GDPR Compliance | Data Protection | UpSwitch

UpSwitch is fully committed to compliance with the General Data Protection Regulation (GDPR) and protecting the privacy rights of all users within the European Union and European Economic Area.

Our GDPR Commitment

As a European M&A platform, we take data protection seriously and have implemented comprehensive measures to ensure full GDPR compliance. We process personal data lawfully, transparently, and for specific, legitimate purposes only.

Your Rights Under GDPR

Right to be Informed

You have the right to know how your personal data is collected, used, stored, and shared. This information is detailed in our Privacy Policy and data processing notices.

Right of Access

You can request a copy of the personal data we hold about you, including information about how it's processed. We'll provide this information in a commonly used electronic format.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update most information directly through your account settings.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances, such as when it's no longer necessary for the original purpose.

Right to Restrict Processing

You can request that we limit how we use your personal data in specific circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You can request that we transfer your personal data to another service provider in a structured, commonly used, and machine-readable format.

Right to Object

You can object to the processing of your personal data for direct marketing purposes or when processing is based on legitimate interests. You can opt out of marketing communications at any time.

How We Protect Your Data

Technical Measures

• End-to-end encryption for sensitive data
• Secure cloud infrastructure (AWS/Azure)
• Regular security audits and penetration testing
• Multi-factor authentication
• Automated backup and disaster recovery

Organizational Measures

• Staff training on data protection
• Data processing agreements with vendors
• Privacy by design and by default
• Regular compliance reviews
• Incident response procedures

Legal Basis for Processing

We process personal data based on one or more of the following legal bases:

• Contract: To fulfill our contractual obligations to you
• Consent: Where you have explicitly agreed to specific processing
• Legitimate Interest: For our business operations and service improvement
• Legal Obligation: To comply with applicable laws and regulations
• Vital Interest: To protect your vital interests or those of others

Data Transfers

When we transfer personal data outside the EU/EEA, we ensure adequate protection through:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Certification schemes and codes of conduct
• Binding Corporate Rules (BCRs) where applicable

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Account data: Until account deletion + 30 days
• Transaction records: 7 years (legal requirement)
• Marketing data: Until consent withdrawal + 30 days
• Support tickets: 3 years after case closure
• Analytics data: 26 months (anonymized)

Exercising Your Rights

To exercise any of your GDPR rights, you can:

Contact Our Data Protection Officer

dpo@upswitch.com

Use Your Account Settings

Access, update, or delete much of your personal data directly through your account dashboard.

Submit a Formal Request

Send us a detailed request via email. We'll respond within 30 days and may need to verify your identity for security purposes.

Complaints and Supervisory Authority

If you believe we have not complied with GDPR requirements, you have the right to:

• Contact us directly to resolve the issue
• Lodge a complaint with your local supervisory authority
• Contact the Belgian Data Protection Authority (our lead supervisory authority)

Belgian Data Protection Authority

Website: autoriteprotectiondonnees.be

Address: Rue de la Presse, 35, 1000 Brussels, Belgium

Phone: +32 (0)2 274 48 00

Updates to Our GDPR Compliance

We continuously review and update our data protection practices to ensure ongoing GDPR compliance. Any material changes will be communicated through our website and directly to affected users.

View Privacy Policy Contact DPO

Your Rights Under GDPR

Right to be Informed

You have the right to know how your personal data is collected, used, stored, and shared. This information is detailed in our Privacy Policy and data processing notices.

Right of Access

You can request a copy of the personal data we hold about you, including information about how it's processed. We'll provide this information in a commonly used electronic format.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update most information directly through your account settings.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances, such as when it's no longer necessary for the original purpose.

Right to Restrict Processing

You can request that we limit how we use your personal data in specific circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You can request that we transfer your personal data to another service provider in a structured, commonly used, and machine-readable format.

Right to Object

You can object to the processing of your personal data for direct marketing purposes or when processing is based on legitimate interests. You can opt out of marketing communications at any time.

How We Protect Your Data

Technical Measures

• End-to-end encryption for sensitive data
• Secure cloud infrastructure (AWS/Azure)
• Regular security audits and penetration testing
• Multi-factor authentication
• Automated backup and disaster recovery

Organizational Measures

• Staff training on data protection
• Data processing agreements with vendors
• Privacy by design and by default
• Regular compliance reviews
• Incident response procedures

Legal Basis for Processing

We process personal data based on one or more of the following legal bases:

• Contract: To fulfill our contractual obligations to you

• Consent: Where you have explicitly agreed to specific processing

• Legitimate Interest: For our business operations and service improvement

• Legal Obligation: To comply with applicable laws and regulations

• Vital Interest: To protect your vital interests or those of others

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Account data: Until account deletion + 30 days
• Transaction records: 7 years (legal requirement)
• Marketing data: Until consent withdrawal + 30 days
• Support tickets: 3 years after case closure
• Analytics data: 26 months (anonymized)

Exercising Your Rights

To exercise any of your GDPR rights, you can:

Contact Our Data Protection Officer

dpo@upswitch.com

Use Your Account Settings

Access, update, or delete much of your personal data directly through your account dashboard.

Submit a Formal Request

Send us a detailed request via email. We'll respond within 30 days and may need to verify your identity for security purposes.

Complaints and Supervisory Authority

If you believe we have not complied with GDPR requirements, you have the right to:

• Contact us directly to resolve the issue

• Lodge a complaint with your local supervisory authority

• Contact the Belgian Data Protection Authority (our lead supervisory authority)

Belgian Data Protection Authority

Website: autoriteprotectiondonnees.be

Address: Rue de la Presse, 35, 1000 Brussels, Belgium

Phone: +32 (0)2 274 48 00