GDPR Compliance Statement

Last Updated: 15 September 2025

1. COMPANY INFORMATION

Company Name: DIGIFABRICA LTD
Company Number: 15390190
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: info@bittenpay.com
Director: Ümit Sönmez
Data Protection Officer (DPO): Available via info@bittenpay.com

2. INTRODUCTION

This GDPR Compliance Statement demonstrates DIGIFABRICA’s commitment to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines our approach to data protection, privacy rights, and regulatory compliance for our digital marketplace platform operations.

3. REGULATORY FRAMEWORK

3.1 Applicable Regulations

Primary Legal Framework:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018 (DPA 2018)
Privacy and Electronic Communications Regulations (PECR)
Retained EU law and international data protection standards
Sector-specific data protection requirements

International Compliance:

EU GDPR for European Economic Area operations
Adequacy decisions and international transfer mechanisms
Country-specific data protection laws where applicable
International data transfer safeguards and standards

3.2 Supervisory Authority

UK Supervisory Authority:

Information Commissioner’s Office (ICO)
Registration Number: [To be obtained if required]
Contact: ico.org.uk
Phone: 0303 123 1113
Complaint procedures available through ICO

4. DATA CONTROLLER RESPONSIBILITIES

4.1 DIGIFABRICA as Data Controller

Controller Activities:

Digital marketplace platform operations
User account management and authentication
Payment processing and financial transactions
Marketing communications and customer engagement
Customer support and service delivery
Business analytics and platform optimization

Controller Obligations:

Lawful basis determination for all processing activities
Data subject rights facilitation and response
Privacy impact assessments for high-risk processing
Data protection by design and default implementation
Records of processing activities maintenance
Data breach notification and reporting compliance

4.2 Joint Controller Arrangements

Potential Joint Controllers:

Payment processors for transaction data
Third-party analytics providers for usage data
Marketing automation platforms for communication data
Cloud service providers for infrastructure services

Joint Controller Agreements:

Clear responsibility allocation between controllers
Data subject rights response coordination
Privacy notice and transparency obligations
Data security and protection measure alignment
Breach notification and reporting procedures

5. LAWFUL BASIS FOR PROCESSING

5.1 Processing Activities and Legal Bases

Contract Performance (Article 6(1)(b) UK GDPR):

User account creation and management
Digital product delivery and access provision
Payment processing and transaction completion
Customer support and service delivery
Affiliate commission calculation and payment
Vendor payout processing and administration

Legitimate Interest (Article 6(1)(f) UK GDPR):

Platform security and fraud prevention
Business analytics and performance optimization
Marketing to existing customers
System administration and maintenance
Legal compliance and regulatory reporting
Business development and improvement

Legal Obligation (Article 6(1)(c) UK GDPR):

Tax reporting and record keeping
Anti-money laundering (AML) compliance
Financial services regulatory reporting
Court orders and legal process compliance
Regulatory investigation cooperation

Consent (Article 6(1)(a) UK GDPR):

Marketing communications to prospects
Non-essential cookies and tracking
Optional data collection for personalization
Third-party data sharing for marketing
Special category data processing (where applicable)

5.2 Legitimate Interest Assessments

Balancing Test Framework:

Necessity assessment for legitimate interest
Impact evaluation on data subject rights
Reasonable expectations consideration
Less intrusive alternatives evaluation
Safeguards and mitigation measures implementation

Documented Assessments:

Purpose and benefit identification
Necessity and proportionality evaluation
Data subject impact assessment
Balancing test conclusion and justification
Regular review and reassessment procedures

6. DATA SUBJECT RIGHTS

6.1 Individual Rights Under UK GDPR

Right of Access (Article 15):

Confirmation of personal data processing
Copy of personal data being processed
Information about processing purposes and legal basis
Data recipients and transfer information
Retention period and deletion criteria

Right to Rectification (Article 16):

Correction of inaccurate personal data
Completion of incomplete personal data
Timely processing of rectification requests
Third-party notification of corrections
Verification procedures for data accuracy

Right to Erasure (Article 17):

Deletion when data no longer necessary
Withdrawal of consent processing
Unlawful processing rectification
Public interest and freedom of expression balance
Technical and legal feasibility assessment

Right to Restrict Processing (Article 18):

Processing limitation during accuracy disputes
Unlawful processing objection accommodation
Legitimate interest objection pending verification
Legal claims data preservation
Data subject preference accommodation

Right to Data Portability (Article 20):

Structured, machine-readable format provision
Direct transmission to another controller
Technical feasibility and security considerations
Third-party rights protection
Automated processing limitation

