GDPR Compliance
For EU/EEA users under the General Data Protection Regulation
Our Commitment
SemlyPro is committed to protecting the personal data of users in the European Union and European Economic Area in accordance with Regulation (EU) 2016/679 (GDPR). This page supplements our Privacy Policy with GDPR-specific information.
Data Controller
For the purposes of GDPR, SemlyPro acts as the Data Controller for personal data collected through our website and platform.
Data protection contact: hello@semlypro.com
Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service — account management, billing, content creation, CMS publishing.
- Legitimate interests (Art. 6(1)(f)): Analytics, fraud prevention, platform security, and product improvement.
- Consent (Art. 6(1)(a)): Marketing emails and non-essential cookies. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Retention of billing records and compliance with tax laws.
Your Rights Under GDPR
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Right to restriction (Art. 18): Restrict processing while a dispute is resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making (Art. 22): We do not use fully automated decision-making that produces legal or similarly significant effects on you.
To exercise any right, email hello@semlypro.com. We will respond within 30 days (extendable by a further 60 days for complex requests).
You also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, or your national DPA).
International Data Transfers
Some of our service providers are located outside the EEA (primarily the United States). When we transfer personal data to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU-US Data Privacy Framework certification where applicable.
Our key sub-processors and their locations:
- Vercel (hosting) — US, with EU region options
- Supabase (database) — EU (Frankfurt) option selected
- Stripe (payments) — US/EU, SCCs in place
- Resend (email) — US, SCCs in place
Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
- Billing records: Retained for 7 years per legal requirement.
- Analytics data: Aggregated and anonymised after 14 months.
- Support communications: Retained for 3 years.
Cookies and Consent
Non-essential cookies (analytics, marketing) are only set with your consent. You may withdraw consent at any time by:
- Adjusting settings in our cookie banner.
- Using your browser's privacy controls.
- Installing an opt-out browser extension (e.g., Google Analytics Opt-out).
Data Breach Notification
In the event of a personal data breach affecting EU users, we will notify the relevant supervisory authority within 72 hours (where required), and we will notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Contact
For GDPR-related enquiries: hello@semlypro.com