GDPR & CCPA Compliance

Our Commitment

Algorithmic processes personal data in accordance with the General Data Protection Regulation (EU 2016/679) and the California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.). We act as both a data controller for our own business operations and as a data processor on behalf of clients whose engagements involve the handling of personal data.

We maintain comprehensive records of processing activities, conduct regular data protection impact assessments, and have appointed a designated point of contact for all privacy-related inquiries.

Lawful Basis for Processing (GDPR)

Under the GDPR, we process personal data only when we have a lawful basis to do so. The bases we rely on include consent (where you have explicitly opted in to receiving communications), contractual necessity (where processing is required to perform a contract with you or to take steps at your request before entering into a contract), legitimate interests (where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights), and legal obligation (where processing is required to comply with applicable law).

We document the lawful basis for each category of processing activity and review these assessments annually to ensure continued compliance.

Individual Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data: the right of access to obtain confirmation of whether we process your personal data and to receive a copy of that data, the right to rectification to have inaccurate data corrected, the right to erasure to request deletion of your personal data under certain circumstances, the right to restrict processing in specific situations, the right to data portability to receive your data in a structured and machine-readable format, the right to object to processing based on legitimate interests or for direct marketing purposes, and rights related to automated decision-making including the right not to be subject to decisions based solely on automated processing.

We will respond to all valid requests within 30 days. In exceptional circumstances, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

Consumer Rights Under CCPA

If you are a California resident, the CCPA grants you the following rights: the right to know what personal information we collect, use, disclose, and sell, the right to delete personal information we have collected from you, the right to opt out of the sale of your personal information, and the right to non-discrimination for exercising your CCPA rights. Algorithmic does not sell personal information as defined by the CCPA.

You may designate an authorized agent to submit requests on your behalf. We will verify the identity of the authorized agent and may require additional documentation to process the request. We will respond to verified requests within 45 days.

International Data Transfers

Algorithmic operates globally with team members across multiple jurisdictions. When personal data is transferred outside of the European Economic Area, we ensure adequate protections are in place through Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement where applicable, or transfer to countries that have received an adequacy decision from the European Commission.

We regularly review our data transfer mechanisms to ensure they remain compliant with evolving regulatory guidance and court decisions.

Data Processing Agreements

When Algorithmic acts as a data processor on behalf of clients, we enter into Data Processing Agreements that specify the nature and purpose of processing, the types of personal data processed, the duration of processing, and the obligations and rights of both the controller and the processor. These agreements include commitments regarding sub-processor management, data breach notification, data return and deletion, and audit rights.

We maintain a current list of sub-processors and notify our clients in advance of any intended changes to that list, providing them with the opportunity to object.

Data Breach Response

Algorithmic maintains an incident response plan for potential data breaches. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

For breaches involving data processed on behalf of clients, we will notify the client without undue delay after becoming aware of the breach, providing sufficient information to enable them to fulfill their own notification obligations.

Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of personal data in transit and at rest, regular testing and evaluation of the effectiveness of our security measures, access controls that limit data access to authorized personnel on a need-to-know basis, regular security training for all team members, and documented processes for ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.

Submitting a Request

To exercise any of your rights under the GDPR or CCPA, or to ask questions about our data protection practices, please contact us at info@algorithmic.co. Include "Data Protection Request" in the subject line. We may need to verify your identity before processing your request. Verification may require you to provide additional information such as your name and email address associated with our records.

If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.