Ecopyright
Legal · Last updated May 13, 2026

GDPR Compliance

Your rights under EU data protection law, and how we honor them.

Overview

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. It gives EU residents (and people in the EEA and UK under equivalent regimes) specific rights over their personal data, and imposes specific obligations on organizations that process that data.

Ecopyright applies GDPR-level protection to all of our members, not just EU residents. We chose this approach because it is the right baseline for a service whose entire purpose is handling sensitive authorship records on behalf of creators.

Who is the data controller?

The data controller is Sistem Patent, operating Ecopyright. Contact for all data-protection matters:

Email: legal@ecopyright.io
Subject line: Use "GDPR" or describe your specific request

We do not have an appointed EU representative under Article 27, because our processing is unlikely to rise to the threshold requiring one. If you are an EU resident and prefer to communicate via an EU-based data protection contact, let us know and we will arrange an appropriate route.

What we collect, why, and on what basis

Detailed information about what data we collect and how we use it is in our Privacy Policy. The summary for GDPR purposes:

  • Account data (email, name, country): legal basis is contract, since we need it to provide the Service.
  • Uploaded files: legal basis is contract. Files are stored encrypted and accessed only on your request or to generate certificates.
  • Payment data: legal basis is contract and legal obligation (tax records).
  • Service usage data: legal basis is legitimate interests (operating and improving the Service, preventing abuse).
  • Marketing communications (if any): legal basis is consent, opt-in only.

Your rights

Under GDPR Articles 15-22, you have the following rights with respect to your personal data:

Right of access

Get a copy of all personal data we hold about you, in a portable format.

How: Email legal@ecopyright.io with subject "Data Access Request". We respond within 30 days.

Right to rectification

Have inaccurate personal data corrected.

How: Update your profile in the dashboard, or email us for changes you cannot make yourself.

Right to erasure

Have your personal data deleted ("right to be forgotten"), subject to our legal retention obligations.

How: Delete your account from settings, or email us. Full erasure typically completes within 30 days.

Right to restriction

Restrict how we process your data in specific circumstances.

How: Email us with the reason for the restriction request.

Right to portability

Export your personal data in a machine-readable format you can transfer to another service.

How: Use the "Export My Data" tool in your account settings, or email us.

Right to object

Object to processing based on our legitimate interests, including profiling.

How: Email us with the basis for your objection.

Right to withdraw consent

Where we process data under your consent, withdraw it at any time. This does not affect processing already done.

How: Cookie banner, marketing email unsubscribe, or account settings, depending on what you consented to.

Right to lodge a complaint

Complain to a supervisory authority in your country if you believe we have not handled your data correctly.

How: For EU residents: your national data protection authority. We always prefer to resolve concerns directly first.

How we respond to requests

We respond to GDPR rights requests within 30 days as required by Article 12. For complex requests we may extend by an additional two months, with notice and reasoning.

We respond free of charge unless your request is "manifestly unfounded or excessive". In those rare cases we may charge a reasonable fee or refuse the request, with written reasoning.

We may ask you to verify your identity before processing a request, to protect your data from unauthorized access by someone pretending to be you.

Where we transfer data

We primarily store EU-resident data on servers in Germany (within the EU). When personal data is transferred outside the EU, we use one or more of the following safeguards required by GDPR Article 46:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where the destination country has been deemed to provide adequate protection.
  • Binding Corporate Rules where applicable to our processors.

Türkiye, where our operating entity is registered, does not have an adequacy decision under GDPR as of the date of this policy. Transfers of EU residents' personal data to our Türkiye-based operations are handled under appropriate SCCs.

Data breach notification

If a data breach occurs that is likely to result in a risk to your rights and freedoms, we notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Articles 33 and 34.

Notifications include: the nature of the breach, the categories and approximate number of affected individuals, likely consequences, and measures we are taking in response.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any new processing that is likely to result in high risk to individuals' rights, as required by GDPR Article 35. Current assessments include our blockchain anchoring (concluded as low-risk since only cryptographic hashes are exposed, not personal data) and AI-assisted features (where applicable).

Children's data

We do not knowingly collect personal data from children under 16 (the GDPR default age of consent). Where local law sets the age higher (up to 16) or lower (down to 13), we apply the local standard. Parents who become aware that a child has provided personal data should contact us for prompt deletion.

Automated decision-making

We do not use solely automated processing (including profiling) to make decisions that produce legal or similarly significant effects on you. Some service features use automated analysis (such as AI originality detection for uploaded works), but final outcomes always involve human review when contested.

Supervisory authority

EU residents have the right to lodge a complaint with a supervisory authority in their country of residence, place of work, or location of the alleged infringement. The list of national authorities is maintained by the European Data Protection Board at edpb.europa.eu.

We always prefer to resolve concerns directly first. Contact us at legal@ecopyright.io and we will work to address the issue before any formal complaint becomes necessary.

UK GDPR and other regimes

The UK GDPR (post-Brexit) is functionally equivalent to EU GDPR for our purposes. UK residents have the same rights as described here, with complaints handled by the UK's Information Commissioner's Office (ICO).

Türkiye's KVKK (Kişisel Verilerin Korunması Kanunu) provides similar protections to KVKK-covered individuals. We apply equivalent processes across all regimes.