GDPR Compliance
Our commitment to protecting the rights of EU data subjects under the General Data Protection Regulation.
Our Commitment to GDPR
ObserveOps is committed to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains our approach to GDPR compliance, your rights as a data subject, and how to exercise those rights.
We act as a data controller in respect of personal data we collect from visitors to our website and clients who engage our services. In cases where we process personal data on behalf of our clients as part of service delivery, we act as a data processor under a Data Processing Agreement (DPA).
Legal Basis for Processing
We process personal data on the following legal bases under Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to perform our service agreement with you, including account management and service delivery.
- Legitimate interests (Art. 6(1)(f)): Processing for our legitimate interests such as improving our services, fraud prevention, and security — where these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): Processing for marketing communications, where you have explicitly opted in. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including tax and accounting regulations.
Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you and information about how it is used.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
- Right to object (Art. 21): Object to processing of your personal data for direct marketing or based on legitimate interests.
- Right to restrict processing (Art. 18): Request restriction of processing in certain circumstances (e.g., while accuracy is contested).
To exercise any of these rights, email dpo@observeops.com. We will respond within 30 days.
Data Retention Periods
We retain personal data only for as long as necessary for the purpose for which it was collected:
- Client account data: Duration of the contract plus 90 days.
- Financial records: 7 years (statutory requirement).
- Marketing consent records: Until consent is withdrawn plus 1 year.
- Support communications: 3 years from date of last communication.
- Website analytics: 26 months (Google Analytics default), aggregated indefinitely.
International Transfers
ObserveOps is based in the United States. When we transfer personal data from the European Economic Area (EEA) to the US, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors that include appropriate transfer mechanisms
- Use of service providers certified under the EU-US Data Privacy Framework where applicable
Data Protection Officer
We have appointed a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance. You can contact our DPO directly:
- Email: dpo@observeops.com
- Response time: Within 30 days of receipt.
How to Lodge a Complaint
If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with a supervisory authority. In the EU, this is typically the data protection authority in your country of residence.
We encourage you to contact us first at dpo@observeops.com so we can resolve your concern directly. We take all complaints seriously and will investigate promptly.