GDPR Compliance
Learn how HomilyWriterAI complies with the European Union's General Data Protection Regulation (GDPR) and how we protect the rights of EU data subjects.
Last Updated: July 1, 2024
1. Introduction
This GDPR Compliance Notice explains how HomilyWriterAI ("we", "our", or "us") processes personal data in accordance with the European Union's General Data Protection Regulation (GDPR) for users accessing our services from the European Economic Area (EEA), United Kingdom, and Switzerland.
The GDPR enhances and unifies data protection for individuals within the EU. While HomilyWriterAI is based in the United States, we are committed to ensuring that our data processing activities comply with GDPR requirements for users in the EU.
This notice supplements our main Privacy Policy and provides specific information about our GDPR compliance measures. If there is any conflict between this GDPR Compliance Notice and our Privacy Policy, this GDPR Compliance Notice will prevail for users subject to the GDPR.
1.1 Data Controller
HomilyWriterAI operates as a data controller for the personal data we collect through our website and services. This means we determine the purposes and means of processing your personal data.
As a data controller, we are responsible for implementing appropriate technical and organizational measures to ensure the security of your personal data and to demonstrate GDPR compliance.
2. Lawful Basis for Processing
Under the GDPR, we must have a valid lawful basis to process your personal data. We rely on the following lawful bases:
2.1 Consent
Where you opt in to receive marketing communications (for example, when you create an account), we process your personal data based on your consent. You have the right to withdraw your consent at any time by contacting us at privacy@homilywriterai.com or by adjusting your preferences in your account settings; withdrawal does not affect the lawfulness of processing carried out before it.
2.2 Contract
We process your personal data when it is necessary for the performance of a contract with you (such as our Terms of Service) or to take steps at your request before entering into a contract. This includes:
- Creating and managing your account
- Processing payments and subscriptions
- Providing our homily generation services
- Saving and retrieving your homilies
- Providing customer support
2.3 Legitimate Interests
We process some personal data based on our legitimate interests, provided they are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:
- Improving and personalizing our services
- Ensuring the security of our platform
- Analyzing usage patterns to enhance user experience
- Marketing our services to existing customers
- Detecting and preventing fraudulent activities
You have the right to object to processing based on legitimate interests by contacting us at privacy@homilywriterai.com.
2.4 Legal Obligation
We may process your personal data when necessary to comply with a legal obligation, such as financial record-keeping or responding to valid legal requests from public authorities.
For each type of processing activity, we maintain records of the specific lawful basis we rely on. If you have questions about the lawful basis for processing specific categories of data, please contact our Data Protection Officer.
3. EU Data Subject Rights
Under the GDPR, individuals in the EU have enhanced rights regarding their personal data. If you are located in the EU, you have the following rights:
3.1 Right to Access
You have the right to obtain confirmation that your personal data is being processed and to receive a copy of the personal data we hold about you, along with information about how we use it.
3.2 Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your information directly through your account settings.
3.3 Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected or when you withdraw consent.
3.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of your data or when the processing is unlawful but you oppose erasure.
3.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
3.6 Right to Object
You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, or for research and statistical purposes.
3.7 Rights Related to Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you. While our AI services involve automated processing, our homily generation does not produce legal or similarly significant effects as defined under the GDPR.
3.8 How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer at privacy@homilywriterai.com or submit a request through our GDPR Request Form below. We will respond to your request within one month, which may be extended by up to two additional months when necessary, taking into account the complexity and number of requests.
There may be circumstances where we cannot fully satisfy your request, such as when it would adversely affect the rights of others or when we are legally permitted to handle the request differently. If we decline to fully act on your request, we will explain our reasons for the decision.
4. Data Transfers
HomilyWriterAI is based in the United States, and our primary data storage servers are located in the US. When you use our services from the EU, your personal data is transferred to and processed in the United States and potentially other countries outside the EU.
4.1 Transfer Safeguards
To ensure adequate protection for international data transfers under the GDPR, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): We incorporate the European Commission's approved Standard Contractual Clauses into our agreements with third-party service providers who process EU user data outside the EU.
- Technical and Organizational Measures: We implement appropriate security measures to protect your data during transfer and storage, including encryption, access controls, and regular security assessments.
- Data Minimization: We transfer only the personal data necessary for the specified purposes.
4.2 Third-Party Transfers
When we share your personal data with third-party service providers, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures to meet GDPR requirements and protect your rights. Our major service providers include:
- Supabase (Database hosting)
- Payment processors
- Analytics providers
- Email service providers
We maintain a list of all third parties who process personal data on our behalf, including information about the types of data processed, the location of processing, and the safeguards in place for international transfers.
5. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
5.1 Notification to Supervisory Authority
We will notify the relevant EU supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the personal data breach
- Categories and approximate number of data subjects concerned
- Categories and approximate number of personal data records concerned
- Name and contact details of our Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach
5.2 Notification to Affected Individuals
When a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. The notification will describe in clear and plain language the nature of the breach and include at minimum:
- Contact details of our Data Protection Officer
- Description of the likely consequences of the breach
- Description of the measures taken or proposed to address the breach
- Recommendations for individuals to mitigate potential adverse effects
5.3 Documentation
We maintain a record of all personal data breaches, including the facts surrounding the breach, its effects, and the remedial action taken. This documentation allows supervisory authorities to verify our compliance with the GDPR's breach notification requirements.
6. Data Protection by Design
We implement data protection by design and by default into our products and services. This means we integrate data protection into our processing activities from the earliest stages of design and include safeguards to protect data subject rights.
6.1 Technical and Organizational Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Process for regularly testing, assessing, and evaluating the effectiveness of security measures
- Measures to restore availability and access to personal data in the event of a physical or technical incident
6.2 Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, particularly when implementing new technologies or when processing sensitive data on a large scale.
6.3 Records of Processing Activities
We maintain records of our processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Information about international transfers
- Envisaged time limits for erasure
- Description of security measures
7. Data Protection Officer
Although the GDPR does not require us to appoint one (the mandatory appointment applies to public authorities and to organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), we have voluntarily appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure GDPR compliance.
7.1 DPO Responsibilities
Our DPO's responsibilities include:
- Informing and advising us and our employees about GDPR obligations
- Monitoring compliance with the GDPR and other data protection laws
- Providing advice on Data Protection Impact Assessments
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects and supervisory authorities
7.2 Contact Information
You can contact our Data Protection Officer at:
Email: privacy@homilywriterai.com
Address: 1234 Church Street, Boston, MA 02108, United States
8. How to Submit GDPR Requests
If you wish to exercise your rights under the GDPR, you can do so by completing the form below, emailing our Data Protection Officer, or using the contact information provided above.
GDPR Request Form
Note: We may require additional information to verify your identity before processing your request.
We aim to respond to all requests within one month. However, in some cases, we may need to extend this period by up to two additional months, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.