GDPR Compliance Documentation – BetterFlow

Last Updated: 01.07.2025
Document Version: 1.0

1. Introduction

This document outlines how BetterFlow complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Better Quality Assurance S.R.L. takes data protection seriously and has implemented comprehensive measures to ensure full GDPR compliance.

2. Data Controller Information

Company: Better Quality Assurance S.R.L.
Address: Str. Transilvaniei 202, Baciu, Cluj County, 407055, Romania
Registration: ROONRC.J2018003363123
VAT: RO39687318
Data Protection Officer: dpo@betterflow.eu
Representative: Not required (established in EU)

3. GDPR Principles Compliance

3.1 Lawfulness, Fairness, and Transparency

  • Clear Privacy Policy: Comprehensive, plain-language privacy information
  • Transparent Processing: Users informed of all data processing activities
  • Legal Basis Identified: Each processing activity has documented legal basis
  • Fair Processing: No hidden data collection or deceptive practices

3.2 Purpose Limitation

  • Specified Purposes: Data collected only for:
    • Service provision (project management, time tracking)
    • Legal compliance
    • Legitimate business interests
    • User support and communication
  • No Repurposing: Data not used beyond stated purposes
  • New Purpose Consent: Explicit consent for any new processing purposes

3.3 Data Minimization

  • Necessary Data Only: Collection limited to service requirements
  • Optional Fields Marked: Clear distinction between required/optional data
  • Regular Reviews: Periodic assessment of data collection necessity
  • Automatic Purging: Activity logs deleted after 30 days

3.4 Accuracy

  • User Control: Users can update their information directly
  • Admin Corrections: Administrators can correct team member data
  • Verification Processes: Email verification for critical changes
  • Update Mechanisms: Clear processes for data correction requests

3.5 Storage Limitation

  • Defined Retention Periods:
    • Active accounts: Duration of service
    • Deleted accounts: Immediate purging from live systems (copies in backups expire under the 30-day backup retention below)
    • Backups: 30-day retention
    • Logs: 30-day automatic deletion
    • Financial records: Legal requirement (7 years)
  • Automatic Deletion: Systematic purging of expired data
  • Retention Review: Annual review of retention policies

3.6 Integrity and Confidentiality

  • Technical Measures: Encryption, access controls, secure infrastructure
  • Organizational Measures: Training, policies, procedures
  • ISO 27001 Certification: Verified security management system
  • Regular Testing: Penetration tests and security audits

3.7 Accountability

  • Documentation: Comprehensive records of processing activities
  • Privacy by Design: Data protection built into system architecture
  • DPIAs: Data Protection Impact Assessments for high-risk processing
  • Compliance Monitoring: Regular audits and reviews

4. Legal Bases for Processing

4.1 Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Time tracking and reporting
  • Project management services
  • Leave management
  • Service delivery

4.2 Legal Obligations (Article 6(1)(c))

  • Financial record keeping
  • Tax compliance
  • Legal dispute resolution
  • Regulatory requirements

4.3 Legitimate Interests (Article 6(1)(f))

  • Security and fraud prevention
  • Service improvement
  • Internal analytics (anonymized)
  • Direct marketing (with opt-out)

Legitimate Interests Assessment (LIA) conducted for:

  • Client view tracking (transparency and project management)
  • Automated compliance reminders (operational efficiency)
  • Usage analytics (service improvement)

4.4 Consent (Article 6(1)(a))

  • Marketing communications
  • Optional features
  • Cookies (non-essential)
  • Beta feature participation

5. Data Subject Rights Implementation

5.1 Right of Access (Article 15)

  • Implementation: User dashboard with data visibility
  • Process: Email request to privacy@betterflow.eu
  • Response Time: Within one month of receipt (Article 12(3)), extendable by up to two further months for complex or numerous requests, with the data subject informed of any extension
  • Format: Structured, downloadable format
  • Verification: Identity verification required

5.2 Right to Rectification (Article 16)

  • Self-Service: Direct profile editing
  • Admin Support: Administrator can update user data
  • API Updates: Programmatic updates available
  • Cascade Updates: Changes propagate throughout system

5.3 Right to Erasure (Article 17)

  • Implementation: GDPR-compliant deletion feature
  • Immediate Effect: Instant access revocation
  • Complete Removal: All personal data expunged from live systems; backup copies expire under the 30-day backup retention period
  • Exceptions: Data subject to legal retention requirements (e.g. financial records, 7 years) is retained only for that purpose
  • Admin Capability: Both self-service and admin-initiated

5.4 Right to Restriction (Article 18)

  • Account Suspension: Temporary processing halt
  • Selective Restriction: Specific processing activities
  • Dispute Resolution: During accuracy verification
  • Clear Marking: Restricted data clearly identified

5.5 Right to Data Portability (Article 20)

  • Export Features: CSV/Excel export capabilities
  • API Access: Programmatic data retrieval
  • Machine-Readable: Structured data formats
  • Direct Transfer: Support for service-to-service transfer

5.6 Right to Object (Article 21)

  • Marketing Opt-Out: One-click unsubscribe
  • Processing Objection: Clear objection mechanisms
  • Legitimate Interests: Balance test documentation
  • Automated Decisions: Human review available

5.7 Rights Related to Automated Decision-Making (Article 22)

  • Current State: No fully automated decision-making
  • Future AI Features:
    • Human oversight required
    • Opt-in basis only
    • Clear explanations provided
    • Manual review options

6. Technical and Organizational Measures

6.1 Technical Measures

  • Encryption: TLS 1.2 or higher in transit, AES-256 at rest
  • Access Controls: Role-based access control (RBAC); multi-factor authentication (MFA) available to users
  • Pseudonymization: Where applicable
  • System Security: Firewalls, IDS, DDoS protection
  • Testing: Regular penetration testing
  • Monitoring: 24/7 security monitoring

6.2 Organizational Measures

  • Staff Training: Annual GDPR training
  • Confidentiality: NDAs for all staff
  • Access Management: Need-to-know basis
  • Incident Response: Documented procedures
  • Vendor Management: DPAs with processors
  • Privacy by Design: Development methodology

7. Data Processing Records (Article 30)

7.1 Controller Records Include

  • Processing purposes
  • Data categories
  • Data subject categories
  • Recipient categories
  • International transfers
  • Retention periods
  • Security measures

7.2 Processor Records Include

  • Processing activities
  • Categories of processing
  • International transfers
  • Security measures
  • Sub-processor details

8. Data Protection Impact Assessments (DPIAs)

8.1 DPIA Triggers

  • AI/ML feature implementation
  • Large-scale monitoring (client view tracking)
  • New technology adoption
  • Significant system changes

8.2 DPIA Process

  1. Necessity and proportionality assessment
  2. Risk identification and assessment
  3. Mitigation measures
  4. Stakeholder consultation
  5. Review and approval
  6. Ongoing monitoring

9. International Data Transfers

9.1 Within EU/EEA

  • Primary data storage in EU
  • EU-based service providers preferred
  • No additional safeguards required

9.2 Outside EU/EEA

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Supplementary measures assessment
  • Transfer impact assessments

10. Data Breach Management

10.1 Breach Response Plan

  • Detection: Monitoring and alerting systems
  • Assessment: Severity and impact evaluation
  • Containment: Immediate mitigation steps
  • Notification: Supervisory authority notified within 72 hours of becoming aware of the breach (Article 33)
  • Documentation: Comprehensive breach records

10.2 Notification Procedures

  • Supervisory Authority: Within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to data subjects (Article 33)
  • Data Subjects: Without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Content: Nature, impact, measures, contacts
  • Records: All breaches documented

11. Third-Party Processing

11.1 Processor Requirements

  • Written Data Processing Agreements (DPAs)
  • Security guarantee requirements
  • Audit rights inclusion
  • Sub-processor restrictions
  • Data return/deletion obligations

11.2 Current Processors

  • Cloud hosting provider (EU-based)
  • Email service provider
  • Payment processor
  • Backup service provider
  • DeskTime (integration partner)

12. Privacy Governance

12.1 Roles and Responsibilities

  • Data Protection Officer: Strategic oversight
  • Security Team: Technical implementation
  • Legal Team: Compliance monitoring
  • Development Team: Privacy by design
  • Management: Resource allocation

12.2 Governance Activities

  • Monthly privacy reviews
  • Quarterly compliance assessments
  • Annual policy updates
  • Ongoing training programs
  • Regular audit schedule

13. Cookie Compliance

13.1 Cookie Categories

  • Essential: Authentication, security
  • Functional: User preferences
  • Analytics: Usage statistics (consent required)
  • Marketing: Not currently used

13.2 Consent Management

  • Clear cookie banner
  • Granular consent options
  • Easy withdrawal mechanism
  • Consent records maintained

14. Special Category Data

14.1 Current Processing

  • Sick Leave Data: Health-related data (special category under Article 9)
  • Legal Basis: Processing necessary for employment law obligations (Article 9(2)(b)), alongside the Article 6 basis for the underlying leave management
  • Extra Safeguards:
    • Limited access
    • Enhanced encryption
    • Strict retention limits
    • No automated processing

15. Children’s Data

  • Age Limit: 16 years minimum
  • Age Confirmation: Users attest to meeting the minimum age by accepting the Terms; no separate identity-based age verification is performed
  • No Targeted Processing: No child-specific features
  • Discovery Response: Immediate deletion

16. GDPR Compliance Checklist

✅ Privacy Policy published and accessible
✅ Legal bases documented for all processing
✅ Data Subject Rights implemented
✅ DPO appointed and contactable
✅ Processing records maintained
✅ Security measures implemented
✅ Breach procedures established
✅ DPAs with all processors
✅ Staff training completed
✅ Consent mechanisms operational
✅ Retention policies enforced
✅ DPIA process established
✅ International transfer safeguards
✅ Cookie compliance achieved
✅ Accountability demonstrated

17. Contact Information

Data Protection Queries

Data Protection Officer
Email: dpo@betterflow.eu
Phone: +40 751 289 399

Privacy Requests

Privacy Team
Email: privacy@betterflow.eu

Complaints

Users have the right to lodge complaints with:

Romanian National Supervisory Authority
Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

18. Document Management

  • Review Frequency: Quarterly
  • Update Authority: DPO and Legal Team
  • Version Control: Git repository
  • Distribution: All relevant stakeholders
  • Training: Upon significant updates

This document demonstrates BetterFlow’s comprehensive GDPR compliance program and our commitment to protecting personal data rights.