Billing and subscription data.
  • Platform usage analytics and technical logs.
  • Support and communication data.

2.2 When Digital Builders is a Data Processor

Digital Builders acts as a data processor when processing personal data on behalf of Community Owners. This includes member data within a community, course participation records, coaching session records, and community-generated content.

In this capacity, we process data only on documented instructions from the Community Owner (the data controller) and pursuant to a Data Processing Agreement (DPA).

3. Data Processing Agreement (DPA)

All Community Owners on a paid plan are provided with a Data Processing Agreement, which forms part of their agreement with Digital Builders. The DPA covers:

  • The subject matter and duration of processing.
  • The nature and purpose of processing.
  • The types of personal data and categories of data subjects.
  • Obligations and rights of the Community Owner as controller.
  • Digital Builders's obligations as processor, including sub-processor management.

Community Owners may request a copy of our standard DPA by contacting dpo@digitalbuilders.io.

4. Lawful Bases for Processing

We identify and document a lawful basis for every category of personal data we process as a controller. Our primary lawful bases are:

  • Contract (Article 6(1)(b)): Processing necessary to perform our contract with users.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, balanced against data subjects' rights.
  • Legal Obligation (Article 6(1)(c)): Processing required by applicable law.
  • Consent (Article 6(1)(a)): Processing based on clear, freely given, informed consent, particularly for marketing and non-essential cookies.

5. Data Subject Rights Management

We have implemented procedures to honour all data subject rights under the GDPR within required timeframes (generally 30 days, extendable by 2 months in complex cases):

5.1 Rights Requests Process

  • Data subjects submit requests via email to dpo@digitalbuilders.io or through the account settings panel.
  • Requests are logged, assigned, and responded to within 30 days.
  • Identity verification is performed before fulfilling requests to prevent unauthorised disclosure.
  • Complex requests may require an extension, notified to the data subject.

5.2 Right to Erasure (Right to be Forgotten)

When a deletion request is received, we delete or anonymise personal data within 90 days, except where retention is legally required. We also notify sub-processors to delete the data where technically feasible.

5.3 Data Portability

Users may export their personal data in a machine-readable format (JSON or CSV) via account settings. This includes profile data, course history, and community activity.

6. Sub-Processors

We maintain a current list of sub-processors and notify Community Owners of material changes. We use the following categories of sub-processors to provide the Service:

  • Cloud Infrastructure & Hosting: for platform hosting and data storage.
  • Payment Processing: Stripe (for subscription and billing processing).
  • Video Conferencing: Zoom (for coaching and event sessions).
  • Error Monitoring: Sentry (for application performance and error tracking).
  • Email Delivery: for transactional and notification emails.

All sub-processors are bound by data processing agreements requiring GDPR-compliant data handling. Sub-processors located outside the EEA are subject to appropriate transfer safeguards.

7. Data Protection by Design and Default

Digital Builders integrates data protection principles into the design of our platform and business processes:

  • Data minimisation: We collect only data necessary for the stated purposes.
  • Purpose limitation: Data collected for one purpose is not repurposed without justification.
  • Storage limitation: Automated deletion schedules remove data no longer required.
  • Privacy settings: Accounts default to privacy-protective settings.
  • Encryption: Personal data is encrypted in transit (TLS) and at rest (AES-256).
  • Access controls: Role-based access ensures staff access only data necessary for their role.
  • Pseudonymisation: Where feasible, data used for analytics is pseudonymised.

8. Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments for new processing activities that are likely to result in a high risk to data subjects. DPIAs are triggered for:

  • Large-scale processing of sensitive personal data.
  • Systematic monitoring of publicly accessible areas.
  • Processing involving new technologies (e.g., AI-generated content features).
  • Profiling or automated decision-making with significant effects.

9. Data Breach Response

We maintain a documented Data Breach Response Procedure:

  • Detection and containment of the breach within 24 hours.
  • Assessment of risk to data subjects.
  • Notification to the relevant supervisory authority within 72 hours where required.
  • Notification to affected data subjects without undue delay if the breach poses a high risk.
  • Documentation of the breach, its effects, and remedial actions taken.

Data breaches are logged in our breach register regardless of notification threshold.

10. International Data Transfers

Where personal data is transferred outside the European Economic Area, we rely on:

  • European Commission adequacy decisions for transfers to recognised adequate countries.
  • Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914 for other third-country transfers.
  • Binding Corporate Rules where applicable.

When SCCs are used, transfer impact assessments are conducted to evaluate the risk of third-country access to transferred data.

11. Records of Processing Activities (Article 30)

As required by Article 30 of the GDPR, we maintain records of our processing activities. These records include:

  • Categories of data subjects and personal data processed.
  • Purposes of processing.
  • Categories of recipients.
  • International transfers and safeguards.
  • Retention schedules.
  • Technical and organisational security measures.

These records are available to supervisory authorities upon request.

12. Data Protection Officer (DPO)

Digital Builders has appointed a Data Protection Officer who is responsible for:

  • Advising on GDPR compliance and monitoring internal compliance.
  • Serving as the point of contact for data subjects exercising their rights.
  • Liaising with supervisory authorities.
  • Conducting and overseeing DPIAs.
  • Providing training and awareness to staff.

Contact: dpo@digitalbuilders.io

13. Staff Training and Awareness

All Digital Builders staff with access to personal data receive GDPR training upon onboarding and at least annually thereafter. Training covers data subject rights, security practices, breach reporting procedures, and the use of personal data in AI-powered features.

14. Community Owner Obligations

Community Owners using Digital Builders are independent data controllers for their community member data. They are responsible for:

  • Having a lawful basis for collecting and processing member data.
  • Providing members with a compliant privacy notice.
  • Honouring member data subject rights requests.
  • Ensuring any additional third-party tools they use comply with GDPR.
  • Not directing Digital Builders to process data in ways that would violate GDPR.

Digital Builders provides tools within the platform to assist Community Owners with their compliance obligations, but ultimate compliance responsibility rests with the Community Owner as data controller.

15. Supervisory Authority

Digital Builders's lead supervisory authority under the GDPR is determined by our establishment location. Data subjects in EU member states have the right to lodge complaints with their local data protection authority.

A directory of EU/EEA supervisory authorities is maintained by the European Data Protection Board at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

16. Policy Review

This GDPR Compliance Policy is reviewed at least annually and updated to reflect changes in law, regulatory guidance, or our processing activities. The current version is always available at digitalbuilders.io/gdpr-policy.

17. Contact

For all GDPR-related enquiries:

Digital Builders | Barcelona | Spain