Legal · Praivon
GDPR & Data Processing Agreement
Last updated: May 2026
Praivon is built in the EU, for the EU. We treat the General Data Protection Regulation (GDPR) not as a checkbox, but as the foundation of our service. This page summarizes our GDPR commitments and serves as a Data Processing Agreement (DPA) for our B2B clients (Companies tier).
1. Roles under GDPR
- Individual clients (B2C) — Praivon is the data controller for your account data. For biometric data, you consent to processing under Article 9(2)(a).
- Business clients (B2B) — Praivon is a data processor acting on your instructions. You remain the controller of your end users' data.
2. Data Processing Agreement (B2B)
For business clients, the following terms apply to data we process on your behalf:
Subject matter and purpose
Praivon processes the personal data you provide solely to deliver identity protection services as defined in our service agreement.
Categories of data and data subjects
- Personal identifiers (names, usernames, email addresses)
- Biometric data (face, voice fingerprints) — only with explicit consent of the data subject
- Data subjects: your employees, executives, public figures, or other identities you have authorization to protect
Sub-processors
We use the following sub-processors. You will be notified before any change.
- Vercel (EU regions) — application hosting
- Stripe (Ireland) — payment processing
- Resend (EU regions) — transactional email
- Additional sub-processors disclosed in your dashboard at /app/settings/security
Security measures
- AES-256 encryption at rest and in transit
- Strict access controls, role-based permissions, audit logging
- Regular penetration testing and security review
- 72-hour breach notification per Article 33
- Sub-processor agreements that impose equivalent obligations
Data subject rights
We assist you in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within 30 days, at no additional charge.
International transfers
We do not transfer personal data outside the EU/EEA except as required to perform takedowns on non-EU platforms (limited metadata only) or with explicit instruction from you.
Audit rights
On reasonable notice (no more than once per year unless required by a regulator), you may audit our processing through review of our compliance documentation or through an independent auditor.
Term and deletion
Upon termination of services, we will delete or return all personal data within 30 days, except where retention is required by law.
3. Your rights as an individual
See our Privacy Policy for the full list of rights and how to exercise them. The key rights — access, deletion, export, and consent withdrawal — are available as self-service options in your dashboard.
4. Data Protection Officer
Praivon has appointed a Data Protection Officer (DPO). Contact: dpo@praivon.com
5. Supervisory authority
You have the right to lodge a complaint with your national data protection authority. The lead supervisory authority for Praivon is the Romanian National Authority for the Supervision of Personal Data Processing (ANSPDCP).
6. Standard Contractual Clauses
For business clients requiring formal SCCs (e.g., for transfers outside the EU/EEA), we provide the European Commission's approved SCCs as a supplement to this DPA. Contact legal@praivon.com.
Questions about this document? Contact us at legal@praivon.com