GDPR Compliance Statement

1. Our commitment

ResultsAIx is operated from Portugal — inside the EU — so the General Data Protection Regulation (GDPR) isn't a foreign add-on for us; it's home law. We design our products and data flows around data minimisation: collect the least, keep it the shortest time, and never trade in it.

2. When we are the controller

We act as data controller for:

• Customer purchase and license records (name, email, transaction ID).
• Support tickets and correspondence.
• Newsletter subscriptions (consent-based, via AWeber).
• Logs generated by visits to our sites and calls to our license/update endpoints.

Full detail — categories, purposes, legal bases, retention, recipients — is in the Privacy Policy.

3. When YOU are the controller (important for plugin users)

Our WordPress plugins run on your server, in your WordPress database. Data they process about your visitors and buyers — clicks, conversions, subscriber records, support conversations on your site — is stored on your infrastructure and never transmitted to us. For that data:

• You are the controller (and your hosting company is typically your processor).
• We are not a recipient — the only thing our servers ever receive from your installation is the license-validation ping: your site's domain, the plugin version, and the license key. No visitor data, no content, no analytics.
• That means using our plugins does not by itself create a controller–processor relationship with us, and in most setups you don't need a DPA with us to be GDPR-compliant. If your compliance team wants one anyway, we offer a standard Data Processing Addendum.

Your obligations as controller when using tracking/marketing plugins on your own site typically include: disclosing the tracking in your own privacy policy, honouring your visitors' rights, and configuring data-retention options appropriately. Our docs include guidance per product.

4. Data subject rights — how we deliver them

• One contact point: info@onlineimsupport.com. No forms, no portals, no friction.
• Identity verification: we match requests against the purchase email; if you write from a different address we'll ask for proof of purchase.
• Response time: within one month (GDPR Art. 12(3)), usually much faster.
• Free of charge.
• All eight rights honoured: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right not to be subject to solely automated decisions (we don't make any).

5. Security measures (Art. 32)

• TLS encryption for all data in transit, including plugin license pings.
• Least-privilege database access; the license system's migration accounts are read-only where possible.
• Timing-safe key comparison, rate limiting, and signature verification on payment notifications.
• Separated production environments per product line, limiting blast radius.
• Audit logging of administrative changes on the license server.
• Vendor due diligence: processors are listed in the Privacy Policy with their roles.

6. International transfers

Where data is processed by US providers (payments, email, AI), transfers rely on the EU–US Data Privacy Framework adequacy decision for certified companies, or Standard Contractual Clauses with supplementary measures. Copies of safeguards are available on request.

7. Personal-data breach process

• Contain and assess immediately on discovery.
• Notify the supervisory authority within 72 hours where the breach is likely to result in a risk to individuals (Art. 33).
• Notify affected individuals without undue delay where the risk is high (Art. 34).
• Document everything, including breaches that didn't meet the notification threshold.

8. Records & accountability

We maintain records of processing activities appropriate to the scale of the business (Art. 30), review this statement and the Privacy Policy when systems change, and apply privacy-by-design when building new features — the default for every new plugin feature is "no data leaves the customer's site".

9. Supervisory authority

Our lead supervisory authority is the Portuguese data-protection authority, CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt). You may also complain to the authority in your own country; the EDPB maintains the full list of EU data-protection authorities.

10. UK & Swiss data protection

We extend equivalent treatment to individuals covered by the UK GDPR and the Swiss FADP. UK transfers rely on the UK Extension to the EU–US DPF / UK IDTA where applicable.

11. Related documents

• Privacy Policy — the full controller disclosure.
• Cookie Policy — what runs in your browser on this site.
• Data Processing Addendum — for business customers who need one.

12. Contact

GDPR questions, rights requests, or compliance documentation requests: info@onlineimsupport.com.