GDPR Compliance

Effective Date : 13 June 2025

1. Introduction and Scope

This document outlines Connekit-eo Inc.'s commitment to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. As a Delaware-incorporated digital marketing agency operating AI-powered tools and e-wallet services, we process personal data of EU residents and are therefore subject to GDPR requirements.

Scope of Application :

All personal data processing activities conducted by Connekit-eo Inc.
Data processing through our AI marketing tools and algorithms
Financial data processing via our integrated e-wallet platform
Marketing campaigns and client data management
Employee and contractor data processing

2. Data Controller Information

Data Controller : Connekit-eo Inc.
Registered Address : 1111B S Governors Ave STE 29396, Dover DE 19904
Contact Email : infocompte@connekit-eo.io

3. Lawful Basis for Processing

3.1 Contract Performance (Article 6-1-b)

Client onboarding and service delivery
E-wallet account creation and management
Payment processing and transaction execution
Digital marketing campaign management

3.2 Legitimate Interests (Article 6-1-f)

AI algorithm training and improvement
Marketing analytics and performance optimization
Fraud prevention and security monitoring
Business development and client communication

3.3 Consent (Article 6-1-a)

Marketing communications to prospects
Non-essential cookies and tracking technologies
Data sharing with third-party marketing platforms
AI-powered personalization features

3.4 Legal Obligation (Article 6-1-c)

Anti-money-laundering (AML) compliance for e-wallet services
Tax reporting and financial record keeping
Regulatory compliance for financial services

4. Categories of Personal Data Processed

4.1 Client and Customer Data

Identity : name, username, date of birth, nationality
Contact : email, phone, physical address
Financial : bank details, card info, transaction history
Technical : IP, device, browser, usage patterns
Marketing : preferences, engagement metrics, behavioral data

4.2 E-Wallet Specific Data

Wallet ID, balance, transaction limits
Payment history, recipient details, amounts, timestamps
Identity documents, proof of address, KYC information
Authentication credentials, access logs, security questions

4.3 AI-Generated Data

Behavioral profiles and predictions
Automated customer segmentation
Campaign effectiveness scores, engagement predictions
AI-powered content and product recommendations

5. Data Processing Activities

5.1 Digital Marketing Services

Purpose : deliver targeted campaigns for clients
Recipients : client organizations, advertising platforms, analytics providers
Retention : 3 years post-campaign or client relationship termination

5.2 AI Tool Operations

Purpose : AI-powered marketing insights and automation
Retention : aggregated data indefinitely; personal data 2 years

5.3 E-Wallet Services

Purpose : digital payments and transactions
Retention : 7 years for financial records; 5 years for transaction data

6. International Data Transfers

6.1 Transfer Mechanisms

EU-US Data Privacy Framework certification
Standard Contractual Clauses (SCCs)
Adequacy decisions from EU authorities

6.2 Key Transfer Recipients

AWS, Google Cloud (with appropriate safeguards)
AI Providers : OpenAI, Anthropic (with data processing agreements)
Payment Processors : Stripe, PayPal (under Privacy Shield successor frameworks)

7. Data Subject Rights

Connekit-eo Inc. facilitates the following rights for EU data subjects:

7.1 Right of Access (Article 15)

Online portal for requests
Response within 30 days of verified request
Provision of data processing details and copies of personal data

7.2 Right to Rectification (Article 16)

Online profile management tools
Correction of inaccurate or incomplete data
Notification to third parties where applicable

7.3 Right to Erasure (Article 17)

Account deletion functionality
Data removal from AI training datasets where technically feasible
Exceptions for legal compliance and financial record keeping

7.4 Right to Restrict Processing (Article 18)

Temporary suspension of non-essential processing
Maintained during dispute resolution periods

7.5 Right to Data Portability (Article 20)

Export functionality for personal data
Structured, machine-readable formats (JSON, CSV)
Direct transfer to other controllers where technically feasible

7.6 Right to Object (Article 21)

Opt-out mechanisms for direct marketing
Objection to AI profiling and automated decision-making
Override of legitimate interests where appropriate

8. Automated Decision-Making and Profiling

8.1 AI-Powered Marketing Decisions

Purpose : Optimize campaign targeting and content personalization
Logic: Machine learning algorithms analyzing behavioral patterns
Consequences: Customized marketing experiences, campaign inclusion/exclusion
Safeguards: Human review options, algorithmic transparency reports

8.2 E-Wallet Risk Assessment

Purpose: Fraud prevention and compliance screening
Logic: Transaction pattern analysis and risk scoring algorithms
Consequences: Account restrictions, transaction limits, enhanced verification
Safeguards: Appeal process, human review, regular algorithm auditing

8.3 Customer Segmentation

Purpose: Targeted marketing and service personalization
Logic: Demographic and behavioral clustering algorithms
Consequences: Tailored product offerings and communication strategies
Safeguards: Opt-out options, segment transparency, regular bias testing

9. Data Security Measures

9.1 Technical Safeguards

Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
Access Controls: Role-based access control (RBAC) and multi-factor authentication
Monitoring: 24/7 security monitoring and incident response procedures

9.2 Organizational Measures

Staff Training: Annual GDPR and data security training programs
Background Checks: Enhanced screening for personnel with data access
Policies: Comprehensive data protection and security policies
Auditing: Regular security assessments and penetration testing

