GDPR Compliance & Your Rights
We are committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page explains your rights and how to exercise them.
1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, across the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK).
As an AI-powered Amazon PPC and SEO automation platform that serves users globally, including those in the EU/EEA/UK, we are fully committed to GDPR compliance. This means we:
- Process your personal data lawfully, fairly, and transparently
- Collect data only for specified, explicit, and legitimate purposes
- Limit data collection to what is necessary for our services
- Ensure accuracy and keep data up to date
- Store data only for as long as necessary
- Implement appropriate security measures to protect your data
- Respect your rights regarding your personal information
Who Does GDPR Apply To?
GDPR applies to you if you are located in the EU, EEA, or UK, regardless of your citizenship. It also applies to processing of personal data of EU/EEA/UK residents by organizations outside these regions (like us) if we offer goods or services to people in these areas.
What is Personal Data?
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This includes:
- Name, email address, and contact information
- Login with Amazon profile information (User ID, Amazon customer ID)
- IP addresses and device identifiers
- Amazon Advertising account data and PPC campaign information
- Usage data and behavioral analytics
- Any other information that can identify you directly or indirectly
2. Legal Basis for Processing Your Data
Under GDPR, we must have a legal basis to process your personal data. We rely on the following legal bases:
Contractual Necessity
What it means: Processing is necessary to perform our contract with you (Terms of Service)
When we use it:
- Authenticating you via Login with Amazon
- Providing Amazon PPC optimization and bid management services
- Accessing your Amazon Advertising API data with your authorization
- Generating SEO content and recommendations
- Processing payments and maintaining your account
- Providing customer support
Consent
What it means: You have given clear, affirmative consent for specific processing activities
When we use it:
- Marketing communications and newsletters
- Non-essential cookies and analytics
- Sharing data with third-party integrations you authorize
- Using your data for case studies or testimonials
Important: You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Legitimate Interests
What it means: Processing is necessary for our legitimate business interests, provided your rights don't override those interests
When we use it:
- Improving our AI algorithms and platform features
- Fraud prevention and security monitoring
- Analyzing usage patterns to enhance user experience
- Internal research and development
- Network and information security
- Detecting and preventing abuse of our services
Legal Obligation
What it means: Processing is necessary to comply with legal requirements
When we use it:
- Retaining financial records for tax compliance (7 years)
- Responding to lawful requests from authorities
- Complying with accounting and auditing requirements
- Maintaining records for legal disputes
Note: We do not rely on "vital interests" or "public task" as legal bases for processing your data, as these are not applicable to our business operations.
3. Your Data Rights Under GDPR
GDPR grants you comprehensive rights over your personal data. Here are all eight rights explained:
Right to Access
Obtain a copy of your personal data we process
You have the right to request access to your personal information and receive a copy in a commonly used electronic format.
Right to Rectification
Correct inaccurate or incomplete data
You can request that we update or correct any personal information that is inaccurate or incomplete.
Right to Erasure
Request deletion of your personal data
Also known as the "right to be forgotten", you can request deletion of your personal data under certain circumstances.
Right to Restriction
Limit how we process your data
You can request that we restrict processing of your personal data in certain situations.
Right to Data Portability
Receive your data in a structured format
You have the right to receive your personal data in a structured, machine-readable format and transfer it to another controller.
Right to Object
Object to certain processing activities
You can object to processing of your data for direct marketing, scientific research, or legitimate interests.
Automated Decision-Making
Challenge automated decisions
You have the right not to be subject to decisions based solely on automated processing that significantly affects you.
Withdraw Consent
Revoke your consent at any time
Where processing is based on consent, you have the right to withdraw that consent at any time.
Important Limitations
These rights are not absolute. In some cases, we may need to refuse or limit your request if:
- We have a legal obligation to retain the data
- The data is needed for legal claims or defenses
- The request is manifestly unfounded or excessive
- Complying would adversely affect the rights of others
We will always explain our reasoning if we cannot fully comply with your request.
