Legal

GDPR Compliance

Last updated: 29 June 2026  ·  OctoHex
GDPR compliant. OctoHex is designed with privacy by default. We collect the minimum data necessary, apply strict retention limits, and give you full control over your personal data. This page details our compliance posture under Regulation (EU) 2016/679.

Overview

The General Data Protection Regulation (GDPR) applies to all processing of personal data of individuals in the European Economic Area (EEA), regardless of where the data controller is established. OctoHex processes personal data of EU-based business users and is fully committed to GDPR compliance.

Our approach follows the core principles of GDPR:

Data Controller

For the purposes of GDPR, the data controller is:

OctoHex
Professional ECU Immobilizer Service
Email: privacy@octohex.com
Data Protection Contact: dpo@octohex.com

Where we act as a data processor on your behalf (e.g. processing vehicle data you upload), we commit to processing that data only on your documented instructions and in accordance with Art. 28 GDPR.

Lawful Basis for Processing

Processing ActivityLegal BasisGDPR Article
Account creation and management Performance of a contract Art. 6(1)(b)
Processing ECU orders Performance of a contract Art. 6(1)(b)
Sending transactional emails (order status, verification) Performance of a contract Art. 6(1)(b)
Maintaining order audit logs Legal obligation + Legitimate interests Art. 6(1)(c) + 6(1)(f)
Fraud detection and abuse prevention Legitimate interests Art. 6(1)(f)
Responding to legal orders or law enforcement requests Legal obligation Art. 6(1)(c)

We do not rely on consent as a legal basis for any core processing activity. Where consent is obtained (e.g. optional marketing communications, if introduced in the future), it will be separately documented, freely given, specific, informed, and unambiguous — and can be withdrawn at any time without affecting service access.

Data Subject Rights

You can exercise any of the following rights by contacting us at privacy@octohex.com. We will acknowledge your request within 72 hours and respond within 30 calendar days. Complex or multiple requests may be extended by a further two months with prior notice.

RightWhat it meansLimitations
Access (Art. 15) Obtain a copy of all personal data we hold about you, along with details of how it is processed We may redact data relating to third parties
Rectification (Art. 16) Correct inaccurate or incomplete personal data Cannot alter legally required audit records
Erasure (Art. 17) Request deletion of your personal data ("right to be forgotten") Order audit logs retained for legal compliance; financial records retained for 5 years
Restriction (Art. 18) Request that we limit processing while a dispute is resolved Active account functionality may be affected
Portability (Art. 20) Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) Applies to data you provided to us and processed by automated means
Objection (Art. 21) Object to processing based on legitimate interests We will cease processing unless we can demonstrate compelling legitimate grounds
Withdraw Consent (Art. 7) Withdraw consent where it is the legal basis for processing Does not affect lawfulness of prior processing

How to Submit a Request

  1. Email privacy@octohex.com with subject line: "GDPR Request — [Your registered email]"
  2. State clearly which right you are exercising
  3. We may ask you to verify your identity before processing the request
  4. Requests are free of charge unless manifestly unfounded or excessive

Right to Lodge a Complaint

If you believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with your national supervisory authority. In France, this is the CNIL (cnil.fr). In Germany, contact your relevant Datenschutzbeauftragter. A full list of EU supervisory authorities is available at edpb.europa.eu.

International Data Transfers

We aim to store and process all personal data within the European Economic Area (EEA). Where we use infrastructure or sub-processors outside the EEA (e.g. US-based cloud services), we ensure adequate protection through one or more of the following mechanisms:

You may request a copy of the relevant transfer safeguards by contacting privacy@octohex.com.

Sub-Processors

We engage the following sub-processors who may process personal data on our behalf:

Sub-ProcessorPurposeLocationSafeguard
Cloud hosting provider Server infrastructure, database hosting EU (primary) DPA / SCCs
PayPal (Europe) S.à r.l. Payment processing Luxembourg / EU EU entity — GDPR applies directly
NOWPayments Cryptocurrency payment processing International SCCs + DPA
Email delivery service Transactional email (account verification, order notifications) EU / EEA DPA

We conduct due diligence on all sub-processors before engagement and maintain written Data Processing Agreements (DPAs) with each. We will notify you of any new sub-processor additions that may materially affect your data.

Data Breach Policy

In the event of a personal data breach, we follow the procedures required by Art. 33–34 GDPR:

To report a suspected security incident, contact security@octohex.com immediately.

Data Protection Impact Assessment (DPIA)

We have conducted a Data Protection Impact Assessment for our core processing activities, specifically regarding the processing of ECU binary files, which may be considered sensitive technical data relating to vehicle security systems.

Key findings and mitigations from our DPIA:

Data Protection Officer

Although not legally required for all organisations, OctoHex has designated a Data Protection contact for all GDPR-related enquiries:

Data Protection Contact — OctoHex
Email: dpo@octohex.com
Subject line: "GDPR — [nature of enquiry]"
Response time: Within 5 business days

For general privacy questions, see our Privacy Policy. For questions about your rights, see the Data Subject Rights section above.