GDPR Compliance
Last Updated: July 16, 2026
Our Commitment to GDPR
ExitPolicy is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We respect your right to privacy and have implemented robust measures to ensure your personal data is handled lawfully, fairly, and transparently.
This page describes how we comply with GDPR, the legal bases on which we process your data, and the rights you have as a data subject. For full details, please also review our Privacy Policy and Cookie Policy.
Data Controller
ExitPolicy acts as the Data Controller for personal data collected through exitpolicy.org. As a Data Controller, we determine the purposes and means of processing personal data and are responsible for ensuring compliance with GDPR.
Data Controller Contact
support@exitpolicy.orgLawful Bases for Processing
We process personal data only when we have a valid lawful basis under GDPR Article 6.
| Lawful Basis | GDPR Article | How We Use It |
|---|---|---|
| Legitimate Interests | Art. 6(1)(f) | Analytics and site performance monitoring to improve content quality. |
| Consent | Art. 6(1)(a) | Sending policy change alert emails to subscribers who have explicitly consented to receive notifications. Users can withdraw consent at any time by unsubscribing. |
| Contract | Art. 6(1)(b) | Processing contact requests to respond to your inquiries. |
| Legal Obligation | Art. 6(1)(c) | Compliance with applicable law, regulation, or court order. |
Your Data Subject Rights
Under GDPR, EU/EEA residents have the following rights regarding their personal data.
Right to Access
Art. 15You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with details about how it is processed.
Right to Rectification
Art. 16You have the right to request that we correct inaccurate personal data about you without undue delay.
Right to Erasure
Art. 17Also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary for the purposes it was collected, or if you withdraw consent.
Right to Restriction
Art. 18You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of disputed data.
Right to Portability
Art. 20Where processing is based on consent or contract, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.
Right to Object
Art. 21You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Art. 7(3)Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of prior processing.
Right to Lodge a Complaint
Art. 77You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data protection law.
International Data Transfers
Some of our service providers (such as analytics platforms) may process data outside the European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, as required by GDPR Chapter V.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in our Privacy Policy, or as required by applicable law. Analytics data is retained for a maximum of 26 months. Policy alert subscription data is retained for as long as the subscription is active; when a user unsubscribes, the record is marked inactive and retained for audit purposes for up to 12 months before deletion. Contact inquiries are retained for up to 12 months unless a longer period is required by law.
Exercise Your Rights
To exercise any of your GDPR rights, or if you have questions about how we process your personal data, contact our Data Controller. We will respond to verified requests within 30 days as required by GDPR.
Submit a Data RequestYou also have the right to lodge a complaint with your national data protection supervisory authority if you believe your rights have been violated.