Legal

GDPR Compliance

Last Updated: July 16, 2026

Our Commitment to GDPR

ExitPolicy is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We respect your right to privacy and have implemented robust measures to ensure your personal data is handled lawfully, fairly, and transparently.

This page describes how we comply with GDPR, the legal bases on which we process your data, and the rights you have as a data subject. For full details, please also review our Privacy Policy and Cookie Policy.

Data Controller

ExitPolicy acts as the Data Controller for personal data collected through exitpolicy.org. As a Data Controller, we determine the purposes and means of processing personal data and are responsible for ensuring compliance with GDPR.

Data Controller Contact

support@exitpolicy.org

Lawful Bases for Processing

We process personal data only when we have a valid lawful basis under GDPR Article 6.

Lawful BasisGDPR ArticleHow We Use It
Legitimate InterestsArt. 6(1)(f)Analytics and site performance monitoring to improve content quality.
ConsentArt. 6(1)(a)Sending policy change alert emails to subscribers who have explicitly consented to receive notifications. Users can withdraw consent at any time by unsubscribing.
ContractArt. 6(1)(b)Processing contact requests to respond to your inquiries.
Legal ObligationArt. 6(1)(c)Compliance with applicable law, regulation, or court order.

Your Data Subject Rights

Under GDPR, EU/EEA residents have the following rights regarding their personal data.

Right to Access

Art. 15

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with details about how it is processed.

Right to Rectification

Art. 16

You have the right to request that we correct inaccurate personal data about you without undue delay.

Right to Erasure

Art. 17

Also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary for the purposes it was collected, or if you withdraw consent.

Right to Restriction

Art. 18

You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of disputed data.

Right to Portability

Art. 20

Where processing is based on consent or contract, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.

Right to Object

Art. 21

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Art. 7(3)

Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

Art. 77

You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data protection law.

International Data Transfers

Some of our service providers (such as analytics platforms) may process data outside the European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, as required by GDPR Chapter V.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in our Privacy Policy, or as required by applicable law. Analytics data is retained for a maximum of 26 months. Policy alert subscription data is retained for as long as the subscription is active; when a user unsubscribes, the record is marked inactive and retained for audit purposes for up to 12 months before deletion. Contact inquiries are retained for up to 12 months unless a longer period is required by law.

Exercise Your Rights

To exercise any of your GDPR rights, or if you have questions about how we process your personal data, contact our Data Controller. We will respond to verified requests within 30 days as required by GDPR.

Submit a Data Request

You also have the right to lodge a complaint with your national data protection supervisory authority if you believe your rights have been violated.