Last updated: May 13, 2026
GDPR Compliance
PantoSource ("Company," "we," "us," or "our") is committed to protecting the personal data of individuals in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. This page summarizes how we comply with the General Data Protection Regulation (GDPR), the UK GDPR, and related laws.
Quick Summary
Our role: PantoSource acts as a data processor for our Customers; Customers are the data controllers.
Legal bases: We rely on contractual necessity, consent, legitimate interests, and legal obligations.
Data subject rights: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
International transfers: We use Standard Contractual Clauses (SCCs) for transfers to the United States.
DPA available: Customers can request a Data Processing Agreement at privacy@pantosource.com.
Our Role Under GDPR
1.1 Controller vs. Processor
The GDPR distinguishes between two roles:
Controller: The entity that determines the purposes and means of processing personal data.
Processor: The entity that processes personal data on behalf of the controller.
PantoSource generally acts as:
Processor when our Customers (e-commerce merchants) use our Services to process data about their end-users (website visitors, customers, leads). The Customer is the controller in this scenario.
Controller when we collect data directly from individuals interacting with us (e.g., when you sign up for a PantoSource account, contact our support, or visit pantosource.com).
Lawful Bases for Processing
Under GDPR Article 6, we rely on the following lawful bases for processing personal data:
Contractual Necessity (Article 6(1)(b)): To provide and maintain the Services you have subscribed to.
Legitimate Interests (Article 6(1)(f)): For fraud prevention, security, analytics, and business improvement, balanced against your rights and freedoms.
Consent (Article 6(1)(a)): For non-essential cookies, direct marketing communications, and other activities where consent is required.
Legal Obligations (Article 6(1)(c)): For compliance with applicable laws, including tax, accounting, and lawful requests from authorities.
Data Subject Rights
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:
Right of Access (Article 15): Receive a copy of your personal data and information about how it is processed.
Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
Right to Restriction of Processing (Article 18): Limit how your data is processed in certain circumstances.
Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format.
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent (Article 7): Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise these rights, please visit https://pantosource.com/dsar-opt-out or email privacy@pantosource.com.
3.1 End-Users vs. PantoSource Customers
If you are an end-user of a website that uses PantoSource (rather than a direct PantoSource Customer), please contact the website owner first. They act as the data controller and are responsible for responding to your request. PantoSource will assist them as a processor.
International Data Transfers
4.1 Where Your Data Is Processed
PantoSource processes personal data primarily in the United States.
4.2 Transfer Mechanisms
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), Module Two (Controller to Processor), and equivalent mechanisms for UK and Swiss transfers.
4.3 Supplementary Measures
In addition to SCCs, we implement supplementary safeguards including:
Encryption of personal data in transit and at rest
Strict access controls and authentication
Contractual obligations on Sub-processors
Regular review of legal and regulatory requirements
Data Processing Agreement (DPA)
Customers processing personal data of EU, UK, or Swiss residents through our Services can enter into our Data Processing Agreement (DPA), which sets out the parties' responsibilities under GDPR Article 28.
To request our DPA, email privacy@pantosource.com with the subject line "DPA Request," or visit https://pantosource.com/dpa.
Sub-processors
A current list of our Sub-processors, including their location and purpose, is available at https://pantosource.com/sub-processors. Customers can subscribe to notifications of changes through that page.
Security
We implement appropriate technical and organizational measures to protect personal data, as described on our Security page at https://pantosource.com/security. This includes encryption, access controls, monitoring, and incident response procedures.
In the event of a personal data breach, we will notify affected Customers within seventy-two (72) hours, in accordance with GDPR Article 33.
Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. See our Privacy Policy at https://pantosource.com/privacy-policy for retention periods.
Children's Data
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data about a minor, please contact privacy@pantosource.com.
Customer Responsibilities
If you are a PantoSource Customer using our Services to process personal data of EU/UK/Swiss residents, you are the data controller and have responsibilities under GDPR, including:
Obtaining a lawful basis (typically consent) for processing
Providing clear privacy notices to your end-users
Implementing appropriate consent mechanisms (cookie banners, opt-in checkboxes)
Responding to data subject requests
Notifying your end-users of breaches affecting their data
PantoSource provides tools and support to help you meet these obligations but cannot fulfill them on your behalf.
EU Representative
PantoSource currently does not maintain an EU-based representative under GDPR Article 27. If you are an EU resident and wish to exercise your rights, please contact privacy@pantosource.com directly.
Contact
For GDPR-related inquiries:
Address: 2333 Brickell Ave D1 #36, Miami, FL 33129
Email: privacy@pantosource.com
Disclaimer
This page is provided for informational purposes and does not constitute legal advice. For specific legal questions about your rights under GDPR, please consult a qualified attorney.