1. Roles Under GDPR

• Controller: We determine how personal data such as customer contact details, billing information, and account settings are used.
• Processor: We process personal data strictly on documented instructions from our customers when they use R360 Solutions for device diagnostics, validation, or certified data erasure.

In both roles, we follow GDPR principles including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability.

2. Lawful Bases for Processing

• Consent (for optional marketing activities)
• Contract (to provide and support our software and services)
• Legal obligation (regulatory and tax requirements)
• Legitimate interests (service security, abuse prevention, and feature improvement), balanced against user rights

3. Personal Data We Process

“Personal data” means information that identifies or can identify a person. Typical categories include:

• Identification & contact data (name, email, company, role, phone)
• Account data (login credentials, settings, preferences)
• Operational data: device identifiers and diagnostics information when linked to a person or organisation, log files, IP addresses, and technical identifiers.

We do not intentionally collect special categories of data (e.g., health, religion, biometrics).

4. Purpose Limitation & Data Minimisation

We collect only what we need, for clear purposes:

• Operating and improving our software
• Running device diagnostics, validation, and secure data erasure
• Producing audit-ready certificates and reports
• Providing customer support and training
• Meeting legal, security, and compliance obligations

We do not use personal data for purposes that are incompatible with these goals.

5. Data Retention

We keep personal data only as long as necessary for the purposes above or as required by law and contracts. When data is no longer needed, we delete or anonymise it following GDPR-compliant retention procedures. Customers can configure retention for certain Processor activities in line with their policies.

6. Your GDPR Rights

Subject to conditions in the GDPR, you can:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase data (“right to be forgotten”).
• Restrict certain processing.
• Port your data in a machine-readable format.
• Object to processing based on legitimate interests or direct marketing.
• Withdraw consent at any time (where consent is the basis).

Requests can be made by contacting us at the email address below. We aim to respond within 30 days.

7. International Data Transfers

When data is transferred outside the EEA/UK, we use appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, and/or
• Adequacy decisions were available.

We also assess local laws and implement additional measures where needed.

8. Security Measures

We apply layered technical and organisational controls to guard personal data against unauthorised access, alteration, loss, or misuse, including:

• Encryption in transit and at rest, secure key management.
• Role-based access control and multi-factor authentication.
• Segmented networks and hardened infrastructure.
• Regular security reviews, audits, and vulnerability management.
• Use of reputable, security-compliant data centres (e.g., ISO 27001).

Customers can request our most recent security overview and sub-processor list.

9. Data Breaches

If a personal-data breach occurs:

• We will notify the relevant supervisory authority within 72 hours when required.
• We will inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
• We will cooperate with customers and authorities and document the incident.

10. Sub-Processors

To provide our services, we may engage vetted third-party providers (“sub-processors”) for hosting, email delivery, analytics, and support. Each sub-processor is bound by written data-protection terms that meet GDPR standards. A current list is available on request at (email address).

11. Children’s Data

Our services are not intended for children, and we do not knowingly process children’s personal data.

12. Cookies & Similar Technologies

For details about cookies and similar technologies used on our websites and portals, please see our Cookie Policy. You can manage preferences through our cookie banner or your browser settings.

13. Data Protection Officer (DPO) / Contact

Data Protection Contact
Email: dpo@r360solutions.com

14. Supervisory Authority

You may complain to your local data protection authority. A list of EU authorities is available from the European Data Protection Board (EDPB).