GDPR Compliance

Last updated: July 22, 2025

1. Overview

The General Data Protection Regulation (GDPR), effective May 25, 2018, is a European Union regulation designed to protect the personal data and privacy of EU residents. It applies to any organization processing personal data of individuals in the EU, regardless of the organization’s location.

Postly Technologies, Inc. ("Onu," "we," "us," or "our") is committed to full compliance with GDPR for our Services, including the Onu app and website (heyonu.com). This page outlines how we align with GDPR principles, including transparency, accountability, and data subject rights.

2. What is GDPR?

The GDPR establishes strict rules for how personal data is collected, processed, stored, and shared. Its key principles include:

  • Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and clear to users.
  • Purpose Limitation: Data is collected for specific, legitimate purposes.
  • Data Minimization: Only necessary data is collected.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage Limitation: Data is retained only as long as needed.
  • Integrity and Confidentiality: Data is protected with appropriate security measures.
  • Accountability: Organizations must demonstrate compliance.

3. Who Does GDPR Apply To?

GDPR applies to:

  • Organizations based in the EU that process personal data.
  • Organizations outside the EU that offer goods or services to EU residents or monitor their behavior (e.g., through analytics or tracking).

As Onu serves EU users, we comply with GDPR for all personal data processing, regardless of our U.S.-based operations.

4. Lawful Bases for Processing

We process personal data under the following GDPR-compliant lawful bases:

  • Consent: We obtain your explicit consent for processing sensitive data, such as voice recordings or financial data via APIs (e.g., Plaid).
  • Contract: Processing is necessary to fulfill our contract with you, such as providing app functionality or financial insights.
  • Legitimate Interests: We process data for purposes like improving the Services or ensuring security, where these interests do not override your rights.
  • Legal Obligation: We may process data to comply with legal requirements, such as tax reporting or responding to authorities.

You can withdraw consent at any time via app settings or by contacting us at Email us.

5. Your Data Subject Rights

Under GDPR, EU residents have the following rights regarding their personal data:

  • Right to Access: Request a copy of your personal data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data ("right to be forgotten").
  • Right to Restriction: Limit processing of your data in certain cases.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to data processing based on legitimate interests or for marketing.
  • Right to Withdraw Consent: Revoke consent for data processing at any time.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, contact us at Email us. We will respond within 30 days, as required by GDPR.

6. Data Protection by Design and Default

We embed privacy into our Services through:

  • Data Minimization: Collecting only the data necessary for specific purposes (e.g., name, email, voice recordings for functionality).
  • Encryption: Using TLS 1.3 for data in transit and AES-256 for data at rest.
  • Access Controls: Implementing Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) for internal systems.
  • Transparency: Providing clear information in our Privacy Policy and Terms of Service.
  • Regular Audits: Conducting independent security audits and Data Protection Impact Assessments (DPIAs) for high-risk processing.

7. Data Security

We implement robust security measures to protect your personal data, including:

  • End-to-end encryption for voice and financial data.
  • Secure third-party integrations (e.g., Plaid, AWS SES).
  • Regular penetration testing and vulnerability scans.
  • 24/7 monitoring by our Security Operations Center (SOC).
  • Compliance with SOC 2 Type II standards for security and confidentiality.

While we strive to ensure security, no system is infallible. We recommend enabling MFA and using strong passwords to enhance your account protection.

8. Third-Party Compliance

We work with trusted third-party providers (e.g., Plaid for financial data, Google Cloud for hosting) that comply with GDPR. These providers act as data processors and are bound by Data Processing Agreements (DPAs) that ensure:

  • Processing only as instructed by us.
  • Implementing appropriate technical and organizational measures.
  • Assisting with GDPR obligations, such as data subject requests.

For details, see third-party privacy policies, such as Plaid’s Privacy Policy.

9. International Data Transfers

As a U.S.-based company, we process and store data in the United States. For EU residents, this involves international data transfers. We ensure compliance with GDPR through:

  • Standard Contractual Clauses (SCCs): Legally binding agreements to safeguard data transferred outside the EU.
  • Supplementary Measures: Additional encryption and anonymization to enhance data protection.
  • Transparency: Clear notice of data transfers in our Privacy Policy.

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance. You can contact our DPO at:

📧 [email protected]

11. Complaints

If you believe your GDPR rights have been violated, you may lodge a complaint with us at Email us. You also have the right to file a complaint with your local data protection authority, such as:

  • European Data Protection Supervisor (EDPS): For EU-wide issues.
  • National Data Protection Authorities: Contact the authority in your EU country (e.g., CNIL in France, ICO in the UK).

A list of EU data protection authorities is available at edpb.europa.eu.

12. Contact Us

For questions about GDPR compliance or how we handle your data, please contact us:

📧 Email us

🌐 https://heyonu.com