Data Protection & GDPR Compliance

1. Introduction

FindaHost is committed to protecting your personal data and respecting your privacy rights. This Data Protection Policy explains how we comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

This policy supplements our Privacy Policy and provides detailed information about our data protection practices and your rights.

2. Data Controller Information

FindaHost acts as the data controller for personal data processed through our Service. Our contact details are:

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

3.1 Consent

Where you have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications, optional data sharing).

3.2 Contract Performance

Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., providing our Service, processing payments).

3.3 Legal Obligation

Processing necessary to comply with legal obligations (e.g., tax records, fraud prevention, identity verification requirements).

3.4 Legitimate Interests

Processing necessary for our legitimate interests or those of third parties, provided such interests are not overridden by your rights and freedoms (e.g., service improvement, security, fraud prevention).

4. Your Data Protection Rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

4.1 Right of Access

You have the right to obtain confirmation as to whether we process your personal data and to access that data, along with certain supplementary information. You can request a copy of your personal data by contacting us at privacy@findahost.io.

4.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your information directly through your account settings.

4.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when:

• The data is no longer necessary for the original purpose
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

You can request account deletion through your account settings or by contacting us. Note that we may retain certain information where required by law or for legitimate business purposes.

4.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing pending verification.

4.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.

4.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

4.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not currently use fully automated decision-making for such purposes.

4.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. Exercising Your Rights

To exercise any of your data protection rights, please:

• Use the account settings and privacy controls in your account
• Contact us at privacy@findahost.io
• Contact our Data Protection Officer at dpo@findahost.io

We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by up to two additional months, and we will inform you of any extension.

We may request proof of identity before processing certain requests to ensure we are responding to the correct individual.

6. Data Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Access Controls: Role-based access controls and authentication mechanisms
• Regular Security Assessments: Ongoing security audits and vulnerability assessments
• Secure Infrastructure: Data stored with reputable cloud providers with robust security certifications
• Staff Training: Regular data protection training for employees
• Incident Response: Procedures for detecting, reporting, and responding to data breaches

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• Account Data: Retained while your account is active and for up to 7 years after account closure for legal and tax purposes
• Property Listings: Retained while active and for 2 years after deactivation
• Communication Data: Retained for 3 years from last communication
• Payment Records: Retained for 7 years as required by tax and accounting laws
• Legal Obligations: Retained as required by applicable laws and regulations

When data is no longer needed, we securely delete or anonymise it in accordance with our data retention policy.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the UK and EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Transfers to countries with adequacy decisions by the UK/EU
• Other appropriate safeguards as recognised under GDPR

Our primary data storage is within the UK and EEA. Where we use service providers outside these regions, we ensure they meet GDPR standards.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (ICO in the UK) within 72 hours where feasible
• Notify affected individuals without undue delay where the breach poses a high risk
• Provide clear information about the nature of the breach and steps we are taking
• Advise on measures you can take to protect yourself

10. Children's Data

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.

11. Supervisory Authority

If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

If you are located in the EEA, you may lodge a complaint with your local data protection authority.

12. Updates to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.

13. Contact Us

If you have any questions about this Data Protection Policy or wish to exercise your rights, please contact us: