GDPR Compliance
Last updated: January 27, 2026
Our Commitment to GDPR
TesterPayKit is fully committed to complying with the General Data Protection Regulation (GDPR). As a company headquartered in Germany, we have implemented comprehensive data protection measures to ensure your personal data is processed lawfully, fairly, and transparently.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is located.
GDPR establishes strict requirements for how personal data must be collected, stored, processed, and protected, and grants individuals significant rights over their personal data.
Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete data completed.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," this right lets you request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Right to Restriction (Article 18)
You can request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
Right Against Automated Decisions (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you, with certain exceptions.
Legal Bases for Processing
We process your personal data based on the following legal grounds:
Contractual Necessity (Article 6(1)(b))
Processing necessary for the performance of our contract with you, including:
- Account creation and management
- Providing access to testing campaigns
- Processing payments and distributing rewards
- Customer support and communication
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, balanced against your rights:
- Improving and developing our services
- Fraud prevention and security
- Analytics to understand usage patterns
- Business communications about service updates
Consent (Article 6(1)(a))
Where we rely on your consent for processing:
- Marketing communications and newsletters
- Analytics cookies and tracking
- Optional profile information sharing with clients
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations:
- Tax and financial reporting requirements
- Responding to valid legal requests
- Anti-money laundering compliance
International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:
Transfer Mechanisms
- Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
- Standard Contractual Clauses: EU-approved contracts with service providers in other countries
- Binding Corporate Rules: For transfers within our corporate group
Sub-Processors
We use the following categories of sub-processors who may process your data:
- Cloud infrastructure providers (EU data centers)
- Payment processors (PCI DSS compliant)
- Email service providers (GDPR compliant)
- Analytics providers (anonymized data only, self-hosted)
A complete list of our sub-processors is available upon request.
Technical and Organizational Measures
We have implemented comprehensive measures to protect your personal data:
Technical Measures
- Encryption in transit and at rest
- Regular security testing
- Access controls and authentication
- Secure development practices
- Regular backups with encryption
Organizational Measures
- Data protection policies
- Employee training programs
- Access on a need-to-know basis
- Incident response procedures
- Regular compliance audits
Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Data | Duration of account + 3 years | Contract performance, legal claims |
| Payment Records | 7 years | Tax and accounting requirements |
| Bug Reports | 2 years after campaign | Contract performance, disputes |
| Support Tickets | 3 years | Service improvement, legal claims |
| Marketing Consent | Until withdrawal + 1 year | Compliance documentation |
| Server Logs | 90 days | Security, troubleshooting |
How to Exercise Your Rights
You can exercise your GDPR rights through the following methods:
Self-Service Options
- Access and download your data from your account settings
- Update your profile information directly in the app
- Manage your communication preferences
- Delete your account through the settings page
Submit a Request
For rights requests that cannot be handled through self-service:
- Email dpo@testerpaykit.com with your request
- Specify the right you wish to exercise
- Provide sufficient information for us to verify your identity
- We will respond within 30 days (extendable by 60 days for complex requests)
Note: We provide these services free of charge. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and compliance. You can contact our DPO for any data protection inquiries:
Email: dpo@testerpaykit.com
Address:
Data Protection Officer
TesterPayKit
Hamburg, Germany
Right to Lodge a Complaint
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str 22, 7. OG
20459 Hamburg, Germany
https://datenschutz-hamburg.de
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
Updates to This Page
We may update this GDPR compliance page from time to time. When we make significant changes, we will notify you via email or through our platform. We encourage you to review this page periodically.
Contact Us
For any questions about GDPR or our data protection practices:
Data Protection Officer: dpo@testerpaykit.com
Privacy Team: privacy@testerpaykit.com
Address:
TesterPayKit
Privacy and Data Protection
Hamburg, Germany