GDPR Compliance
UltimateIntel is designed for GDPR compliance from the ground up. Rather than retrofitting compliance onto an existing system, we built privacy-by-design principles into our architecture from the first line of code. This page details our approach to each major GDPR requirement.
Data Subject Access Requests (DSAR)
We process DSARs through our automated compliance engine. Request your data export or deletion at any time through the privacy dashboard in your account settings. DSARs are acknowledged within 72 hours and completed within 30 days as required by GDPR. Our automated system handles most requests within 48 hours. Export requests produce a comprehensive data package including all personal data, processing records, and consent history in machine-readable JSON format.
Data Processing
All data processing follows the principles of purpose limitation, data minimization, and storage limitation defined in GDPR Article 5. We process data solely to provide the intelligence services you have requested and only retain it for as long as necessary to fulfill that purpose.
Key processing safeguards include: processing of all data within GCP regions with configurable EU residency; Data Processing Agreements (DPA) available and required for all plan tiers; a maintained and published sub-processor list updated within 30 days of any change; and Privacy Impact Assessments conducted before any new processing activity or significant system change.
Legal Basis
Our legal basis for processing varies by data category. Account data (name, email, company) is processed under contractual necessity as it is required to provide the service. Connected tool data is processed based on your explicit consent given when you authorize each connector. Usage analytics are processed under legitimate interest for service improvement with opt-out available. Payment data is processed under contractual necessity and legal obligation for tax and accounting requirements.
Deletion and Crypto-Shredding
Our deletion system goes beyond simple database record removal. Each tenant has a dedicated AES-256-GCM Data Encryption Key (DEK). The DEK is wrapped by a master Key Encryption Key (KEK) stored in Google Secret Manager. All tenant data at rest is encrypted with the tenant DEK. When deletion is requested, the DEK is destroyed, making all encrypted data permanently and mathematically unrecoverable.
Deletion certificates are generated as cryptographic proof of destruction, containing the timestamp of deletion, a hash of the destroyed key material, confirmation of all storage locations cleared, and a verifiable digital signature. The process completes within 30 days per GDPR requirements, with most deletions finishing within 7 days.
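The key hierarchy and shredding step described above, as an added Go example that is not UltimateIntel's code. The `Tenant` type, the helper names, and the choice to hash the wrapped DEK are assumptions; the keys and the record are constructed, and the certificate's signature is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tenant is what storage holds: the KEK-wrapped DEK and the DEK-encrypted data.
type Tenant struct{ WrappedDEK, Data []byte }

// seal encrypts pt with AES-256-GCM under a 32-byte key and prepends the nonce.
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key) // callers in this example always pass 32 bytes
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key, tampering, or a destroyed blob.
func open(key, blob []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 {
		return nil, fmt.Errorf("key or ciphertext unavailable")
	}
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, blob[:12], blob[12:], nil)
}

// Shred drops the only stored copy of the wrapped DEK and returns its SHA-256
// for the deletion record (assumption: the hash covers the wrapped form).
func (t *Tenant) Shred() [32]byte {
	h := sha256.Sum256(t.WrappedDEK)
	t.WrappedDEK = nil
	return h
}

func main() {
	kek, dek := make([]byte, 32), make([]byte, 32) // constructed random keys
	rand.Read(kek)
	rand.Read(dek)
	t := &Tenant{seal(kek, dek), seal(dek, []byte("constructed tenant record"))}
	h := t.Shred()
	_, err := open(kek, t.WrappedDEK)
	fmt.Printf("key hash %x\nunwrap after shred: %v\nciphertext left: %d bytes\n", h, err, len(t.Data))
}
```

Destroying the key only renders the data unrecoverable if every copy of the wrapped DEK, including backups and caches, is destroyed with it.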
DPO Contact
Data protection inquiries can be directed to our Data Protection Officer through the support form. Select "Privacy" as the subject category and include "DPO" in your message. The DPO reviews all privacy-related communications and ensures our processing activities remain compliant with GDPR and other applicable privacy regulations.
Cross-Border Transfers
International data transfers are governed by Standard Contractual Clauses approved by the European Commission. For Enterprise and Strategic plan customers, we offer EU-only data residency where all processing occurs within European data centers. Transfer Impact Assessments are conducted for each destination country and reviewed annually.
Processor Agreements
All sub-processors are bound by GDPR-compliant Data Processing Agreements that specify the scope and purpose of processing, require implementation of appropriate technical and organizational measures, mandate breach notification within 24 hours, prohibit sub-sub-processing without prior authorization, and require data return or deletion upon termination. We maintain a current list of sub-processors and notify customers 30 days before adding any new sub-processor, providing an opportunity to object.
Consent Management
Granular consent records are maintained for each data subject and processing purpose. Consent can be withdrawn at any time through the privacy dashboard. Consent withdrawal is processed immediately, with processing ceasing within 24 hours. Historical consent records are retained for audit purposes even after withdrawal.