MasEase GDPR Policy

    Last updated: September 20, 2025

    Effective Date: September 25, 2025

    Lawful Basis for Processing

    We process personal data only under a lawful basis (Art. 6 GDPR):

    • Consent: For optional features like marketing emails or push notifications—freely given, informed, and withdrawable via Settings.
    • Contract: To deliver core Services (e.g., aggregating leads from social platforms, syncing calendars with Fresha/Calendly webhooks).
    • Legitimate Interests: For security (e.g., fraud detection via IP logs), analytics (anonymized response times), and improvements—balanced against user rights via DPIAs.
    • Legal Obligation: For billing/subscriptions (e.g., tax records).

    Data Protection Principles

    We adhere to GDPR's core principles (Art. 5):

    • Lawfulness, Fairness, Transparency: Clear notices at signup; Privacy Policy linked everywhere.
    • Purpose Limitation: Data used only for stated purposes (e.g., urgency sorting in Inbox, not resale).
    • Data Minimization: Collect only essentials (e.g., email for Staff invites, no unnecessary geo-data).
    • Accuracy: Users can update via profile; we auto-correct via integrations.
    • Storage Limitation: Retention periods depend on the processing purpose (for example, payment records up to 7 years for legal reasons; see the Storage Limitation & Retention Update below), after which data is deleted or anonymized—automated via Supabase triggers.
    • Integrity and Confidentiality: Technical and organisational measures including encryption, row-level security (RLS) policies, and API boundaries as defined in the scope document. Annual audits following ISO 27001-inspired practices.
    • Accountability: Records of processing, DPIAs for AI features (e.g., conflict detection), and vendor contracts with DPAs.

    User Rights (Arts. 15-22)

    EU users have full rights, exercisable via legal@masx.ai. We respond within 1 month (extendable by up to two further months for complex or numerous requests, in which case we notify you of the delay), free of charge unless a request is manifestly unfounded or excessive.

    • Access/export portable data (e.g., leads, analytics).
    • Rectification of inaccuracies.
    • Erasure ("right to be forgotten"): deletes data not required for the Service, subject to legal retention obligations.
    • Restriction/objection to processing (e.g., stop analytics).
    • Data portability in machine-readable format.
    • Automated decisions: No decisions based solely on automated processing that produce legal or similarly significant effects; AI features (e.g., sorting) include human oversight.
    • Withdraw consent anytime.

    International Data Transfers

    Data may be transferred outside the EEA (e.g., to Supabase servers in the US). We rely on Standard Contractual Clauses (SCCs) and adequacy decisions, following the EU Commission's 2025 updates. No transfers to third countries lacking an adequacy decision take place without such safeguards.

    Data Protection Officer (DPO) and Breach Notification

    DPO: legal@masx.ai - handles queries and oversees compliance. Personal data breaches are notified to the supervisory authority within 72 hours of our becoming aware of them (Art. 33); where a breach is likely to result in a high risk to individuals, affected users are informed without undue delay (Art. 34). Our breach procedures also follow IAB Europe's 2025 playbook.

    Children's Data

    The Service is offered to businesses and users aged 18+; we do not target children. Any incidentally collected children's data is deleted immediately (Art. 8).

    Updates and Oversight

    We review this policy annually or when processing changes (e.g., new integrations). Our lead supervisory authority is the Irish Data Protection Commission (DPC), where our EU headquarters is established. Questions? legal@masx.ai.

    GDPR Compliance Statement — 2025 Updates

    Storage Limitation & Retention Update

    We retain personal data for periods according to processing purpose and legal requirements:

    • Account data: kept for the active life of the account, plus 12 months for auditing and backup, unless longer retention is required by law.
    • Payment/Transaction records: stored for up to 7 years to satisfy finance and accounting regulations.
    • Lead data/integrations: held for as long as the user chooses or until deleted via dashboard settings; anonymized after deletion or subscription closure.
    • Logs and analytics: purged on a rolling 90-day cycle, unless required for a security investigation or legal compliance.

    Retention criteria are reviewed annually and kept to the minimum consistent with the processing purpose and the data minimization principle.

    Data Minimization in Practice

    To meet minimization, we routinely and automatically audit datasets, offer users granular controls to delete or export data, and check integrations for only necessary synced fields. Internal reviews flag and remediate unnecessary data or excessive retention.

    Complaint Route

    If you are dissatisfied with our response, you have the right under GDPR (Art. 77) to lodge a complaint with an EU supervisory authority, including the Irish Data Protection Commission (lead authority for MasEase) or the authority in the Member State where you habitually reside or work, or where the alleged infringement took place.

    Contact details for EU DPA authorities are available on the official European Commission website and will be provided upon request.

    AI, Profiling, and Automated Decisions (2025 update)

    Automated sorting and recommendations in MasEase are explainable: core algorithms are designed for human interpretability, and the key logic is described in Help/FAQ. Our platform does not profile users or make decisions with legal or similarly significant effects without manual review, and users can opt out of such processing.

    If significant changes to AI or profiling are introduced, the platform and the compliance statement will be updated to provide transparent logic and meaningful explanation per latest EU/CJEU guidance.

    International Transfers: SCC Update Clause

    All international transfers rely on standard contractual clauses, adequacy decisions, and supplementary measures as prescribed by the EU Commission. SCCs and other safeguards are routinely monitored and updated to comply with the latest EU Commission recommendations. Users will be notified in case of changes affecting their rights.