GDPR Compliance Statement

Last Updated: April 28, 2026

1. Introduction

TeamLyf, Inc. ("Controller") is committed to complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This statement outlines our GDPR compliance measures, tailored to our processing of personal data in the TeamLyf platform.

2. Legal Basis for Processing

  • Contract Performance: Processing user accounts, tenant memberships, and service delivery (Art. 6(1)(b)).
  • Legitimate Interests: Security monitoring, audit logging, and service improvements (Art. 6(1)(f)), balanced against data subject rights.
  • Consent: Optional features like profile sharing or marketing communications (Art. 6(1)(a)), with easy withdrawal.
  • Legal Obligation: Compliance with tax/billing laws for financial data (Art. 6(1)(c)).
  • Vital Interests: Emergency contact processing in HR contexts (Art. 6(1)(d)).

3. Data Subject Rights

  • Right of Access: Data subjects can request access to their data via the Service or email (within 30 days).
  • Right to Rectification: Update inaccurate data through profile settings.
  • Right to Erasure: Delete data upon request, subject to exemptions (e.g., legal retention for HR/financial data).
  • Right to Data Portability: Export data in JSON/CSV format.
  • Right to Object/Withdraw Consent: Opt out of non-essential processing.
  • Right to Restriction: Limit processing during disputes.
  • Automated Decision-Making: Not used.

4. Data Retention

  • User Accounts: Retained indefinitely unless deleted or terminated.
  • HR Data: 7 years post-employment per labor laws.
  • Communication Data: 1 year for active tenants; deleted upon account closure.
  • Audit Logs: 1 year for security/compliance.
  • Billing Data: 7 years per financial regulations.

5. Technical and Organizational Measures

  • Data Protection by Design: RBAC, Argon2 password hashing, AES-256 encryption for sensitive data, input validation.
  • Access Controls: Multi-factor authentication, least-privilege access, tenant isolation.
  • Security Measures: TLS 1.3, firewalls, intrusion detection; monitoring via Logtail/Slack alerts.
  • Incident Response: Breach notification within 72 hours; documented procedures for containment and remediation.
  • Data Minimization: Collect only necessary data; anonymize where possible.
  • Sub-Processors: Approved third parties (e.g., LiveKit, S3) with DPAs; no international transfers without safeguards.

6. Data Protection Officer

Our DPO can be contacted at dpo@getteamlyf.com.

7. Complaints

Data subjects may lodge complaints with supervisory authorities (e.g., Irish Data Protection Commission).

8. Updates

This statement is reviewed annually and updated as needed.

9. Contact

For detailed records of processing activities, contact our DPO.