GDPR Compliance
Last updated: January 1, 2025
Our Commitment to GDPR
ContextX is fully committed to complying with the General Data Protection Regulation (GDPR). Our zero-knowledge architecture goes beyond GDPR requirements: not only do we protect your data, we literally cannot access it without your explicit consent and action.
Your Rights Under GDPR
As an EU resident, you have the following rights:
Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise: Go to Dashboard → Settings → Export Data
Right to Rectification (Article 16)
You can correct inaccurate personal data.
How to exercise: Edit your profile in Dashboard → Settings → Profile
Right to Erasure (Article 17)
You can request deletion of all your personal data (the "right to be forgotten").
How to exercise: Go to Dashboard → Settings → Delete Account
Right to Data Portability (Article 20)
You can receive your data in a structured, commonly used, machine-readable format.
How to exercise: Export to JSON/CSV via Dashboard → Settings → Export Data
Right to Object (Article 21)
You can object to processing of your data for certain purposes.
How to exercise: Opt out of Marketplace in Dashboard → Earnings → Settings
Right to Restrict Processing (Article 18)
You can request we limit how we use your data.
How to exercise: Contact us at privacy@contextx.ai
Legal Basis for Processing
We process your data under the following legal bases:
- Contract performance - To provide the ContextX service you signed up for
- Consent - For optional features like the Data Marketplace
- Legitimate interests - For security, fraud prevention, and service improvement
- Legal obligation - When required by law
Data Processing
Data Controller
ContextX, Inc. is the data controller for personal data collected through our services.
Data Processors
We use the following sub-processors, all of which are GDPR compliant:
| Processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication | US (SCCs) |
| Railway | Infrastructure | US (SCCs) |
| Cloudflare | Storage (encrypted) | EU/US |
| Stripe | Payments | US (SCCs) |
| PostHog | Analytics | EU |
SCCs = Standard Contractual Clauses for international data transfers
International Data Transfers
While some of our processors are based in the United States, we ensure GDPR compliance through:
- Standard Contractual Clauses (SCCs) with all US-based processors
- Zero-knowledge encryption that protects your data regardless of storage location
- EU-based analytics with PostHog
- Regular assessment of processor compliance
Data Retention
We retain your data only as long as necessary:
- Account data: Until you delete your account
- Connected data: Until you disconnect the source or delete your account
- Payment records: 7 years (legal requirement)
- Audit logs: 2 years
- Post-deletion: All data permanently deleted within 30 days
Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer:
Email: dpo@contextx.ai
Response time: Within 30 days
Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. For EU residents, you can find your local authority at edpb.europa.eu.