GDPR Policy
Last updated: February 28, 2026
1. Overview
InsightEdit is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR. This policy explains how we handle personal data of individuals in the European Economic Area (EEA) and the United Kingdom, in addition to our general Privacy Policy.
2. Data Controller
InsightEdit acts as the data controller for personal data collected through insightedit.com. For data processing enquiries, contact our Data Protection Officer at [email protected].
3. Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6 to process your personal data:
Contractual necessity – to provide the Service you have signed up for (e.g. account management, payment processing).
Legitimate interests – to improve our Service, prevent fraud, and ensure security, where those interests are not overridden by your rights.
Consent – for marketing emails and non-essential cookies. You may withdraw consent at any time.
Legal obligation – where processing is required to comply with applicable law.
4. Your Rights Under GDPR
As an EEA or UK data subject, you have the following rights:
Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction (Art. 18): Request that we restrict processing of your personal data in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
Right not to be subject to automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce significant legal or similar effects.
To exercise any of these rights, submit a request to [email protected]. We will respond within 30 days.
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside the EEA, including the United States, where our infrastructure providers (e.g. Supabase, Stripe) operate. Where we transfer data outside the EEA, we put in place appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR), to ensure your data receives an adequate level of protection.
6. Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all sub-processors that handle personal data on our behalf. A list of current sub-processors is available on request at [email protected].
7. Data Breach Notification
In the event of a personal data breach, InsightEdit will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR. Affected individuals will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. In general, account data is deleted within 90 days of account closure.
9. Supervisory Authority
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find contact details for your national authority at ec.europa.eu/justice/data-protection/. In the UK, the supervisory authority is the ICO (ico.org.uk).
10. Contact
Data Protection Officer: [email protected]
General privacy enquiries: [email protected]