4. How to Exercise Your Rights
We make it easy to exercise your GDPR rights. You have multiple options:
Email Our Data Protection Officer
Send your request to our dedicated Data Protection Officer:
info@mirox.pt
Use Your Account Settings
For certain actions, you can manage your data directly through your account:
- Update your profile information
- Manage communication preferences
- Download your data exports
- Revoke Amazon Login access
- Delete your account
Submit a Formal Request Form
Use our official GDPR request form for documented requests:
Request Form via Email
Send Postal Mail
Write to our Data Protection Officer at:
Mirox LDA
Attn: Data Protection Officer
Rua Poco do Moleiro 241, 1 Esq-frt, 6000-412 Castelo Branco, Portugal
What to Include in Your Request
To help us process your request efficiently, please include:
- Your full name and the email address associated with your account
- Clear description of which right you want to exercise
- Specific details about the data or processing activity (if applicable)
- Proof of identity (we may request this to verify you are the data subject)
- Preferred format for data delivery (if requesting data portability)
Our Response Timeline
Standard Response
We will respond to your request within 1 month (30 days) of receiving it.
Complex Requests
For complex requests, we may extend this by an additional 2 months, and we'll inform you.
No Cost to You
Exercising your GDPR rights is free of charge. We will only charge a reasonable fee if your request is clearly unfounded, excessive, or repetitive.
Identity Verification
To protect your privacy and prevent unauthorized access, we may ask you to verify your identity before processing your request. This may involve:
- Logging into your account to confirm access
- Providing additional identification documents
- Answering security questions about your account
- Confirming access to your registered email address
5. Data Protection Officer (DPO)
We have appointed a Data Protection Officer to oversee our GDPR compliance and serve as your primary point of contact for all data protection matters.
Postal Address
Mirox LDA
Data Protection Officer
Rua Poco do Moleiro 241, 1 Esq-frt, 6000-412 Castelo Branco, Portugal
Responsibilities
Our DPO is responsible for:
- Monitoring GDPR compliance across our organization
- Processing and responding to data subject requests
- Conducting data protection impact assessments
- Serving as the point of contact with supervisory authorities
- Training staff on data protection obligations
- Investigating data breaches and coordinating responses
When to Contact Our DPO
- To exercise any of your GDPR rights
- To ask questions about how we process your data
- To raise concerns about our data protection practices
- To report a suspected data breach
- To request information about data transfers or security measures
- Before filing a complaint with a supervisory authority
Direct Line of Communication: You can contact our DPO at any time, and we guarantee a response within 48 hours for urgent matters and 5 business days for standard inquiries.
6. International Data Transfers
As a global platform, we may transfer your personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland to countries that may not provide the same level of data protection.
Where We Transfer Data
Your data may be transferred to and processed in:
- United States: Our primary servers and data centers (AWS, Google Cloud)
- Amazon Web Services (AWS) regions: Including US-East, US-West, and other regions
- Service Provider Locations: Where our third-party processors operate
Safeguards We Implement
To ensure your data receives adequate protection during international transfers, we rely on:
Standard Contractual Clauses (SCCs)
We use the European Commission's Standard Contractual Clauses (also known as Model Clauses) with all third-party processors outside the EEA. These are pre-approved contract templates that provide legally binding data protection obligations.
Adequacy Decisions
Where available, we rely on the European Commission's adequacy decisions, which recognize certain countries as providing adequate data protection (e.g., UK under the UK GDPR, Switzerland).
Data Processing Agreements (DPAs)
All our service providers sign comprehensive Data Processing Agreements that include GDPR-compliant terms, security obligations, and sub-processor requirements.
Privacy Shield (Historical)
Note: We previously relied on the EU-US Privacy Shield, which was invalidated in 2020 (Schrems II decision). We have since transitioned all transfers to Standard Contractual Clauses with supplementary measures.
Supplementary Measures
In addition to legal mechanisms, we implement technical and organizational measures:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Pseudonymization: Where possible, we pseudonymize data to reduce identification risks
- Data Minimization: We only transfer data that is strictly necessary
- Access Controls: Strict authentication and authorization for data access
- Regular Audits: We conduct regular assessments of transfer risks and safeguards
- Transparency: We maintain clear documentation of all data transfers
Third-Party Transfers
We transfer data to the following types of recipients outside the EEA:
| Recipient Type | Location | Safeguard |
|---|---|---|
| Cloud Infrastructure | USA (AWS, Google Cloud) | SCCs + Encryption |
| Amazon Services | USA (Login with Amazon, Advertising API) | SCCs + Amazon DPA |
| Payment Processors | USA (Stripe) | SCCs + PCI DSS |
| Analytics Providers | USA (Google Analytics) | SCCs + IP Anonymization |
Your Rights Regarding Transfers
You have the right to request information about the safeguards we use for international data transfers. You can also object to transfers in certain circumstances. Contact our DPO at info@mirox.pt for more information or to obtain copies of the relevant safeguard documents.
