GDPR Compliance

1. PURPOSE & EXTRA-TERRITORIAL SCOPE

  • This policy demonstrates how Creative Tech Worx (Pty) Ltd complies with the EU General Data Protection Regulation (GDPR) in accordance with Article 3(2), where services are offered to data subjects located in the European Union, European Economic Area (EEA), and the United Kingdom.

  • The Company adheres to the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

2. DATA CONTROLLER & EU/UK REPRESENTATIVE (ARTICLE 27)

2.1 Data Controller

Creative Tech Worx (Pty) Ltd Republic of South Africa Legal Department

2.2 EU / UK Representative

  • As the Company is not established in the EU or UK, it has appointed an EU/UK Representative in accordance with Article 27 of the GDPR.

EU/UK Representative:

  • [To be appointed – e.g. VeraSafe, GDPRLocal, or equivalent GDPR Article 27 service]

The Representative acts as the Company’s point of contact for:

  • EU supervisory authorities

  • EU/UK data subjects exercising GDPR rights

3. LAWFUL BASES FOR PROCESSING (ARTICLE 6)

Personal data is processed on one or more of the following lawful bases:

  • Consent – waitlists, marketing communications, optional features

  • Contractual necessity – provision of SaaS and mobile application services

  • Legal obligation – regulatory and compliance requirements

  • Legitimate interests – platform security, fraud prevention, service optimisation

4. RECORD OF PROCESSING ACTIVITIES (ARTICLE 30)

The Company maintains an internal Record of Processing Activities (RoPA) documenting:

  • Categories of personal data processed

  • Purposes of processing

  • Data subject categories

  • Retention periods

  • Security measures

  • Sub-processors and international transfers

  • This record is maintained digitally and updated as systems and services evolve.

5. INTERNATIONAL DATA TRANSFERS (ARTICLE 46)

  • Personal data is transferred from the EU/EEA/UK to servers located in South Africa, which is currently classified as a third country without an EU adequacy decision.

To ensure an equivalent level of protection, the Company implements the following safeguards:

5.1 Standard Contractual Clauses (SCCs)

The Company executes EU Standard Contractual Clauses with:

  • EU-based clients

  • EU-based partners

  • Relevant sub-processors

5.2 Transfer Impact Assessments (TIAs)

Transfer Impact Assessments are conducted to evaluate:

  • Local legal risks

  • Government access considerations

  • Effectiveness of encryption and access controls

6. SPECIAL CATEGORIES & CHILDREN’S DATA

6.1 Children’s Data (Article 8)

For applications such as LifeArk, which process personal data relating to minors:

  • Verified parental or guardian consent is mandatory

  • Reasonable measures are implemented to confirm the identity of the competent person

  • Consent may be withdrawn at any time

6.2 High-Risk Processing & DPIAs (Article 35)

The Company conducts Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk, including:

  • Processing children’s personal data at scale

  • AI-driven profiling or behavioural analysis

  • Processing sensitive or health-related data

  • DPIAs are reviewed by the Information Officer prior to deployment.

7. AI & AUTOMATED DECISION-MAKING (ARTICLE 22)

Where Artificial Intelligence is used (e.g. Lucia, PawScore):

  • Users are informed when interacting with AI

  • No decision producing legal or similarly significant effects is made solely by automated means

Users may:

  • Request human intervention

  • Object to profiling

  • Obtain an explanation of automated outputs where applicable

8. SUB-PROCESSORS

The Company engages only sub-processors that provide sufficient guarantees of GDPR compliance, including:

  • Cloud infrastructure providers (e.g. AWS, Supabase)

  • AI service providers (e.g. OpenAI, Anthropic)

  • All sub-processors are bound by Data Processing Agreements (DPAs) incorporating GDPR-compliant obligations.

9. DATA SUBJECT RIGHTS

EU/UK data subjects may exercise their rights to:

  • Access

  • Rectification

  • Erasure (“Right to be Forgotten”)

  • Restriction

  • Data portability

  • Objection

  • Withdrawal of consent

  • Requests may be submitted to our Legal Department and are handled within 30 days.

10. DATA BREACH NOTIFICATION (ARTICLES 33 & 34)

In the event of a personal data breach:

  • The relevant EU Supervisory Authority will be notified within 72 hours, where required

  • Affected data subjects will be informed without undue delay

  • Remedial and preventative actions will be implemented

11. POLICY REVIEW

This GDPR Compliance Policy is reviewed:

  • Annually

  • Upon material legal or technical change

  • Following any significant data incident