GDPR Privacy Statement

Effective Date: January 1, 2025

Last Updated: August 26, 2025

Introduction

This GDPR Privacy Statement supplements our main Privacy Policy and specifically addresses the rights and protections afforded to individuals in the European Union (EU) and European Economic Area (EEA) under the General Data Protection Regulation (GDPR).

If you are located in the EU/EEA, this statement outlines your specific rights regarding your personal data and how Nuvarez LLC (“we,” “us,” or “our”) processes your information in compliance with GDPR requirements.

Legal Basis for Processing Personal Data

Under the GDPR, we process your personal data only when we have a valid legal basis. Our processing activities are based on:

Article 6(1)(a) – Consent

When you have given explicit consent for specific processing activities, such as:

  • Marketing communications
  • Optional data collection through forms
  • Non-essential cookies and tracking

Article 6(1)(b) – Contract Performance

When processing is necessary for:

  • Fulfilling our consulting services agreement
  • Pre-contractual steps taken at your request
  • Client onboarding and service delivery

Article 6(1)(c) – Legal Obligation

When we must process data to comply with:

  • Financial record-keeping requirements
  • Anti-money laundering regulations
  • Tax and audit obligations
  • Legal discovery requests

Article 6(1)(f) – Legitimate Interests

When we have legitimate business interests that are not overridden by your rights, including:

  • Website security and fraud prevention
  • Business development and marketing to existing clients
  • Internal analytics and service improvement
  • Direct marketing to business contacts (B2B)

We conduct balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.

Your Rights Under GDPR

As an EU/EEA data subject, you have the following rights:

Right of Access (Article 15)

You can request:

  • Confirmation that we process your personal data
  • Access to your personal data
  • Information about how we process your data
  • A copy of your personal data in a commonly used format

Right of Rectification (Article 16)

You can request correction of:

  • Inaccurate personal data
  • Incomplete personal data

Right of Erasure/“Right to be Forgotten” (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and no other legal basis exists
  • You object to processing and no overriding legitimate grounds exist
  • The data has been unlawfully processed
  • Deletion is required for legal compliance

Note: This right may be limited by legal retention requirements or other lawful grounds for continued processing.

Right to Restrict Processing (Article 18)

You can request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you require it for legal claims
  • You object to processing pending verification of legitimate grounds

Right to Data Portability (Article 20)

When processing is based on consent or contract and carried out by automated means, you can request:

  • Your personal data in a structured, commonly used, machine-readable format
  • Direct transmission of your data to another controller (where technically feasible)

Right to Object (Article 21)

You can object to processing based on:

  • Legitimate interests: You can object at any time, and we must stop unless we demonstrate compelling legitimate grounds
  • Direct marketing: You can object at any time, and we will stop immediately
  • Profiling: Related to direct marketing activities

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.

Exercising Your Rights

How to Submit Requests

To exercise your GDPR rights, contact us using:

  • Email: gdpr@nuvarez.com
  • Subject Line: “GDPR Data Subject Request”
  • Include: Your full name, email address, and specific request details

Verification Process

To protect your privacy, we may request additional information to verify your identity before processing your request.

Response Timeframes

We will respond to your request:

  • Within 1 month of receiving a valid request
  • Extended to 3 months for complex requests (with notification of delay and reasons)
  • Free of charge unless requests are manifestly unfounded or excessive

Right to Lodge a Complaint

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

Data Transfers Outside the EU/EEA

When we transfer your personal data outside the EU/EEA, we ensure adequate protection through:

Adequacy Decisions

We may transfer data to countries that have received an adequacy decision from the European Commission, including:

  • Countries deemed to provide adequate protection
  • [List specific countries if applicable to your operations]

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use:

  • European Commission-approved Standard Contractual Clauses
  • Additional safeguards as required by regulatory guidance
  • Regular monitoring of data protection levels in destination countries

Other Safeguards

Where applicable, we may also rely on:

  • Binding Corporate Rules (BCRs)
  • Certification schemes
  • Codes of conduct
  • Other lawful transfer mechanisms

Special Categories of Personal Data

We do not intentionally collect special categories of personal data (sensitive data) such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Data concerning sex life or sexual orientation

If we inadvertently receive such data, we will delete it unless you provide explicit consent for processing or another GDPR exemption applies.

Data Protection by Design and by Default

We implement data protection principles throughout our operations:

Technical Measures

  • Encryption of personal data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and penetration testing
  • Automated data retention and deletion systems

Organizational Measures

  • Privacy impact assessments for new processing activities
  • Staff training on GDPR compliance
  • Data protection policies and procedures
  • Regular compliance audits and reviews

Data Minimization

We collect and process only the personal data that is:

  • Necessary for the specified purpose
  • Relevant and limited to what is needed
  • Accurate and kept up to date
  • Retained only as long as necessary

Data Protection Officer (DPO)

Our Data Protection Officer oversees GDPR compliance and can be contacted at:

  • Email: dpo@nuvarez.com
  • Role: Privacy oversight, data subject rights, regulatory liaison
  • Availability: Monday-Friday, 9 AM – 5 PM CET

Cookies and Consent Management

For EU/EEA visitors, we implement:

  • Cookie consent banners with clear options
  • Granular consent for different cookie categories
  • Easy mechanisms for withdrawing consent
  • Cookie preference centers for ongoing management

Record of Processing Activities

In compliance with Article 30 GDPR, we maintain detailed records of our processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of personal data
  • International transfers
  • Retention periods
  • Security measures

These records are available to supervisory authorities upon request.

Data Breach Notification

In the event of a personal data breach:

  • Supervisory Authority: Notified within 72 hours when feasible
  • Data Subjects: Notified without undue delay if high risk to rights and freedoms
  • Documentation: Comprehensive breach records maintained
  • Mitigation: Immediate steps taken to contain and remedy breaches

Updates to This Statement

We will update this GDPR statement as needed to reflect:

  • Changes in data processing activities
  • Regulatory guidance and requirements
  • Technological developments
  • Organizational changes

Material changes will be communicated through:

  • Email notification to registered users
  • Prominent website notices
  • Updated effective dates

Contact Information

GDPR-Specific Inquiries

Primary Contact: gdpr@nuvarez.com
Data Protection Officer: dpo@nuvarez.com
Phone: [Insert EU Contact Number]

EU Representative (if applicable)

If required under GDPR Article 27: [Insert EU Representative Details]

Postal Address

Nuvarez LLC
Attn: GDPR Compliance
[Insert Address]

Document Control

  • Document ID: NUV-GDPR-001
  • Version: 1.0
  • Owner: Data Protection Officer
  • Next Review Date: [Insert Date]
  • Approved by: [Legal Counsel/DPO]