GDPR Statement
Last updated: June 4, 2026
NOTOXIC® Universe is committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This statement outlines our comprehensive GDPR compliance framework, your rights as a data subject, and how we protect your personal data.
GDPR applies to our processing of personal data of individuals located in the European Economic Area (EEA), regardless of where our services are provided from.
1. GDPR Compliance Framework
1.1 Data Protection Principles
We adhere to GDPR's core data protection principles:
- Lawfulness, Fairness, and Transparency: Processing personal data lawfully, fairly, and transparently
- Purpose Limitation: Collecting data only for specified, explicit, and legitimate purposes
- Data Minimization: Processing only data that is adequate, relevant, and necessary
- Accuracy: Keeping personal data accurate and up-to-date
- Storage Limitation: Retaining data only as long as necessary
- Integrity and Confidentiality: Ensuring appropriate security of personal data
- Accountability: Demonstrating compliance with GDPR principles
1.2 Data Protection by Design and by Default
We implement data protection by design and by default through:
- Privacy impact assessments (PIAs) for new projects and features
- Technical and organizational measures to protect data
- Default privacy settings that minimize data collection
- Encryption and pseudonymization where appropriate
- Regular security audits and assessments
1.3 Lawful Basis for Processing
We process personal data based on one or more lawful bases:
- Consent: Explicit consent for marketing, cookies, and optional features
- Contract: Processing necessary for contract performance (orders, services)
- Legal Obligation: Compliance with legal requirements (tax, fraud prevention)
- Vital Interests: Protecting life or physical safety
- Public Task: Performing tasks in the public interest
- Legitimate Interests: Our legitimate business interests (security, fraud prevention, analytics) balanced against your rights
1.4 Transparency and Privacy Notices
We provide transparent information about data processing through:
- Comprehensive Privacy Policy with detailed information
- Clear consent mechanisms and cookie banners
- Just-in-time notices for specific data collection
- Regular updates and notifications of policy changes
1.5 Data Processing Agreements
We enter into GDPR-compliant data processing agreements (DPAs) with:
- Third-party processors (payment, logistics, cloud, analytics)
- Sub-processors with appropriate safeguards
- International transfers with Standard Contractual Clauses (SCCs)
2. Data Protection Officer (DPO)
2.1 DPO Role and Responsibilities
Our Data Protection Officer (DPO) is responsible for:
- Monitoring GDPR compliance and data protection practices
- Providing advice on data protection impact assessments
- Acting as a point of contact for data subjects and supervisory authorities
- Training staff on data protection obligations
- Conducting audits and compliance reviews
2.2 Contacting the DPO
For GDPR-related inquiries, data protection requests, or to exercise your rights:
Data Protection Officer
NOTOXIC® Universe
Email: [email protected]
Subject: "GDPR Inquiry" or "Data Protection Request"
The DPO will respond to your inquiry within 30 days (or sooner for urgent matters).
3. Your Rights Under GDPR
3.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and access to that data, including:
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Retention periods
- Your rights to rectification, erasure, restriction, and objection
3.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
3.3 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request erasure of your personal data when:
- Data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Erasure is required for legal compliance
Exceptions: We may retain data if required by law, for legal claims, or for public interest reasons.
3.4 Right to Restrict Processing (Article 18)
You have the right to restrict processing when:
- You contest the accuracy of the data (during the verification period)
- Processing is unlawful, but you oppose erasure
- We no longer need the data, but you need it for legal claims
- You have objected to processing (pending verification)
3.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. To request your data:
- Contact the DPO at [email protected]
- Specify "Data Portability Request" in the subject line
- Provide account verification information
- Specify preferred format (JSON, CSV, XML, etc.)
Data will be provided within 30 days in a portable format. This right applies to data you provided and that is processed based on consent or contract.
3.6 Right to Object (Article 21)
You have the right to object to processing of your personal data:
- Direct Marketing: Unconditional right to object to direct marketing
- Legitimate Interests: Right to object to processing based on legitimate interests (we will stop unless we demonstrate compelling legitimate grounds)
- Scientific/Historical Research: Right to object to processing for these purposes
3.7 Right to Withdraw Consent (Article 7)
When processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
3.8 Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not make such decisions without human intervention.
4. Exercising Your Rights
4.1 How to Exercise Your Rights
To exercise any of your GDPR rights:
- Contact our DPO at [email protected]
- Specify the right you wish to exercise in the subject line
- Provide sufficient information to verify your identity
- Include any relevant details (account information, specific data, etc.)
4.2 Response Timeline
We will respond to your request:
- Within 30 days: Standard response time for most requests
- Within 3 months: Complex requests may take up to 3 months (we will inform you within 30 days if an extension is needed)
- Free of charge: No fee for exercising your rights (except manifestly unfounded or excessive requests)
4.3 Identity Verification
Before processing a request, we may ask for additional information to verify your identity; this protects your data from being disclosed to an unauthorized party.
5. Data Breach Notification
5.1 Breach Notification to Supervisory Authority
In case of a personal data breach that poses a risk to rights and freedoms:
- Within 72 hours: We will notify the relevant supervisory authority (where feasible)
- Breach Details: Nature of breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed
5.2 Breach Notification to Data Subjects
If a breach poses a high risk to your rights and freedoms:
- We will notify you without undue delay
- Notification will include clear information about the breach and recommended measures
- We will use clear and plain language
6. International Data Transfers
6.1 Transfer Safeguards
When transferring personal data outside the EEA, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved SCCs with processors
- Adequacy Decisions: Transfers to countries with adequacy decisions
- Binding Corporate Rules: Where applicable
- Additional Safeguards: Technical and organizational measures to protect data
6.2 Transfer Transparency
Information about international transfers is disclosed in our Privacy Policy.
7. Supervisory Authority
7.1 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. You can lodge a complaint with:
- The supervisory authority in your country of residence
- The supervisory authority in your country of work
- The supervisory authority in the country where the alleged violation occurred
7.2 Lead Supervisory Authority
Our lead supervisory authority is determined based on our main establishment in the EEA. Contact details for supervisory authorities can be found on the European Data Protection Board website.
8. Contact Us
For GDPR inquiries or to exercise your rights:
NOTOXIC® Universe
Email: [email protected]
Questions about this GDPR Statement?
We're here to help. Contact us with any questions or clarifications.