7. Data Retention Schedules
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
Retention Periods by Data Type
Account Data
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of account + 30 days |
| Closed Account Data | 90 days after closure |
| Login with Amazon Tokens | Until revoked or account deleted |
| Profile Information | Duration of account + 30 days |
Amazon PPC & Advertising Data
| Data Type | Retention Period |
|---|---|
| Campaign Performance Data | 2 years or until account deleted |
| Keyword & Bid History | 2 years for analytics |
| AI Optimization Recommendations | 1 year |
| API Access Logs | 90 days |
Financial & Billing Records
| Data Type | Retention Period |
|---|---|
| Invoices & Receipts | 7 years (tax law requirement) |
| Payment Method Details | Until updated or account deleted |
| Transaction History | 7 years (accounting requirement) |
| Subscription Records | 7 years after termination |
Technical & Usage Data
| Data Type | Retention Period |
|---|---|
| Server Logs | 90 days |
| Analytics Data | 26 months (Google Analytics default) |
| Cookie Data | Varies (1-24 months, see cookie policy) |
| Device & Browser Info | Duration of session + 90 days |
Communications
| Data Type | Retention Period |
|---|---|
| Customer Support Tickets | 3 years after resolution |
| Marketing Communications | Until consent withdrawn |
| Email Correspondence | 3 years |
| Chat Transcripts | 1 year |
Legal & Compliance
| Data Type | Retention Period |
|---|---|
| GDPR Requests & Responses | 6 years (statutory limitation period) |
| Legal Hold Data | Duration of legal matter + 1 year |
| Audit Logs | 7 years |
| Consent Records | Duration of consent + 3 years |
Anonymized & Aggregated Data
We may retain anonymized or aggregated data indefinitely for the following purposes:
- Statistical analysis and research
- Improving our AI algorithms and machine learning models
- Industry benchmarking and trend analysis
- Product development and feature enhancement
Note: Anonymized data cannot be used to identify you personally and is therefore not subject to GDPR data subject rights.
Secure Deletion Process
When retention periods expire or you request deletion, we ensure data is securely destroyed using:
- Database Purging: Complete removal from production and backup databases
- Secure Wiping: Overwriting data on storage media to prevent recovery
- Cryptographic Erasure: Destroying encryption keys to render data unreadable
- Third-Party Notification: Instructing processors to delete data
- Audit Trail: Documenting deletion for compliance verification
Exceptions to Deletion
In certain cases, we may be required or permitted to retain data beyond normal retention periods:
- Legal or regulatory obligations (e.g., 7-year tax record retention)
- Ongoing legal proceedings or disputes
- Fraud prevention and security investigations
- Exercise or defense of legal claims
- Compliance with law enforcement requests
8. Security Measures
Under GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against unauthorized access, accidental loss, destruction, or damage.
