GDPR Compliance Statement

1. Introduction and Applicability

This GDPR Compliance Statement ("Statement") outlines how Couple Socials (the "Company," functioning solely as a contractual designation for the operator of the Service) complies with the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679). This Statement applies to users located within the European Economic Area (EEA), the United Kingdom, and any jurisdiction that recognizes GDPR-equivalent protections.

This Statement should be read together with the Company's Privacy Policy, Cookie Policy, Terms of Service, and any additional notices relating to data protection.

The Company is committed to ensuring that personal data is processed lawfully, transparently, securely, and in accordance with GDPR obligations.

2. Legal Bases for Processing Personal Data

The Company processes personal data only when one or more lawful bases under Article 6 GDPR apply. These include:

2.1 Consent

Processing is based on your freely given, specific, informed, and unambiguous consent, particularly for optional features such as marketing communication, use of non-essential cookies, or user-submitted profile content.

2.2 Contractual Necessity

Processing is required to perform the contractual relationship between you and the Company, such as:

• account creation
• subscription management
• enabling platform functionality
• delivering user-requested features

2.3 Legal Obligation

Processing is necessary for compliance with applicable laws, including:

• responding to lawful requests
• maintaining records where required
• complying with regulatory requirements

2.4 Legitimate Interests

Processing is necessary for the Company's legitimate interests, provided such interests are not overridden by your rights. These interests may include:

• maintaining platform security
• preventing fraud, misuse, or unauthorized access
• improving the Service's performance and user experience
• ensuring operational continuity and integrity

The Company conducts balancing assessments where required.

3. Your Rights as a Data Subject Under GDPR

Users located in the EEA or UK have the following rights, subject to applicable conditions and legal limitations:

3.1 Right of Access (Article 15)

You may request confirmation of whether your data is processed and obtain a copy of your personal data.

3.2 Right to Rectification (Article 16)

You may request correction of inaccurate or incomplete personal data.

3.3 Right to Erasure ("Right to Be Forgotten") (Article 17)

You may request deletion of your personal data where:

• data is no longer necessary
• you withdraw consent (where consent is the basis)
• processing is unlawful
• you object and no overriding legitimate interests exist

3.4 Right to Restriction of Processing (Article 18)

You may request restricted processing in certain circumstances, such as during dispute resolution or verification.

3.5 Right to Data Portability (Article 20)

You may request your data in a structured, commonly used, and machine-readable format and request its transfer to another controller where technically feasible.

3.6 Right to Object (Article 21)

You may object to processing based on legitimate interests or processing for direct marketing.

3.7 Rights Related to Automated Decision-Making and Profiling (Article 22)

You have the right not to be subjected solely to automated decision-making that produces legal or significant effects.

The Company does not engage in automated decision-making or profiling that would trigger this right.

4. Exercising Your Rights

To exercise your GDPR rights, contact the Company at:

Examples:

• GDPR Request – Access
• GDPR Request – Erasure
• GDPR Request – Data Portability

The Company will respond within one (1) month of receipt. For complex or high-volume requests, this period may be extended by up to an additional two (2) months, in which case you will be notified.

Proof of identity may be required to prevent unauthorized or fraudulent requests.

5. International Data Transfers

Personal data may be processed or transferred outside the EEA or UK. When such transfers occur, the Company ensures that adequate safeguards are implemented, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for specific jurisdictions
• Contractual and technical safeguards, including encryption and pseudonymization
• Compliance measures consistent with GDPR Articles 44–50

The Company ensures that all transfers are lawful, secure, and compliant with regulatory expectations.

6. Data Protection Officer (DPO)

The Company has designated a Data Protection Officer to oversee GDPR compliance, monitor internal processes, and act as the primary contact for regulatory matters and data subject requests.

7. Personal Data Breach Notification

In accordance with GDPR Articles 33 and 34:

• In the event of a personal data breach that poses a high risk to the rights and freedoms of users, the Company will notify affected individuals without undue delay.
• The Company will notify the appropriate supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk to users.

The Company maintains internal protocols for detection, investigation, and mitigation of data breaches.

8. Data Retention Practices

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including:

• operational service delivery
• compliance with legal and regulatory obligations
• dispute resolution
• fraud prevention
• security and auditing
• subscription and account management

Retention periods are determined by:

• the nature and sensitivity of data
• risk assessments
• applicable legal requirements
• the necessity of maintaining service continuity

When retention requirements expire, data is anonymized or securely deleted.

9. Right to Lodge a Complaint With a Supervisory Authority

If you believe your GDPR rights have been violated, you may lodge a complaint with your national or regional data protection authority.

A list of supervisory authorities can be found on the website of the European Data Protection Board (EDPB).

You may also contact the Company's DPO directly to resolve concerns prior to contacting authorities.

10. Updates to This GDPR Compliance Statement

The Company may update this Statement from time to time to reflect:

• changes in data processing practices
• updates in legal or regulatory frameworks
• operational or organizational changes
• technological advances

Revisions become effective upon posting. Users are encouraged to review this Statement periodically.

11. Contact Information

For inquiries, concerns, or GDPR-related requests, contact: