GDPR Compliance

Last updated: January 1, 2025

Really Real Work is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. This page outlines how we comply with the General Data Protection Regulation (GDPR) and describes the rights available to you as a data subject.

Our Commitment to GDPR

We recognize the importance of the GDPR and its role in protecting the fundamental rights of individuals. Our commitment extends beyond mere compliance — we strive to embed privacy-by-design and privacy-by-default principles into every aspect of our platform. We regularly review our data processing activities, update our internal policies, and train our team to ensure that personal data is handled responsibly and transparently.

We have implemented comprehensive technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, regular security assessments, access controls, and incident response procedures. Our data protection practices are documented and auditable, and we maintain records of all processing activities as required by Article 30 of the GDPR.

Data Controller Information

For the purposes of the GDPR, the data controller responsible for your personal data is:

Really Real Work

548 Market Street, Suite 35000

San Francisco, CA 94104, United States

Email: [email protected]

Phone: +1 (555) 123-4567

As the data controller, we determine the purposes and means of processing your personal data. We are responsible for ensuring that your data is processed in compliance with the GDPR and for responding to any requests you may have regarding your data.

Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases depending on the specific processing activity:

  • Consent (Article 6(1)(a)): Where you have given clear and explicit consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter or opting into our model improvement program.
  • Contractual Necessity (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you, such as creating and managing your account, processing your uploaded images, and delivering our AI enhancement services.
  • Legitimate Interest (Article 6(1)(f)): Where processing is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights. This includes fraud prevention, platform security, service improvement through anonymized analytics, and responding to support requests.
  • Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation, such as maintaining records for tax and accounting purposes or responding to lawful requests from public authorities.

Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

1. Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days of your request.

2. Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You can update most of your account information directly through your profile settings.

3. Right to Erasure

Also known as the "right to be forgotten," you can request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent.

4. Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain circumstances, such as when you contest the accuracy of your data or when you have objected to processing based on legitimate interests.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us.

6. Right to Object

You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds.

To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days. In certain circumstances, we may need to verify your identity before processing your request.

Data Processing Activities

The following table summarizes our key data processing activities, the types of data involved, and the applicable retention periods.

| Processing Activity | Data Categories | Retention Period |
|---|---|---|
| Account Registration | Name, email, profile image | Duration of account + 30 days |
| Image Processing | Uploaded images, processed results, metadata | Until deleted by user or account closure + 90 days |
| Payment Processing | Billing info, transaction records | 7 years (legal obligation) |
| Analytics | Usage data, IP address, browser info | 26 months (anonymized after) |
| Support Requests | Name, email, message content | 3 years from resolution |

International Data Transfers

Really Real Work is based in the United States. If you are accessing our Service from the European Economic Area (EEA), the United Kingdom, or Switzerland, please be aware that your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

To ensure adequate protection of your personal data during international transfers, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • Technical measures including encryption in transit and at rest
  • Regular assessments of the legal frameworks in recipient countries

Our key sub-processors (AWS, OpenAI, Stripe, Vercel) all maintain their own GDPR compliance programs and have entered into appropriate data processing agreements with us.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with the GDPR. You can contact our DPO for any questions or concerns related to our data processing practices or to exercise your rights:

Data Protection Officer

Really Real Work

Email: [email protected]

Phone: +1 (555) 123-4567

Complaints

If you believe that we have not complied with your data protection rights, we encourage you to first contact our Data Protection Officer at [email protected] so we can address your concerns directly. We take all complaints seriously and will work to resolve any issues promptly.

You also have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, where you work, or where the alleged infringement took place. A list of EU data protection authorities and their contact information can be found on the European Data Protection Board website.

For UK residents, you can contact the Information Commissioner's Office (ICO) at ico.org.uk.