GDPR Compliance

Last updated: August 2025

1. Our Commitment to GDPR

Miarvo is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page outlines our comprehensive approach to GDPR compliance and your rights as a data subject.

We have implemented technical and organizational measures to ensure that data protection is integrated into all our processing activities, following the principles of data protection by design and by default as required by Article 25 of the GDPR.

2. Data Controller Information

Data Controller: Miarvo LLC.

Address: 303 A St STE 301, San Diego, CA 92101

Email: privacy@miarvo.net

Phone: (619) 252-8126

EU Representative: Miarvo EU Ltd., Dublin, Ireland

3. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

1. Right to Information (Articles 13-14)

You have the right to be informed about the collection and use of your personal data. This includes information about our purposes for processing, retention periods, and your rights.

2. Right of Access (Article 15)

You have the right to access your personal data and receive information about how we process it, including:

  • Confirmation that we are processing your personal data
  • Access to your personal data
  • Information about the purposes of processing
  • Categories of personal data concerned
  • Recipients or categories of recipients
  • Retention period or criteria for determining the period

3. Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed. We will respond to rectification requests within one month.

4. Right to Erasure - "Right to be Forgotten" (Article 17)

You have the right to have your personal data erased in certain circumstances:

  • The personal data is no longer necessary for the original purpose
  • You withdraw consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

5. Right to Restrict Processing (Article 18)

You have the right to restrict processing of your personal data in certain circumstances:

  • You contest the accuracy of the personal data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification of legitimate grounds

6. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller when processing is based on consent or contract and carried out by automated means.

7. Right to Object (Article 21)

You have the right to object to processing of your personal data in certain circumstances:

  • Processing based on legitimate interests or public task
  • Direct marketing (including profiling for direct marketing)
  • Processing for scientific, historical research, or statistical purposes

8. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

Contract Performance (Article 6(1)(b))

  • Providing electronic signature services
  • Processing payments and managing subscriptions
  • Delivering customer support
  • Fulfilling our contractual obligations

Legitimate Interests (Article 6(1)(f))

  • Improving our services and user experience
  • Preventing fraud and ensuring security
  • Analytics and performance monitoring
  • Business development and optimization

We have conducted legitimate interest assessments to ensure our interests do not override your fundamental rights and freedoms.

Consent (Article 6(1)(a))

  • Marketing communications (where applicable)
  • Optional features and enhancements
  • Cookies and tracking technologies (non-essential)
  • Special categories of personal data (if applicable)

Legal Obligation (Article 6(1)(c))

  • Compliance with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Anti-money laundering and KYC requirements
  • Data breach notifications

5. International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA). When we do so, we ensure adequate protection through the following safeguards:

Adequacy Decisions

We transfer data to countries that have been deemed by the European Commission to provide an adequate level of protection for personal data.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission, along with additional safeguards where necessary.

Current Transfer Locations

  • United States: Cloud hosting (AWS, Google Cloud) - SCCs and additional safeguards
  • Canada: Data processing services - Adequacy decision
  • United Kingdom: Support services - Adequacy decision

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention periods are set out in the schedule below.

Retention Schedule

Data Category                | Retention Period                       | Legal Basis
Account information          | Active account + 30 days after closure | Contract performance
Document data and signatures | 7 years after completion               | Legal obligation
Audit logs and security data | 3 years                                | Legitimate interest
Marketing data               | Until consent withdrawn                | Consent
Support communications       | 2 years after resolution               | Legitimate interest
Financial records            | 7 years                                | Legal obligation

Secure Deletion

When the retention period expires, we securely delete personal data using industry-standard methods that make recovery impossible. This includes secure deletion from backups and archived systems.

7. Data Protection Measures

Technical Measures

  • End-to-end encryption using AES-256 for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication and access controls
  • Regular security audits and penetration testing
  • Automated backup systems with encryption
  • Intrusion detection and monitoring systems

Organizational Measures

  • Data protection by design and by default
  • Regular staff training on data protection
  • Data processing agreements with all processors
  • Privacy impact assessments for high-risk processing
  • Incident response and breach notification procedures
  • Regular review and update of privacy policies

8. How to Exercise Your Rights

Making a Request

To exercise any of your rights under the GDPR, please contact us using the following methods:

  • Email our privacy team at privacy@miarvo.net
  • Use the data subject request form in your account settings
  • Send a written request to our postal address

Information Required

To process your request efficiently, please provide:

  • Your full name and email address associated with your account
  • Clear description of the right you wish to exercise
  • Proof of identity (copy of ID document)
  • Specific information about the data or processing you're concerned about

Response Times

  • Standard requests: Within 1 month of receipt
  • Complex requests: Up to 3 months (with notification)
  • Urgent requests: We will prioritize based on circumstances

No Fee Policy

We do not charge a fee for processing data subject requests unless they are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse to act on the request.

9. Right to Lodge a Complaint

If you are not satisfied with how we have handled your personal data or responded to your request, you have the right to lodge a complaint with a supervisory authority.

EU Supervisory Authorities

You can contact the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred. Some key authorities include:

  • Ireland: Data Protection Commission (DPC)
  • Germany: Federal Commissioner for Data Protection and Freedom of Information
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • UK: Information Commissioner's Office (ICO)

Our Lead Supervisory Authority

Our lead supervisory authority is the Irish Data Protection Commission (DPC), as our EU operations are based in Ireland.

10. Contact Information

For any GDPR-related inquiries or to exercise your rights, please contact us:

Privacy Team: privacy@miarvo.net

Postal Address: Miarvo LLC., 303 A St STE 301, San Diego, CA 92101

EU Representative: Miarvo EU Ltd., Dublin, Ireland

Phone: (619) 252-8126

We are committed to responding to all inquiries within one month and will work with you to resolve any concerns about our data processing practices.