Technical Security Measures
Encryption
- TLS 1.3 for data in transit
- AES-256 encryption at rest
- End-to-end encryption for sensitive data
- Encrypted database fields
- HTTPS-only connections
Access Controls
- OAuth 2.0 authentication
- Multi-factor authentication (MFA)
- Role-based access control (RBAC)
- Least privilege principle
- Regular access reviews
Infrastructure Security
- SOC 2 Type II certified infrastructure
- Isolated network environments
- Firewall protection
- DDoS mitigation
- Intrusion detection systems (IDS)
Monitoring & Logging
- 24/7 security monitoring
- Comprehensive audit logs
- Anomaly detection
- Real-time alerts
- Security incident tracking
Data Protection
- Automated daily backups
- Geographically distributed replicas
- Data pseudonymization
- Secure data deletion
- Data loss prevention (DLP)
Application Security
- Secure coding practices
- Regular security testing (SAST/DAST)
- Penetration testing (quarterly)
- Vulnerability scanning
- Dependency management
Organizational Security Measures
Employee Training & Awareness
- Mandatory GDPR and data protection training for all employees
- Annual security awareness refresher courses
- Phishing simulation exercises
- Incident response training and drills
- Secure coding training for developers
Policies & Procedures
- Information Security Policy
- Data Protection Impact Assessment (DPIA) procedures
- Incident response and breach notification plan
- Data retention and deletion policy
- Third-party vendor security requirements
- Business continuity and disaster recovery plans
Access Management
- Strict need-to-know and least privilege policies
- Quarterly access reviews and recertification
- Immediate access revocation upon termination
- Segregation of duties for critical functions
- Background checks for employees with data access
Vendor Management
- Thorough security assessments before onboarding
- Contractual security obligations (DPAs with SCCs)
- Regular vendor security reviews
- Sub-processor approval requirements
- Vendor incident notification requirements
Security Certifications & Compliance
SOC 2 Type II
Audited annually
ISO 27001
In progress (2025)
GDPR Compliant
Verified by DPO
Regular Security Testing
| Security Activity | Frequency | Last Performed |
|---|---|---|
| Penetration Testing | Quarterly | October 2025 |
| Vulnerability Scanning | Weekly | Ongoing |
| Security Audits | Annually | September 2025 |
| Code Security Review | Per release | Ongoing |
| Disaster Recovery Test | Semi-annually | August 2025 |
No System is 100% Secure
While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to protecting your data using best practices and continuously improving our security posture. If you have security concerns, please contact our security team at info@mirox.pt.
9. Data Breach Notification Procedures
Under GDPR Articles 33 and 34, we are required to notify the relevant supervisory authority and affected individuals in the event of a personal data breach that poses a risk to your rights and freedoms.
What is a Personal Data Breach?
A personal data breach is a security incident that leads to:
- Confidentiality breach: Unauthorized or accidental disclosure or access to personal data
- Integrity breach: Unauthorized or accidental alteration of personal data
- Availability breach: Accidental or unauthorized loss of access to or destruction of personal data
Our Breach Response Process
Detection & Containment (0-24 hours)
Our security team immediately investigates any suspected breach, contains the incident to prevent further data exposure, and preserves evidence for forensic analysis.
Assessment & Documentation (24-48 hours)
We assess the nature, scope, and severity of the breach, document all findings, determine the likelihood and severity of risk to affected individuals, and identify the legal basis for processing the breached data.
Notification to Supervisory Authority (Within 72 hours)
If the breach poses a risk to rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware of the breach, providing all required information under Article 33.
Notification to Affected Individuals (Without undue delay)
If the breach poses a high risk to your rights and freedoms, we will notify you directly via email or in-app notification, providing clear information about the breach and recommended protective measures.
Remediation & Lessons Learned (Ongoing)
We implement remediation measures to prevent recurrence, conduct a post-incident review, update security policies and procedures, and provide follow-up communications to affected parties.
Information We Provide in Breach Notifications
When we notify you of a data breach, we will include:
- Nature of the breach: What happened, when it occurred, and how it was discovered
- Categories and volume of data affected: Types of personal data involved and approximate number of affected individuals
- Likely consequences: Potential risks and impact to you
- Measures taken or proposed: Steps we've taken to address the breach and mitigate harm
- Recommended actions for you: Steps you can take to protect yourself (e.g., password reset, monitor accounts)
- Contact information: How to reach our Data Protection Officer for questions or concerns
When We May Not Notify You
Individual notification is not required if:
- We have implemented appropriate technical and organizational protection measures that rendered the data unintelligible (e.g., strong encryption)
- We have taken subsequent measures ensuring the high risk to your rights and freedoms is no longer likely to materialize
- Individual notification would involve disproportionate effort (in which case we make a public communication instead)
Note: Even if we don't notify you individually, we will still notify the supervisory authority if required.
