Data Processing Policy

Effective Date: January 15, 2025
Jurisdiction: European Union / United States
Applicable Law: GDPR (EU) 2016/679, CCPA

1. Data Processing Principles

We adhere to GDPR principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

2. Categories of Data Subjects

• Website visitors
• Customers and prospects
• Suppliers and business partners
• Employees and contractors

3. Types of Personal Data

3.1. Customer Data:

• Identity data (name, title, date of birth)
• Contact data (address, email, telephone)
• Financial data (payment details, credit information)
• Transaction data (purchase history, preferences)
• Technical data (IP address, browser data)
• Profile data (account settings, preferences)

3.2. Marketing Data:

• Communication preferences
• Marketing response data
• Website behavior analytics

4. Processing Activities

4.1. Customer Management:

• Purpose: Order processing, customer service
• Legal Basis: Contract performance, legitimate interest
• Recipients: Internal teams, payment processors, shipping partners
• Retention: 7 years for financial records, 3 years for customer data

4.2. Marketing:

• Purpose: Direct marketing, product recommendations
• Legal Basis: Consent, legitimate interest
• Recipients: Internal marketing team, email service providers
• Retention: Until consent withdrawn or 3 years of inactivity

5. International Transfers

Data may be transferred to:

• United States: Under adequacy decision or standard contractual clauses
• Other countries: Only with appropriate safeguards

6. Data Subject Rights Procedures

6.1. Access Requests:

• Respond within 1 month
• Verify identity before disclosure
• Provide data in structured format

6.2. Rectification:

• Correct inaccurate data promptly
• Notify third parties if applicable

6.3. Erasure:

• Delete data when legally required
• Consider legitimate interests
• Notify third parties if applicable

7. Security Measures

7.1. Technical Measures:

• Encryption (AES-256)
• Access controls and authentication
• Network security and firewalls
• Regular security testing

7.2. Organizational Measures:

• Staff training and authorization
• Data protection impact assessments
• Incident response procedures
• Vendor security assessments

8. Data Protection Impact Assessments (DPIA)

DPIAs conducted for:

• High-risk processing activities
• New technologies implementation
• Large-scale systematic monitoring
• Processing special category data

9. Breach Notification

• Breaches assessed within 72 hours
• Authorities notified if required
• Individuals notified if high risk
• Incident response plan activated

10. Data Protection Officer

Name: [DPO Name]
Email: work@mattest.store
Phone: +7 (918) 017-00-11
Address: [DPO Address]

11. Supervisory Authority

EU: Your local data protection authority
UK: Information Commissioner's Office (ICO)
US: State attorneys general for CCPA compliance

Contact Information:
Company: Mattest Instrument Ltd.
Email: work@mattest.store
Address: [Company Address]