GDPR Rights
Overview
This page summarizes the rights you have under the privacy laws that apply to you, and how to exercise them with ONC Inc. ("REST Countries"). It complements the Privacy Policy; that document explains what we collect and why, while this page focuses on what you can do about it.
EU, EEA, UK, and Switzerland (GDPR)
If you're located in the EU, the European Economic Area (Iceland, Liechtenstein, Norway), the United Kingdom, or Switzerland, you have the rights set out below under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP) respectively. The same rights are described in our Privacy Policy and our Data Processing Agreement.
1. Right of access
You can request a copy of every piece of personal data we hold about you, along with information about how we use it, who we share it with, how long we keep it, and the legal basis for processing. Most of this is available directly in your account dashboard via the data-export feature; for anything beyond that, contact support.
2. Right to rectification
If your personal data is inaccurate or incomplete, you can correct it directly from your account settings (name, email, billing details, timezone) or via support for anything else. We pass the correction on to relevant sub-processors where applicable.
3. Right to erasure ("right to be forgotten")
You can delete your account at any time from your account settings. On deletion, all personal data is purged from production systems within thirty (30) days. Encrypted backups age out within ninety (90) days of the underlying record being deleted. We may retain a limited subset (typically invoices and account-closure metadata) for the period required by tax law; that retention is itself anonymized where possible.
4. Right to restriction of processing
You can ask us to pause processing your data while a complaint, correction, or objection is investigated. Contact support with the request and any relevant context. While restriction is in force we will store your data but not actively use it (except where law requires).
5. Right to data portability
You can export your account data and request logs in a machine-readable format (JSON) from your account settings, or request a one-time export by contacting support. We aim to support direct controller-to-controller transmission where technically feasible.
6. Right to object
You can object to processing based on our legitimate interests at any time. Since we don't use your data for marketing, profiling, or advertising, in practice this rarely applies, but the right is yours to invoke and we'll honour any valid objection unless we have compelling legitimate grounds that override it.
7. Right to withdraw consent
Where processing is based on your consent (e.g. optional product-update emails), you can withdraw that consent at any time from your account settings or by following the unsubscribe link in any email. Withdrawing consent doesn't affect the lawfulness of processing carried out beforehand.
8. Right not to be subject to automated decision-making
We don't make automated decisions with legal or similarly significant effects on you. Rate-limiting, plan-quota enforcement, and abuse signals are operational controls (not legal decisions about you), and you can always reach a human via support if you believe one has been mis-applied.
9. Right to lodge a complaint with a supervisory authority
You have the right to complain to your local supervisory authority. We'd appreciate the chance to address your concerns first, but you don't have to come to us first. Common starting points:
- Ireland: Data Protection Commission (DPC).
- United Kingdom: Information Commissioner's Office (ICO).
- France: Commission Nationale de l'Informatique et des Libertés (CNIL).
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), or your state DPA.
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC).
For other jurisdictions, the European Data Protection Board maintains a directory of national authorities.
Canada (PIPEDA, provincial laws)
REST Countries is a Canadian company, so Canadian privacy law applies to everyone whose personal data we process, alongside any other regime that applies to you. The federal framework is the Personal Information Protection and Electronic Documents Act (PIPEDA), with provincial laws taking precedence in Quebec, Alberta, and British Columbia.
10. Access and correction
You have the right to know whether we hold personal information about you, what it is, how we use it, and to whom we have disclosed it; and the right to challenge the accuracy and completeness of that information and have it amended as appropriate. Most of this is available directly in your account dashboard; for anything beyond that, contact support. We respond within thirty (30) days.
11. Withdrawal of consent
You can withdraw consent for any processing based on consent, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent for processing that's necessary to deliver the Service may end your access to it.
12. Quebec residents (Law 25)
If you are a Quebec resident, you additionally have the right to data portability, the right to know about and contest decisions made exclusively by automated processing (we don't make any), and the right to be informed of cross-border transfers and the protections in place. Quebec residents may direct complaints to the Commission d'accès à l'information du Québec.
13. Alberta and British Columbia (PIPA)
Alberta and BC residents have rights substantially equivalent to PIPEDA's, exercised through the same mechanisms above. Complaints may be directed to the Office of the Information and Privacy Commissioner of Alberta or of British Columbia, respectively.
14. Federal complaints (rest of Canada)
For all other provinces, complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC). As above, we'd appreciate the chance to resolve concerns first, but you don't have to come to us first.
Other jurisdictions
15. California (CCPA / CPRA)
California residents have the right to know what personal information we collect, why, and with whom we share it; the right to delete; the right to correct; the right to portability; and the right to limit the use and disclosure of sensitive personal information. We don't "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA, so opting out of sale or sharing has no effect, but the right is yours and you can confirm by submitting a request via support.
16. Brazil (LGPD), Australia (Privacy Act), and others
We honour equivalent rights under any comprehensive privacy regime that applies to you. Contact support with the regime and the right you'd like to invoke; we'll route it appropriately.
How requests work
17. How long we'll take
We respond to all rights requests within thirty (30) days. For complex or high-volume requests we may extend by an additional sixty (60) days, with notice of the extension within the original thirty-day window. Where the law sets a tighter timeline, we follow that.
18. Identity verification
To protect your data, we'll verify your identity (typically by sending a confirmation link to the email on file) before fulfilling any rights request. For more sensitive requests we may ask for additional information; we ask for the minimum necessary and delete the verification material afterwards.
19. Authorized representatives
You can authorize someone to make a request on your behalf. We'll typically need a written authorization from you and proof of the representative's identity. Where applicable law specifies a particular authorization mechanism, we follow it.
20. No retaliation
We will not retaliate against you for exercising any privacy right by closing your account, degrading the Service, raising your price, or taking any other adverse action. Where applicable law requires a non-retaliation statement (e.g. CCPA/CPRA), this serves as that statement.
Contact
Contact our privacy team with the right you'd like to invoke and any context that helps us locate your records. We aim to acknowledge every privacy enquiry within five (5) business days.