9.3 E-Wallet Specific Security

PCI DSS Compliance: Payment Card Industry Data Security Standard adherence
Tokenization: Sensitive payment data tokenization
Tokenization: Sensitive payment data tokenization
Fraud Detection: Real-time transaction monitoring and anomaly detection
Secure APIs: OAuth 2.0 and API rate limiting

10. Data Retention

10.1 General Retention Policy

Marketing Data: 3 years post-campaign or client relationship termination
AI Training Data: Anonymized data retained indefinitely; personal identifiers removed after 2 years
System Logs: 13 months for security and troubleshooting purposes

10.2 E-Wallet Data Retention

Transaction Records: 7 years for regulatory compliance
Account Information: Duration of account plus 5 years
KYC Documentation: 5 years post-account closure
Fraud Investigation Data: 7 years or resolution of investigation

10.3 Legal Hold Exceptions

Data retention extended during legal proceedings
Regulatory investigation preservation requirements
Court order compliance

11. Data Breach Procedures

11.1 Incident Response Plan

Detection: Automated monitoring and staff reporting procedures
Assessment: Risk evaluation within 12 hours of detection
Containment: Immediate threat mitigation and system isolation
Documentation: Comprehensive incident logging and evidence preservation

11.2 Regulatory Notification

Supervisory Authority: Notification within 72 hours to lead supervisory authority
Data Subjects: Individual notification when high risk to rights and freedoms
Documentation: Breach register maintenance and impact assessments

11.3 Communication Protocol

Internal Escalation: DPO and executive team notification procedures
Client Notification: Contractual breach notification requirements
Public Communication: Media and stakeholder communication guidelines

12. Vendor and Third-Party Management

12.1 Data Processing Agreements

AI Service Providers: Comprehensive DPAs with algorithmic transparency clauses
Cloud Infrastructure: Standard contractual clauses and security addendums
Payment Processors: PCI DSS compliant agreements with liability allocation

12.2 Due Diligence Process

Security Assessments: Annual vendor security evaluations
Compliance Verification: GDPR compliance certification requirements
Regular Auditing: Quarterly review of high-risk vendor relationships

13. Employee and Contractor Data

13.1 HR Data Processing

Recruitment: Resume processing, background checks, interview records
Employment: Personnel files, performance reviews, payroll information
Training: Learning management system data, certification records

13.2 Contractor Management

Onboarding: Identity verification, tax forms, contract execution
Project Data: Work product, communication records, payment information
Access Management: System permissions, security credentials, usage logs

14. Children’s Data Protection

14.1 Age Verification

Minimum Age: Services restricted to users 16 years and older
Verification Process: Age declaration and document verification for e-wallet services
Parental Consent: Procedures for users aged 13-16 where applicable

14.2 Special Protections

Data Minimization: Enhanced data minimization for young users
Marketing Restrictions: No behavioral advertising to users under 18
Retention Limits: Reduced retention periods for minor's data

15. Privacy by Design and Default

15.1 System Development

Data Protection Impact Assessments: Mandatory for new AI features and e-wallet enhancements
Privacy Engineering: Built-in privacy controls and user consent mechanisms
Regular Reviews: Quarterly privacy impact assessments for ongoing operations

15.2 Default Settings

Minimal Data Collection: Opt-in requirements for non-essential data processing
Privacy-Friendly Defaults: Restrictive privacy settings as default configuration
User Control: Granular privacy controls and preference management

16. Training and Awareness

16.1 Staff Training Program

Initial Training: Comprehensive GDPR training for all new employees
Annual Refresher: Updated training on regulation changes and best practices
Role-Specific Training: Specialized training for marketing, development, and finance teams

16.2 Awareness Initiatives

Internal Communications: Regular privacy updates and policy changes
Incident Simulations: Quarterly data breach response drills
Privacy Champions: Departmental privacy advocates and liaison network

17. Monitoring and Compliance

17.1 Regular Auditing

Internal Audits: Quarterly compliance assessments and gap analyses
External Audits: Annual third-party privacy and security audits
Continuous Monitoring: Real-time compliance monitoring through automated tools

17.2 Performance Metrics

Response Times: Data subject request response time tracking
Breach Statistics: Incident frequency and resolution time metrics
Training Completion: Staff training completion rates and effectiveness measures

18. Document Control

18.1 Version Management

Effective Date: June 13, 2025
Review Schedule: Annual review and update process
Approval Authority: Chief Privacy Officer and Legal Counsel

18.2 Distribution

Internal Distribution: All staff with data access responsibilities
Client Access: Available upon request to business clients
Public Availability: Summary version published on company website

19. Regulatory Information

19.1 Supervisory Authority

Registration: Data processing registration completed where required
Communication: Formal communication channel established

19.2 Legal Framework

Primary Regulation: GDPR (EU) 2016/679
Supplementary Laws: E-Privacy Directive, national data protection laws
Industry Standards: PCI DSS, SOC 2, ISO 27001

This GDPR compliance statement was last reviewed and approved by the leadership team of Connekit-eo Inc. on 13 June 2025.
For any questions regarding this compliance overview, please contact our Data Protection Officer at infocompte@connekit-eo.io.

This page outlines our public commitment to data protection and GDPR compliance. Connekit-eo Inc. continuously updates its practices to meet evolving privacy standards and regulatory expectations.