Data Protection

GDPR Statement

Importance of data protection laws with GDPR — our commitment to protecting your privacy and personal data.


At CAOA, we are committed to protecting the privacy and personal data of our users and clients. We understand the importance of complying with data protection laws, including the General Data Protection Regulation (GDPR).

This GDPR Statement outlines how we handle and process personal data in accordance with the GDPR's principles and requirements.

Lawful Basis for Processing

We only collect and process personal data when we have a lawful basis to do so. This includes:

  • Explicit Consent — obtaining clear and informed consent from the data subject.
  • Contractual Obligation — fulfilling contractual obligations to which the data subject is a party.
  • Legal Requirements — complying with a legal obligation to which CAOA is subject.
  • Vital Interests — protecting the vital interests of the data subject or another person.
  • Public Interest — performing a task carried out in the public interest.
  • Legitimate Interests — pursuing legitimate interests that are not overridden by the rights and freedoms of the data subject.

Data Collection and Usage

We collect and process personal data for specified and legitimate purposes. We clearly communicate the purposes of data collection and obtain consent when required.

Personal data is collected only to the extent necessary for fulfilling the specified purposes and is used solely for those purposes unless further consent is obtained or required by law.

Data Minimization

We practice data minimization by limiting the collection and retention of personal data to what is necessary for the intended purposes.

We ensure that the personal data we process is relevant, accurate, and up-to-date. We do not store personal data longer than necessary or for purposes other than those specified.

Our principle: Collect only what is needed, retain only as long as required, and use only for the stated purpose.

Data Security

We have implemented appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.

We regularly assess and update our security practices to ensure the ongoing confidentiality, integrity, and availability of personal data.

  • Encryption
  • Access Controls
  • Regular Audits

Data Sharing and Third Parties

We may share personal data with trusted third-party service providers and partners who assist us in delivering our products and services. These parties are bound by contractual obligations to handle personal data in accordance with applicable data protection laws.

We do not sell, rent, or trade personal data to third parties for marketing purposes.

Data Subject Rights

We respect the rights of data subjects as defined by the GDPR. We provide mechanisms for data subjects to exercise these rights and respond promptly to such requests.

  • Right to Access
  • Right to Rectify
  • Right to Erase
  • Restrict Processing
  • Object to Processing
  • Data Portability
  • No Automated Decisions

International Data Transfers

If personal data is transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect the data. This may include:

  • Standard Contractual Clauses — implementing EU-approved standard contractual clauses.
  • Privacy Shield Framework — relying on the Privacy Shield framework where applicable.
  • Explicit Consent — obtaining explicit consent from the data subject for the transfer.

Data Breach Notification

In the event of a data breach that poses a risk to individuals' rights and freedoms, we have procedures in place to promptly detect, investigate, and mitigate the breach.

If required by law, we will notify the relevant supervisory authority and affected individuals in a timely manner following the detection of a breach.

Data Protection Officer (DPO)

We have appointed a Data Protection Officer who oversees our data protection efforts and ensures compliance with applicable laws and regulations. The DPO serves as a point of contact for data subjects and supervisory authorities regarding privacy-related matters.

Updates to the GDPR Statement

We regularly review and update our GDPR Statement to reflect any changes in our data processing activities, legal requirements, or best practices.

We encourage users and clients to review this statement periodically to stay informed about how we handle personal data.

Last Updated: June 2026

Questions About Our GDPR Practices?

At CAOA, we are committed to maintaining the highest standards of data protection and privacy. If you have any questions, concerns, or requests regarding our GDPR practices, please contact our Data Protection Officer.

Please note: This statement covers our GDPR-specific practices. For general information about our overall privacy practices, please refer to our Privacy Policy.