How to Report a Suspected Breach
If you suspect a data breach or security incident involving your data, please contact us immediately:
Emergency Security Contact
Email: info@mirox.pt (monitored 24/7)
Phone: +4915735964940 (emergency security line)
Subject Line: Use "SECURITY INCIDENT - URGENT" for immediate attention
Our Commitment
We take data breaches seriously and are committed to transparency. We maintain comprehensive breach notification procedures, regularly test our incident response plan, and continuously improve our security measures to prevent breaches. Your trust is paramount, and we will always prioritize your safety and privacy.
10. Complaints & Supervisory Authorities
Under GDPR Article 77, you have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
Before Filing a Complaint
We encourage you to contact us first so we can try to resolve your concerns directly:
Contact Our Data Protection Officer
Email: info@mirox.pt
We will acknowledge your concern within 48 hours and work diligently to resolve it within 30 days.
How to File a Complaint
If you're not satisfied with our response or wish to file a complaint directly, you can contact the supervisory authority in:
- The EU/EEA member state of your habitual residence
- The member state of your place of work
- The member state where the alleged infringement occurred
EU/EEA/UK Data Protection Authorities
Below is a comprehensive list of supervisory authorities you can contact. Click on the website link to file a complaint or learn more about their process.
| Country | Authority | Website |
|---|---|---|
| Austria | Austrian Data Protection Authority | Visit |
| Belgium | Belgian Data Protection Authority | Visit |
| Bulgaria | Commission for Personal Data Protection | Visit |
| Croatia | Croatian Personal Data Protection Agency | Visit |
| Cyprus | Commissioner for Personal Data Protection | Visit |
| Czech Republic | Office for Personal Data Protection | Visit |
| Denmark | Danish Data Protection Agency | Visit |
| Estonia | Estonian Data Protection Inspectorate | Visit |
| Finland | Office of the Data Protection Ombudsman | Visit |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | Visit |
| Germany | Federal Commissioner for Data Protection and Freedom of Information | Visit |
| Greece | Hellenic Data Protection Authority | Visit |
| Hungary | Hungarian National Authority for Data Protection and Freedom of Information | Visit |
| Ireland | Data Protection Commission | Visit |
| Italy | Garante per la Protezione dei Dati Personali | Visit |
| Latvia | Data State Inspectorate | Visit |
| Lithuania | State Data Protection Inspectorate | Visit |
| Luxembourg | National Commission for Data Protection | Visit |
| Malta | Office of the Information and Data Protection Commissioner | Visit |
| Netherlands | Dutch Data Protection Authority | Visit |
| Poland | Office of the Personal Data Protection | Visit |
| Portugal | Portuguese Data Protection Authority | Visit |
| Romania | Romanian National Supervisory Authority | Visit |
| Slovakia | Office for Personal Data Protection of the Slovak Republic | Visit |
| Slovenia | Information Commissioner | Visit |
| Spain | Spanish Data Protection Agency | Visit |
| Sweden | Swedish Authority for Privacy Protection | Visit |
| United Kingdom | Information Commissioner's Office (ICO) | Visit |
What Information to Include in Your Complaint
When filing a complaint with a supervisory authority, include:
- Your contact information and the country you're based in
- Details of the alleged GDPR violation
- Evidence supporting your complaint (emails, screenshots, etc.)
- Description of how you've been affected
- Any correspondence with us regarding the issue
- The outcome you're seeking
Your Right to Judicial Remedy
In addition to filing a complaint with a supervisory authority, you also have the right to seek a judicial remedy:
- Against a supervisory authority (Article 78): If the authority dismisses or fails to handle your complaint
- Against us directly (Article 79): If you believe we have violated GDPR, you can bring legal proceedings in the courts of the member state where you reside, where we are established, or where the infringement occurred
No Retaliation
We respect your right to file a complaint and will never retaliate against you for exercising this right. Your ability to use our services will not be affected by filing a complaint with a supervisory authority or pursuing legal remedies.
Our Cooperation with Authorities
We are committed to cooperating fully with supervisory authorities. If you file a complaint, we will work constructively with the authority to resolve the matter, provide all requested information and documentation, and implement any corrective measures required.
Your Data, Your Rights
We are committed to respecting your privacy and protecting your personal data in full compliance with GDPR. If you have any questions about this policy or want to exercise your rights, we're here to help.
This GDPR compliance page was last updated on
This page supplements our Privacy Policy and provides GDPR-specific information for EU/EEA/UK users.