GDPR Compliance
Last updated: 2 April 2026
EloDtx is built with privacy at its core. We are fully committed to compliance with the EU General Data Protection Regulation (GDPR) and extend equivalent protections to all users regardless of location. This page outlines how we meet our obligations under GDPR.
Our Role as Data Controller & Processor
- Data Controller — for data collected through our website, waitlist, and direct customer relationships.
- Data Processor — when processing end-user data on behalf of our platform customers (B2B API clients). In this capacity, we act strictly under the instructions of the data controller (our customer).
Lawful Basis for Processing
| Purpose | Lawful Basis |
|---|---|
| Delivering the EloDtx platform | Contractual necessity |
| Billing and invoicing | Contractual necessity |
| Platform security and fraud prevention | Legitimate interest |
| Anonymised model training | Legitimate interest |
| Proximity / location features | Explicit consent |
| Marketing communications | Consent |
| Legal and regulatory compliance | Legal obligation |
Your Rights Under GDPR
As a data subject, you have the following rights. We respond to all requests within 30 days.
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Correct inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data.
Right to Restrict Processing
Limit how we process your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interest.
Right to Withdraw Consent
Withdraw consent at any time for consent-based processing.
Right to Lodge a Complaint
File a complaint with your local supervisory authority.
Data Processing Agreements
All EloDtx customers on paid plans receive a GDPR-compliant Data Processing Agreement (DPA) as part of their subscription. The DPA covers the scope of processing, security measures, sub-processor obligations, and breach notification procedures. Enterprise customers may request a custom DPA.
Sub-processors
We use a limited number of sub-processors to deliver the platform. All sub-processors are bound by data processing agreements that meet GDPR requirements.
| Provider | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Infrastructure & compute | EU / UK |
| Payment processor | Billing & subscriptions | EU |
| Transactional email provider | Service notifications | EU |
International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure protection through EU Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms. Mauritius is recognised for having comprehensive data protection legislation under the Data Protection Act 2017.
Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Affected data subjects will be notified without undue delay where the breach poses a high risk to their rights and freedoms.
Privacy by Design
GDPR’s principles are embedded in our architecture:
- Data minimisation — we only collect what is necessary to deliver the service.
- Pseudonymisation — compatibility profiles use anonymised identifiers, not personal identifiers.
- Geohash privacy — our Proximity feature uses geohash regions, never precise GPS coordinates.
- Encryption — all data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access controls — role-based access with audit logging.
Data Protection Officer
For any GDPR-related enquiries or to exercise your data subject rights, contact our Data Protection Officer:
dpo@elodtx.com
Urban Space Web Technologies Ltd
Mauritius