Our Commitment to Data Protection

At PCI DSS Dashboard, we are committed to protecting your personal data and respecting your privacy. As a platform that helps organizations manage their PCI DSS compliance, we understand the critical importance of data security and privacy.

Data Controller: Oneiric d.o.o., operating PCI DSS Dashboard, is the data controller for personal data collected through our platform. We process your data in accordance with the GDPR and applicable data protection laws.

What Data We Collect

Account Information

When you register for PCI DSS Dashboard, we collect:

  • Name and email address
  • Organization name and role
  • Password (stored securely using industry-standard hashing)

Usage Data

We automatically collect certain information when you use our platform:

  • IP address and browser information
  • Pages visited and features used
  • Date and time of access
  • Actions performed within the platform (audit logs)

Compliance Data

Data you enter into the platform for compliance management:

  • System and asset inventories
  • Policy documents and evidence files
  • Assessment notes and compliance status
  • Team member assignments and comments

How We Use Your Data

We process your personal data for the following purposes:

  • Service Delivery: To provide and maintain the PCI DSS Dashboard platform
  • Account Management: To manage your account and provide customer support
  • Communication: To send service updates, security alerts, and task reminders
  • Security: To protect against unauthorized access and maintain audit logs
  • Improvement: To analyze usage patterns and improve our services
  • Legal Compliance: To comply with applicable laws and regulations

Legal Basis for Processing

We process your personal data based on:

  • Contract Performance: Processing necessary to provide our services to you
  • Legitimate Interests: For security, fraud prevention, and service improvement
  • Legal Obligations: Where required by applicable laws
  • Consent: For optional communications and marketing (where applicable)

Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

Right to Access

Request a copy of your personal data we hold.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict

Request limitation of processing in certain circumstances.

Right to Portability

Receive your data in a portable, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

To exercise any of these rights, please contact us using the information below. We will respond to your request within 30 days.

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication with password hashing
  • Role-based access controls
  • Regular security assessments and updates
  • Audit logging of all system access
  • Secure hosting infrastructure with redundancy

Data Retention

We retain your personal data for as long as necessary to provide our services and fulfill the purposes outlined in this notice. Specifically:

  • Account Data: Retained while your account is active, plus 30 days after a deletion request
  • Compliance Data: Retained according to your organization's settings and legal requirements
  • Audit Logs: Retained for 7 years to support compliance requirements
  • Backup Data: Retained for up to 90 days after deletion from production systems

International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with adequate data protection (adequacy decisions)

Third-Party Services

We use carefully selected third-party services to operate our platform. These include:

  • Hosting Provider: For secure infrastructure and data storage
  • Email Service: For transactional emails and notifications
  • Analytics: For understanding platform usage (anonymized data)

All third-party processors are bound by data processing agreements that ensure GDPR compliance.

Cookies

We use essential cookies required for the platform to function, including:

  • Session cookies for authentication
  • Security cookies (CSRF protection)

We use Google Analytics for understanding how visitors interact with our marketing pages. You can opt out of analytics tracking by using browser settings or ad-blocking tools.

Changes to This Notice

We may update this GDPR notice from time to time. We will notify you of any material changes by posting the updated notice on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.

Questions or Requests?

If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact our Data Protection team.

privacy@oneiric.me