Right to Object (Article 21):

Legitimate interest processing objection
Direct marketing communication objection
Profiling and automated decision-making objection
Public interest task balance consideration
Compelling legitimate grounds assessment

6.2 Rights Response Procedures

Request Processing Framework:

Identity Verification: Confirm data subject identity and authority
Request Assessment: Evaluate request validity and scope
Information Gathering: Collect relevant personal data and information
Response Preparation: Prepare comprehensive and accurate response
Response Delivery: Provide response within regulatory timeframes
Follow-up Actions: Implement requested actions and monitor compliance

Response Timelines:

Standard Response: Within one month of request receipt
Complex Requests: Extension up to three months with notification
Identity Verification: Reasonable time for identity confirmation
Fee Assessment: Consideration for manifestly unfounded or excessive requests

7. DATA PROCESSING ACTIVITIES

7.1 Personal Data Categories

Identity and Contact Data:

Full name and preferred name
Email addresses and phone numbers
Postal addresses and geographic location
Date of birth and age verification
Government-issued identification numbers
Professional titles and company information

Account and Profile Data:

Username and account identifiers
Profile pictures and biographical information
Account preferences and settings
Communication preferences and consent records
Account security information (encrypted)

Transaction and Financial Data:

Payment method information (tokenized)
Transaction history and amounts
Billing addresses and tax information
Commission and payout records
Refund and dispute information
Financial verification documents

Technical and Usage Data:

IP addresses and device identifiers
Browser and operating system information
Website usage patterns and navigation data
API usage and integration data
Performance and error logs
Security and audit trail information

Communication Data:

Customer support interactions
Email communications and responses
Platform notifications and messages
Survey responses and feedback
Marketing communication engagement

7.2 Special Category Data

Sensitive Data Minimization:

No intentional collection of special category data
Incidental collection identification and deletion
Enhanced protection for any inadvertent collection
Explicit consent requirements for legitimate collection
Regular audit and monitoring for special category data

Processing Safeguards:

Additional technical and organizational measures
Enhanced access controls and encryption
Specialized staff training and awareness
Regular compliance monitoring and assessment
Incident response procedures for sensitive data

8. DATA RETENTION AND DELETION

8.1 Retention Framework

Retention Principles:

Data minimization and purpose limitation
Legal and regulatory requirement compliance
Business need and operational requirement assessment
Regular review and deletion scheduling
Secure deletion and destruction procedures

8.2 Retention Periods by Data Category

Data Category	Retention Period	Legal Basis
Account Information	Until account deletion + 7 years	Contract, Legal Obligation
Transaction Records	7 years from transaction date	Legal Obligation (Tax)
Communication Logs	3 years from last contact	Legitimate Interest
Marketing Data	Until consent withdrawn	Consent
Technical Logs	12 months from creation	Legitimate Interest
Security Incident Data	7 years from incident	Legitimate Interest, Legal Obligation
Customer Support Records	3 years from case closure	Contract, Legitimate Interest
Financial Records	7 years from creation	Legal Obligation

8.3 Deletion Procedures

Automated Deletion:

Scheduled deletion processes for expired data
System-wide data purging and cleanup
Backup and archive data deletion
Third-party system deletion coordination
Deletion verification and audit trails

Manual Deletion:

Data subject request processing
Legal hold and litigation consideration
Business requirement evaluation
Technical feasibility assessment
Secure deletion method implementation

9. INTERNATIONAL DATA TRANSFERS

9.1 Transfer Mechanisms

Adequacy Decisions:

Transfers to countries with UK adequacy decisions
Regular monitoring of adequacy decision status
Alternative mechanism preparation for changes
Impact assessment for adequacy modifications

Standard Contractual Clauses (SCCs):

EU Commission and UK SCCs implementation
Controller-to-controller and controller-to-processor clauses
Regular review and update of SCC agreements
Transfer impact assessment (TIA) completion
Local law and government access evaluation

Binding Corporate Rules (BCRs):

Multinational organization transfer rules
Comprehensive data protection standard implementation
Regular compliance monitoring and enforcement
Data subject rights and remedy provision
Supervisory authority approval and recognition

9.2 Transfer Impact Assessments

Assessment Requirements:

Local law and surveillance program evaluation
Government access risk and impact assessment
Additional safeguard necessity and implementation
Regular reassessment and monitoring procedures
Documentation and decision rationale recording

Risk Mitigation Measures:

