DPP Studio

GDPR Compliance

Last updated: 2026-03-09

Our Commitment to GDPR

DPP Studio is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). As a platform designed for EU regulatory compliance (ESPR), data protection is at the core of our architecture and operations.

ARCHIGENIUS, UNIPESSOAL LDA
NIF: 519232526
Rua Elias Garcia, 45, 3.º Dto Frente
4430-091 Mafamude, Vila Nova de Gaia, Portugal
Email: support@archigenius.ai

EU Data Residency

All customer data is stored and processed within the European Union:

  • Database & authentication: Supabase (Frankfurt, Germany)
  • Application hosting: Vercel (EU edge network)
  • Backups: encrypted, retained within the EU

Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the DPP Studio service
  • Legitimate interest (Art. 6(1)(f)) — platform analytics, security monitoring
  • Legal obligation (Art. 6(1)(c)) — ESPR record-keeping, tax compliance
  • Consent (Art. 6(1)(a)) — optional marketing communications

Sub-Processors

We use the following sub-processors, all with appropriate Data Processing Agreements (DPA):

Processor   Purpose                   Location
Supabase    Database, auth, storage   EU (Frankfurt)
Vercel      Hosting, edge functions   EU
Stripe      Payment processing        EU/US (SCC)
Resend      Transactional emails      US (SCC)

Data Subject Rights

Under GDPR Articles 15–22, you have the following rights:

  • Access (Art. 15) — Request a copy of all personal data we hold about you
  • Rectification (Art. 16) — Correct any inaccurate personal data
  • Erasure (Art. 17) — Request deletion of your personal data (subject to legal retention requirements)
  • Restriction (Art. 18) — Restrict processing of your data while a dispute is resolved
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON/CSV)
  • Objection (Art. 21) — Object to processing based on legitimate interest

To exercise any right, email support@archigenius.ai. We respond within 30 days as required by GDPR.

Security Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row Level Security (RLS) for multi-tenant data isolation
  • Immutable audit logs for all data changes
  • Automated encrypted backups with point-in-time recovery

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority (CNPD) within 72 hours as required by GDPR Article 33. Affected users will be notified without undue delay if the breach poses a high risk to their rights and freedoms.

Data Protection Contact

For any data protection questions, requests, or complaints, contact us at:
support@archigenius.ai

Supervisory Authority

You have the right to lodge a complaint with the Portuguese data protection authority:

CNPD — Comissão Nacional de Proteção de Dados
www.cnpd.pt