Data Protection

This Data Protection Policy explains how Pristren processes personal data in compliance with the General Data Protection Regulation (GDPR) and applicable national data protection laws. It supplements our Privacy Policy and provides a more detailed view of our legal bases, data subject rights, and organisational safeguards.

1. Data Controller

Pristren is the Data Controller for all personal data processed through the Zlyqor platform. As Data Controller, Pristren determines the purposes and means of processing your personal data and is responsible for ensuring that processing is lawful, fair, and transparent. For data protection enquiries, contact our Data Protection Officer at dpo@zlyqor.com.

2. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

• Contractual necessity (Art. 6(1)(b)): processing necessary to provide the Service you signed up for, including account management, project functionality, and time tracking
• Legitimate interest (Art. 6(1)(f)): to improve the Service, prevent fraud, ensure security, and send service-related communications — subject to your right to object
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws including tax, financial, and data retention regulations
• Consent (Art. 6(1)(a)): for optional analytics and marketing communications — you may withdraw consent at any time without affecting the lawfulness of prior processing

3. Data Subject Rights

Under GDPR, you have the following rights with respect to your personal data:

• Right of Access (Art. 15): obtain a copy of all personal data we hold about you
• Right to Rectification (Art. 16): request correction of inaccurate or incomplete personal data
• Right to Erasure (Art. 17): request deletion of your personal data — the "right to be forgotten"
• Right to Data Portability (Art. 20): receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller
• Right to Object (Art. 21): object to processing based on legitimate interest or for direct marketing
• Right to Restrict Processing (Art. 18): request that we limit how we process your data in certain circumstances

To exercise any of these rights, submit a request to privacy@zlyqor.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., the ICO in the UK or your local DPA in the EU) if you believe your data protection rights have been violated.

4. Data Transfers

Zlyqor is hosted on servers located within the European Economic Area (EEA). We prefer EEA-based infrastructure for all primary data storage and processing. Where any personal data is transferred outside the EEA — for example, to a US-based sub-processor — we ensure appropriate safeguards are in place via Standard Contractual Clauses (SCCs) as approved by the European Commission (Art. 46(2)(c) GDPR), or via other approved transfer mechanisms such as adequacy decisions.

5. Sub-Processors

We use a limited number of trusted third-party service providers (sub-processors) who process personal data on our behalf. Key categories include: cloud infrastructure and hosting, transactional email delivery, and payment processing. All sub-processors have signed Data Processing Agreements (DPAs) and are bound by data protection obligations equivalent to our own. We assess sub-processors for security and compliance before onboarding them and review existing agreements periodically. You may request an up-to-date list of our sub-processors by contacting dpo@zlyqor.com.

6. Data Retention Schedule

We retain personal data only for as long as necessary for the stated purpose:

• User account data: retained for the lifetime of your account, then deleted within 30 days of account closure
• Audit logs: 12 months from the date of the event
• Backup snapshots: rotated on a 90-day cycle
• Payment records: 7 years (required by financial and tax regulations)
• Customer support tickets: 3 years

When a retention period expires, data is permanently deleted or irreversibly anonymised.

7. Breach Notification

In the event of a personal data breach, we follow the notification obligations set out in GDPR Articles 33 and 34. We will notify the competent supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. If the breach poses a high risk to affected individuals, we will notify them directly without undue delay, including information about the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or intend to take to address it.

8. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR and applicable data protection law. The DPO is the primary point of contact for all data protection matters, including exercising your data subject rights, filing complaints, and raising questions about our processing activities. You can reach the DPO directly at dpo@zlyqor.com.