Technical measures (encryption, pseudonymization)
Contractual measures (data minimization, purpose limitation)
Organizational measures (staff training, access controls)
Regular monitoring and compliance verification
Incident response and breach notification procedures

10. TECHNICAL AND ORGANIZATIONAL MEASURES

10.1 Technical Safeguards

Data Security Measures:

End-to-end encryption for data in transit (TLS 1.3)
AES-256 encryption for data at rest
Advanced key management and rotation procedures
Multi-factor authentication and access controls
Regular security testing and vulnerability assessment

System Security:

Network segmentation and firewall protection
Intrusion detection and prevention systems
Regular security updates and patch management
Backup and disaster recovery procedures
Security monitoring and incident response capability

10.2 Organizational Safeguards

Access Controls:

Role-based access control (RBAC) implementation
Principle of least privilege enforcement
Regular access reviews and certifications
Staff background checks and security clearance
Confidentiality agreements and training

Governance and Training:

Data protection impact assessment procedures
Regular staff training and awareness programs
Privacy by design and default implementation
Vendor management and third-party oversight
Incident response and breach notification procedures

11. DATA PROTECTION IMPACT ASSESSMENTS

11.1 DPIA Requirements

High-Risk Processing Triggers:

Large-scale systematic monitoring
Extensive processing of special category data
Systematic evaluation or scoring
Automated decision-making with legal effects
Processing of vulnerable individuals’ data
Innovative technology use with privacy implications
Public area surveillance or tracking

11.2 DPIA Process

Assessment Framework:

Scope Definition: Processing operation description and necessity
Stakeholder Consultation: Data subject and expert input gathering
Risk Assessment: Privacy risk identification and evaluation
Mitigation Measures: Risk reduction and safeguard implementation
Residual Risk Evaluation: Remaining risk assessment and acceptability
Review and Monitoring: Ongoing assessment and improvement

Documentation Requirements:

Comprehensive processing description
Necessity and proportionality assessment
Risk identification and impact evaluation
Mitigation measure specification and effectiveness
Review schedule and monitoring procedures

12. DATA BREACH MANAGEMENT

12.1 Breach Detection and Response

Detection Capabilities:

Automated monitoring and alert systems
Staff reporting and escalation procedures
Third-party notification and cooperation
Customer and data subject reporting channels
Regular security assessment and testing

Response Procedures:

Detection and Verification: Incident identification and confirmation
Containment and Assessment: Risk evaluation and impact assessment
Investigation and Documentation: Root cause analysis and evidence gathering
Notification and Communication: Regulatory and stakeholder notification
Remediation and Recovery: Corrective action and system restoration
Review and Improvement: Lessons learned and prevention enhancement

12.2 Breach Notification

Supervisory Authority Notification:

72-hour notification requirement to ICO
Comprehensive breach description and impact assessment
Technical and organizational measures taken
Risk mitigation and prevention recommendations
Regular update and follow-up communication

Data Subject Notification:

High-risk breach notification requirement
Clear and plain language communication
Practical remediation advice and guidance
Contact information for additional support
Regular update and status communication

13. VENDOR AND THIRD-PARTY MANAGEMENT

13.1 Data Processor Agreements

Processor Selection:

Due diligence and security assessment
Technical and organizational measure evaluation
Compliance certification and audit verification
References and reputation evaluation
Contract negotiation and agreement execution

Processing Agreements:

Article 28 UK GDPR compliance requirements
Processing instruction specification and limitation
Data security and protection measure requirements
Sub-processor authorization and management
Audit rights and compliance verification

13.2 Sub-Processor Management

Sub-Processor Authorization:

Written authorization for sub-processor engagement
Due diligence and compliance verification
Equivalent data protection obligation imposition
Regular monitoring and performance assessment
Change notification and objection procedures

Current Sub-Processors:

Sub-Processor	Service	Location	Safeguards
Stripe	Payment Processing	Ireland/US	Article 28 Agreement, SCCs
Amazon Web Services	Cloud Infrastructure	UK/Ireland	Article 28 Agreement, Certification
Mailgun	Email Services	US	Article 28 Agreement, SCCs
Google Analytics	Website Analytics	US	Data Processing Amendment

14. PRIVACY BY DESIGN AND DEFAULT

14.1 Design Principles

Privacy by Design Implementation:

Privacy impact assessment for new systems
Data minimization and purpose limitation
Privacy-enhancing technology deployment
User control and transparency features
Regular privacy review and optimization

Privacy by Default:

Most privacy-friendly settings as default
Opt-in consent for non-essential processing
Granular privacy control and management
Clear and accessible privacy information
Regular default setting review and improvement

