If you live in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) gives you specific rights over your personal data. This page explains those rights and how OVirtual upholds them.
1. Our role
OVirtual acts as a data controller for personal data we collect about our account holders (your name, email, billing info). For data that flows through your projects — for example, submissions captured by forms you build — OVirtual acts as a data processor, and you are the controller.
Customers on paid plans can sign a Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses. Request a copy from legal@ovirtual.com.
2. Your rights under GDPR
You have the following rights, free of charge, and we'll respond within 30 days:
- Right of access (Article 15) — get a copy of the personal data we hold about you.
- Right to rectification (Article 16) — correct inaccurate or incomplete data.
- Right to erasure (Article 17) — delete your data (the "right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Article 18) — limit how we use your data while a dispute is resolved.
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format (JSON / CSV).
- Right to object (Article 21) — opt out of processing based on legitimate interests, including direct marketing.
- Rights regarding automated decision-making (Article 22) — we do not make decisions about you based solely on automated processing.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with your local supervisory authority.
3. How to exercise your rights
Most rights can be exercised directly from your account:
- Settings → Privacy → Export my data — generates a downloadable archive.
- Settings → Privacy → Delete my account — irreversibly erases your data after a 14-day grace period.
- Settings → Communications — opt out of marketing emails.
For anything else, email privacy@ovirtual.com. We may ask you to verify your identity before acting on a request.
4. Legal bases for processing
We rely on these GDPR legal bases:
- Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, and product improvement. We balance this against your rights and offer opt-outs where appropriate.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, and law-enforcement requests.
- Consent (Art. 6(1)(a)) — for marketing emails and non-essential cookies. Withdraw anytime.
5. International transfers
OVirtual is a US-incorporated company. When we move personal data from the EEA/UK/Switzerland to the United States or other third countries, we rely on:
- EU Standard Contractual Clauses (2021/914)
- UK International Data Transfer Addendum
- Swiss FDPIC-recognised safeguards
- Supplementary technical measures including end-to-end encryption
A transfer impact assessment (TIA) is available to enterprise customers on request.
6. Sub-processors
We maintain a complete, up-to-date list of GDPR sub-processors (with location and safeguard details). The list is available on request from privacy@ovirtual.com. Customers on Business plans receive 30 days' notice before any new sub-processor is engaged and may object.
7. Breach notification
In the unlikely event of a personal data breach posing a risk to your rights, we will notify our supervisory authority within 72 hours, and notify affected users without undue delay, as required by Articles 33 and 34 GDPR.
8. Data Protection Officer & EU Representative
OVirtual has appointed an internal Data Protection Officer (DPO). Our EU representative under Article 27 GDPR can be contacted at eu-rep@ovirtual.com. UK representative: uk-rep@ovirtual.com.
9. Supervisory authorities
You have the right to lodge a complaint with the data protection authority of your country of residence. A list of EU/EEA authorities is maintained by the European Data Protection Board at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
10. Contact
For any GDPR-related question or request, email privacy@ovirtual.com. We aim to respond within 72 hours and complete formal requests within 30 days.