Skip to main content

GDPR Compliance

Last updated: 18 May 2026. If you are in the European Economic Area, the United Kingdom, or any jurisdiction that adopts GDPR-equivalent rules, this page explains the rights you have when Dcrayons Consultancy Private Limited (India) or Dcrayons Inc (USA) processes your personal data, and the safeguards we have in place. It supplements our Privacy Policy.

1. Who is the data controller

For data collected through dcrayons.app and through our marketing activities targeted at the EEA / UK, the controller is Dcrayons Consultancy Private Limited, registered in India. We do not currently maintain an establishment in the EEA. We have appointed an internal Data Protection lead who can be reached at info@dcrayons.app with the subject "GDPR request".

2. Legal bases we rely on

Under Articles 6 and 9 of the GDPR (and the UK GDPR), we process personal data only when at least one lawful basis applies:

  • Consent (Art. 6(1)(a)) -- marketing emails, marketing / analytics cookies, optional fields on forms. Always opt-in, never pre-ticked.
  • Contract (Art. 6(1)(b)) -- delivering the services in a SoW you have signed, or steps you have asked for prior to a contract (proposal, scope, pricing).
  • Legitimate interests (Art. 6(1)(f)) -- site security, fraud prevention, narrow B2B prospecting where the contact is acting in a professional capacity, aggregated analytics. Balanced against your rights via a documented Legitimate Interests Assessment; we stop on objection.
  • Legal obligation (Art. 6(1)(c)) -- responding to lawful regulatory requests, retaining records as required by Indian / US / EU law.

We do not collect special-category data (Art. 9) through the Site under normal circumstances. If a project would require us to handle it, a separate written agreement covers the safeguards.

3. Your rights in detail

  • Right of access (Art. 15) -- a free copy of the personal data we hold about you, plus context: purpose, categories, recipients, retention, source.
  • Right to rectification (Art. 16) -- correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) -- deletion in the cases listed in Article 17(1). Subject to overriding legal-retention obligations (tax, audit, defense of legal claims).
  • Right to restriction (Art. 18) -- pause processing while a dispute is investigated.
  • Right to portability (Art. 20) -- structured, commonly-used, machine-readable export of data you have provided to us, where processing is based on consent or contract.
  • Right to object (Art. 21) -- to processing based on legitimate interests, and at any time to direct marketing (no ifs, no buts).
  • Right not to be subject to automated decision-making (Art. 22) -- we do not currently use solely-automated decision-making that produces legal or similarly-significant effects.
  • Right to withdraw consent -- whenever we rely on consent, you can withdraw at any time, without affecting the lawfulness of past processing.
  • Right to lodge a complaint -- with your local supervisory authority (UK ICO, your EU member state DPA, EDPS, etc.).

4. How to exercise your rights

Email info@dcrayons.app with "GDPR request" in the subject line. Tell us:

  1. Which right you are exercising.
  2. Enough information for us to identify you (the email address you used with us is usually enough).
  3. Your preferred contact method for the response.

We respond within 30 days. In genuinely complex cases we may extend by up to 60 days and will tell you within the first 30 days if we need to. There is no fee unless your request is manifestly unfounded or excessive (we have rarely if ever charged a fee).

5. International transfers

When you contact Dcrayons from the EEA or UK, your personal data is transferred to India, where our primary operations and AWS production environment are located. India is not currently subject to an EU adequacy decision. To make these transfers lawful we rely on:

  • EU Standard Contractual Clauses (SCCs) as amended by Commission Implementing Decision (EU) 2021/914 for EEA-to-India transfers.
  • UK International Data Transfer Addendum (IDTA) for UK-to-India transfers.
  • Supplementary safeguards recommended by the EDPB after Schrems II: encryption at rest, encryption in transit, role-based access control, audit logging, mandatory two-factor authentication on staff accounts, and a documented procedure for responding to government access requests.

You can request a copy of the SCCs / IDTA we use by emailing info@dcrayons.app.

6. Sub-processors

We use a small, audited set of sub-processors (hosting, email delivery, analytics, CRM, e-signature, payment). Each is bound by a DPA + applicable transfer mechanism. A current list and the country of processing for each is available on request from info@dcrayons.app.

7. Breach notification

If a personal-data breach is likely to result in a risk to your rights, we notify your supervisory authority within 72 hours of becoming aware, per GDPR Article 33. If the breach is likely to result in a HIGH risk to you, we notify you directly without undue delay, per GDPR Article 34.

8. Children

Dcrayons services target businesses and adults. We do not knowingly process personal data of children under 16 (or the relevant local age threshold). If you believe we have done so, write to info@dcrayons.app and we delete the data promptly.

9. Supervisory authorities

  • United Kingdom: Information Commissioner's Office (ICO) -- ico.org.uk
  • European Union: the EDPB list of national DPAs -- edpb.europa.eu

10. Updates

We update this GDPR statement when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes are emailed to active subscribers and clients at least 30 days in advance.

GDPR Compliance | Dcrayons | Dcrayons