GDPR Compliance

Last updated: January 27, 2026

Our Commitment to GDPR

TesterPayKit is fully committed to complying with the General Data Protection Regulation (GDPR). As a company headquartered in Germany, we have implemented comprehensive data protection measures to ensure your personal data is processed lawfully, fairly, and transparently.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is located.

GDPR establishes strict requirements for how personal data must be collected, stored, processed, and protected, and grants individuals significant rights over their personal data.

Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure (Article 17)

Under this right, also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

Right to Restriction (Article 18)

You can request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)

You can object to processing of your personal data that is based on our legitimate interests, and to any processing for direct marketing purposes.

Right Against Automated Decisions (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you, with certain exceptions.

Legal Bases for Processing

We process your personal data based on the following legal grounds:

Contractual Necessity (Article 6(1)(b))

Processing necessary for the performance of our contract with you, including:

  • Account creation and management
  • Providing access to testing campaigns
  • Processing payments and distributing rewards
  • Customer support and communication

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights:

  • Improving and developing our services
  • Fraud prevention and security
  • Analytics to understand usage patterns
  • Business communications about service updates

Consent (Article 6(1)(a))

Where we rely on your consent for processing:

  • Marketing communications and newsletters
  • Analytics cookies and tracking
  • Optional profile information sharing with clients

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and financial reporting requirements
  • Responding to valid legal requests
  • Anti-money laundering compliance

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with adequate data protection (e.g., UK, Switzerland)
  • Standard Contractual Clauses: EU-approved contracts with service providers in other countries
  • Binding Corporate Rules: For transfers within our corporate group

Sub-Processors

We use the following categories of sub-processors who may process your data:

  • Cloud infrastructure providers (EU data centers)
  • Payment processors (PCI DSS compliant)
  • Email service providers (GDPR compliant)
  • Analytics providers (anonymized data only, self-hosted)

A complete list of our sub-processors is available upon request.

Technical and Organizational Measures

We have implemented comprehensive measures to protect your personal data:

Technical Measures

  • Encryption in transit and at rest
  • Regular security testing
  • Access controls and authentication
  • Secure development practices
  • Regular backups with encryption

Organizational Measures

  • Data protection policies
  • Employee training programs
  • Access on need-to-know basis
  • Incident response procedures
  • Regular compliance audits

Data Retention Periods

We retain personal data only for as long as necessary for the purposes it was collected:

Data Category      Retention Period               Justification
Account Data       Duration of account + 3 years  Contract performance, legal claims
Payment Records    7 years                        Tax and accounting requirements
Bug Reports        2 years after campaign         Contract performance, disputes
Support Tickets    3 years                        Service improvement, legal claims
Marketing Consent  Until withdrawal + 1 year      Compliance documentation
Server Logs        90 days                        Security, troubleshooting

How to Exercise Your Rights

You can exercise your GDPR rights through the following methods:

Self-Service Options

  • Access and download your data from your account settings
  • Update your profile information directly in the app
  • Manage your communication preferences
  • Delete your account through the settings page

Submit a Request

For rights requests that cannot be handled through self-service:

  1. Email dpo@testerpaykit.com with your request
  2. Specify the right you wish to exercise
  3. Provide sufficient information for us to verify your identity
  4. We will respond within 30 days (extendable by 60 days for complex requests)

Note: We provide these services free of charge. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and compliance. You can contact our DPO for any data protection inquiries:

Email: dpo@testerpaykit.com

Address:
Data Protection Officer
TesterPayKit
Hamburg, Germany

Right to Lodge a Complaint

If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit

Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany
https://datenschutz-hamburg.de

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

Updates to This Page

We may update this GDPR compliance page from time to time. When we make significant changes, we will notify you via email or through our platform. We encourage you to review this page periodically.

Contact Us

For any questions about GDPR or our data protection practices:

Data Protection Officer: dpo@testerpaykit.com

Privacy Team: privacy@testerpaykit.com

Address:
TesterPayKit
Privacy and Data Protection
Hamburg, Germany