Overview
The General Data Protection Regulation (GDPR) applies to all processing of personal data of individuals in the European Economic Area (EEA), regardless of where the data controller is established. OctoHex processes personal data of EU-based business users and is fully committed to GDPR compliance.
Our approach follows the core principles of GDPR:
- Lawfulness, fairness and transparency — we process data only on a valid legal basis and are transparent about how we use it
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not processed further in incompatible ways
- Data minimisation — we collect only what is strictly necessary for the service
- Accuracy — we take reasonable steps to ensure data is accurate and up to date
- Storage limitation — data is retained only for as long as necessary (see our retention schedule)
- Integrity and confidentiality — appropriate technical and organisational measures protect data against unauthorised access, loss, and destruction
- Accountability — we maintain records of processing activities and can demonstrate compliance
Data Controller
For the purposes of GDPR, the data controller is:
Professional ECU Immobilizer Service
Email: privacy@octohex.com
Data Protection Contact: dpo@octohex.com
Where we act as a data processor on your behalf (e.g. processing vehicle data you upload), we commit to processing that data only on your documented instructions and in accordance with Art. 28 GDPR.
Lawful Basis for Processing
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of a contract | Art. 6(1)(b) |
| Processing ECU orders | Performance of a contract | Art. 6(1)(b) |
| Sending transactional emails (order status, verification) | Performance of a contract | Art. 6(1)(b) |
| Maintaining order audit logs | Legal obligation + Legitimate interests | Art. 6(1)(c) + 6(1)(f) |
| Fraud detection and abuse prevention | Legitimate interests | Art. 6(1)(f) |
| Responding to legal orders or law enforcement requests | Legal obligation | Art. 6(1)(c) |
We do not rely on consent as a legal basis for any core processing activity. Where consent is obtained (e.g. optional marketing communications, if introduced in the future), it will be separately documented, freely given, specific, informed, and unambiguous — and can be withdrawn at any time without affecting service access.
Data Subject Rights
You can exercise any of the following rights by contacting us at privacy@octohex.com. We will acknowledge your request within 72 hours and respond within 30 calendar days. Complex or multiple requests may be extended by a further two months with prior notice.
| Right | What it means | Limitations |
|---|---|---|
| Access (Art. 15) | Obtain a copy of all personal data we hold about you, along with details of how it is processed | We may redact data relating to third parties |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Cannot alter legally required audit records |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") | Order audit logs retained for legal compliance; financial records retained for 5 years |
| Restriction (Art. 18) | Request that we limit processing while a dispute is resolved | Active account functionality may be affected |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) | Applies to data you provided to us and processed by automated means |
| Objection (Art. 21) | Object to processing based on legitimate interests | We will cease processing unless we can demonstrate compelling legitimate grounds |
| Withdraw Consent (Art. 7) | Withdraw consent where it is the legal basis for processing | Does not affect lawfulness of prior processing |
How to Submit a Request
- Email privacy@octohex.com with subject line: "GDPR Request — [Your registered email]"
- State clearly which right you are exercising
- We may ask you to verify your identity before processing the request
- Requests are free of charge unless manifestly unfounded or excessive
Right to Lodge a Complaint
If you believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with your national supervisory authority. In France, this is the CNIL (cnil.fr). In Germany, contact your relevant Datenschutzbeauftragter. A full list of EU supervisory authorities is available at edpb.europa.eu.
International Data Transfers
We aim to store and process all personal data within the European Economic Area (EEA). Where we use infrastructure or sub-processors outside the EEA (e.g. US-based cloud services), we ensure adequate protection through one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- EU-US Data Privacy Framework certification where applicable
- Adequacy decisions issued by the European Commission
You may request a copy of the relevant transfer safeguards by contacting privacy@octohex.com.
Sub-Processors
We engage the following sub-processors who may process personal data on our behalf:
| Sub-Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloud hosting provider | Server infrastructure, database hosting | EU (primary) | DPA / SCCs |
| PayPal (Europe) S.à r.l. | Payment processing | Luxembourg / EU | EU entity — GDPR applies directly |
| NOWPayments | Cryptocurrency payment processing | International | SCCs + DPA |
| Email delivery service | Transactional email (account verification, order notifications) | EU / EEA | DPA |
We conduct due diligence on all sub-processors before engagement and maintain written Data Processing Agreements (DPAs) with each. We will notify you of any new sub-processor additions that may materially affect your data.
Data Breach Policy
In the event of a personal data breach, we follow the procedures required by Art. 33–34 GDPR:
- Detection: We maintain monitoring and alerting to detect potential breaches promptly
- Assessment: Breaches are assessed for severity, scope, and likelihood of harm within 24 hours of discovery
- Notification to supervisory authority: Where required, we notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Notification to data subjects: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, describing the nature of the breach, likely consequences, and measures taken
- Documentation: All breaches, including those not requiring notification, are documented internally
To report a suspected security incident, contact security@octohex.com immediately.
Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment for our core processing activities, specifically regarding the processing of ECU binary files, which may be considered sensitive technical data relating to vehicle security systems.
Key findings and mitigations from our DPIA:
- Risk: ECU files could theoretically be used to identify a specific vehicle
Mitigation: Files are deleted immediately after processing; only a SHA-256 hash is retained for audit purposes - Risk: Audit logs containing IP addresses and vehicle details
Mitigation: Access strictly limited to authorized personnel; logs retained only for the minimum period required by law - Risk: Payment data interception
Mitigation: No card data stored on our servers; all payment handling delegated to certified PCI-DSS compliant processors
Data Protection Officer
Although not legally required for all organisations, OctoHex has designated a Data Protection contact for all GDPR-related enquiries:
Email: dpo@octohex.com
Subject line: "GDPR — [nature of enquiry]"
Response time: Within 5 business days
For general privacy questions, see our Privacy Policy. For questions about your rights, see the Data Subject Rights section above.