14.2 System Development

Development Lifecycle:

Privacy requirement integration in design
Privacy impact assessment for new features
Security and privacy testing procedures
Privacy review and approval processes
Post-deployment monitoring and assessment

15. TRANSPARENCY AND ACCOUNTABILITY

15.1 Transparency Measures

Privacy Notice Provision:

Clear and comprehensive privacy information
Accessible and user-friendly presentation
Regular review and update procedures
Multiple language availability where appropriate
Specific notice for sensitive processing

Data Subject Communication:

Proactive privacy information provision
Regular privacy update and communication
Educational resources and guidance
Responsive customer support and assistance
Feedback and suggestion incorporation

15.2 Accountability Framework

Compliance Documentation:

Records of processing activities maintenance
Data protection impact assessment records
Staff training and awareness documentation
Vendor and third-party agreement records
Breach incident and response documentation

Regular Compliance Review:

Annual privacy compliance assessment
Quarterly risk and control review
Regular staff training and certification
Third-party audit and verification
Continuous improvement and optimization

16. DATA SUBJECT SUPPORT

16.1 Rights Exercise Support

Support Services:

Dedicated privacy and data protection contact
Clear guidance on rights exercise procedures
Assistance with request completion and submission
Regular status updates and communication
Escalation procedures for complex issues

Educational Resources:

Privacy rights explanation and guidance
Request submission templates and examples
Frequently asked questions and answers
Video tutorials and step-by-step guides
Regular privacy awareness communication

16.2 Complaint Resolution

Internal Complaint Process:

Dedicated privacy complaint procedures
Fair and timely complaint investigation
Regular status update and communication
Satisfactory resolution and remedy provision
Follow-up and satisfaction verification

External Complaint Rights:

Information Commissioner’s Office (ICO) complaint procedures
Clear guidance on supervisory authority contact
Assistance with complaint preparation and submission
Cooperation with regulatory investigation
Implementation of regulatory recommendations

17. INTERNATIONAL CONSIDERATIONS

17.1 Cross-Border Compliance

Multi-Jurisdictional Operations:

EU GDPR compliance for European operations
Local data protection law compliance assessment
Cultural and linguistic consideration integration
Professional legal advice for complex issues
Regular regulatory monitoring and update

17.2 Brexit Impact Management

UK-EU Data Flows:

Adequacy decision monitoring and compliance
Standard contractual clause implementation
Brexit transition impact assessment
Alternative mechanism preparation and implementation
Regular legal and regulatory update monitoring

18. CONTINUOUS IMPROVEMENT

18.1 Performance Monitoring

Compliance Metrics:

Data subject rights response timeliness
Privacy training completion rates
Breach detection and response effectiveness
Vendor compliance and performance assessment
Customer satisfaction and feedback analysis

18.2 Enhancement Programs

Improvement Initiatives:

Regular privacy program assessment and enhancement
Industry best practice research and implementation
Technology advancement integration and adoption
Staff suggestion and feedback incorporation
Customer and stakeholder input integration

19. CONTACT INFORMATION

19.1 Data Protection Contact

Primary Contact:

Email: info@bittenpay.com
Subject: “Data Protection Inquiry”
Response time: Within 72 hours

19.2 Data Subject Rights

Rights Requests:

Email: info@bittenpay.com
Subject: “Data Subject Rights Request – [Type of Request]”
Response time: Within one month

19.3 Privacy Complaints

Complaint Submission:

Email: info@bittenpay.com
Subject: “Privacy Complaint”
External: Information Commissioner’s Office (ico.org.uk)

20. SUPERVISORY AUTHORITY

20.1 UK Information Commissioner’s Office

Contact Information:

Website: ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Online Complaint Form: Available on ICO website

21. POLICY UPDATES

21.1 Regular Review

Review Schedule:

Annual comprehensive compliance review
Quarterly regulatory update assessment
Immediate updates for legal or regulatory changes
User feedback integration and improvement
Industry best practice benchmarking

21.2 Change Communication

Update Notification:

30 days advance notice for material changes
Clear explanation of modifications and impacts
Training and education on updated requirements
Transition periods for compliance implementation
Ongoing support during policy updates

22. GOVERNING LAW

This GDPR Compliance Statement operates under UK data protection law and demonstrates compliance with UK GDPR, Data Protection Act 2018, and related privacy regulations.

23. EFFECTIVE DATE

This GDPR Compliance Statement is effective as of 15 September 2025 and demonstrates DIGIFABRICA’s ongoing commitment to data protection compliance.