Your GDPR Rights

Last updated: April 2026

Under the General Data Protection Regulation (GDPR), you have specific rights regarding your personal data. This page explains each right in plain language and exactly how to exercise it.

Your Six Key Rights

1. Right of Access (Article 15)

What it means: You have the right to know what personal data we hold about you and how we use it.

You can request:

  • A copy of all personal data we hold about you
  • Information about how we process your data
  • Who we share your data with
  • How long we keep your data
  • Where your data came from, if not collected directly from you

Example request: "I would like a copy of all my personal data you have stored."

2. Right to Rectification (Article 16)

What it means: You have the right to correct inaccurate or incomplete personal data.

You can request:

  • Correction of incorrect information, such as a wrong email address or misspelled name
  • Completion of incomplete information
  • Updates to outdated information

Example request: "My email address in your system is incorrect. Please update it."

3. Right to Erasure — Right to be Forgotten (Article 17)

What it means: You have the right to request deletion of your personal data in certain circumstances.

This applies when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

We may not be able to delete data if we need it for:

  • Legal compliance — for example, tax records must be kept for 7 years under German law
  • Establishing, exercising, or defending legal claims

Example request: "I would like to delete my account and all associated personal data."

4. Right to Data Portability (Article 20)

What it means: You have the right to receive your personal data in a structured, machine-readable format.

You can request:

  • Your data in CSV or JSON format
  • Transfer of your data directly to another service provider where technically feasible

Data included in an export:

  • Your account information
  • Your scan history and results
  • Your bookmarks and notes

Example request: "Please provide all my scan data in CSV format."

5. Right to Restriction of Processing (Article 18)

What it means: You have the right to limit how we use your data in certain situations.

This applies when:

  • You contest the accuracy of the data — restriction applies while we verify
  • Processing is unlawful but you do not want the data deleted
  • We no longer need the data but you need it for legal claims
  • You have objected to processing — restriction applies while we verify our grounds

When restriction applies, we will store your data but not actively process it, except with your consent or for legal claims.

Example request: "I dispute the accuracy of my scan history. Please restrict processing until this is resolved."

6. Right to Object (Article 21)

What it means: You have the right to object to processing based on legitimate interests or for direct marketing.

  • If processing is based on legitimate interests, we must stop unless we have compelling legitimate grounds
  • If processing is for direct marketing, we must stop immediately

Example request: "I object to receiving marketing emails. Please stop sending them."

Additional Rights

Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection supervisory authority if you believe we have not handled your data appropriately.

How to Exercise Your Rights

Step 1 — Submit your request

Email info@scanthegap.com with:

  • Subject: "GDPR Request — [Your Request Type]"
  • Your full name
  • Your registered email address
  • A clear description of your request
  • Any relevant details, such as specific data you want corrected

Step 2 — Identity verification

To protect your privacy, we may need to verify your identity before processing your request. We may ask for:

  • Confirmation of your registered email address
  • Answers to security questions
  • Proof of identity in exceptional cases

Step 3 — We process your request

  • We will acknowledge receipt within 48 hours
  • We will respond within 30 days as required by GDPR Article 12
  • We will inform you if we need to extend this period — maximum 60 days in complex cases
  • There is no charge for exercising your rights unless requests are clearly excessive

Supervisory Authorities

Germany — Hamburg

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany
https://datenschutz.hamburg.de
mailbox@datenschutz.hamburg.de

Other EU countries

Data Controller

Samia Zahoor (Einzelunternehmen — ScanTheGap)
Address: Alsterkrugchaussee 595, 22335 Hamburg, Germany
Email: info@scanthegap.com
Subject line: "GDPR Request — [Your Request Type]"