GDPR Compliance
Our commitment to the General Data Protection Regulation (EU) 2016/679 and the UK GDPR.
Last updated: March 10, 2026
This page describes how Genie Bazaar Private Limited ("Genie Bazaar") complies with the EU General Data Protection Regulation (GDPR) and the UK GDPR for individuals in the European Economic Area (EEA) and the United Kingdom. Where you are an enterprise customer located in the EEA/UK, this page also addresses our obligations as your Data Processor.
Lawful Basis
All processing activities are mapped to a valid legal basis under GDPR Article 6.
Data Processing Agreements
DPAs are available for all enterprise customers via our standard template.
Records of Processing
We maintain a full Record of Processing Activities (ROPA) per Article 30.
Data Subject Rights
Access, erasure, portability, objection and restriction requests are fulfilled within 30 days.
International Transfers
EEA/UK data transfers are protected by Standard Contractual Clauses (SCCs).
Breach Notification
Personal data breaches are notified to regulators within 72 hours and to affected individuals promptly.
1. Our Roles Under GDPR
Genie Bazaar acts in two distinct capacities:
Data Controller
For data collected via our website, marketing activities, and webinar registrations. We determine the purposes and means of processing.
Data Processor
For Customer Data stored within the Genie Bazaar platform. We process data only on the documented instructions of the enterprise Customer (Controller).
2. Legal Bases for Processing
We rely on the following legal bases (GDPR Article 6) for processing personal data:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the platform to enterprise customers | Contract performance | Art. 6(1)(b) |
| Sending confirmation and transactional emails | Contract performance | Art. 6(1)(b) |
| Marketing communications (with opt-in) | Consent | Art. 6(1)(a) |
| Analytics and product improvement | Legitimate interests | Art. 6(1)(f) |
| Security monitoring and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
3. Data Processing Agreement (DPA)
We offer a standard Data Processing Agreement to all enterprise customers who require one for GDPR compliance. The DPA covers:
- Description of processing activities and categories of data
- Sub-processor list and sub-processor change notification process
- Security obligations (technical and organisational measures)
- Data subject rights assistance
- Breach notification obligations (72-hour rule)
- Data deletion or return on contract termination
- Standard Contractual Clauses as the transfer mechanism for data leaving the EEA/UK
To request a DPA, email support@geniebazaar.com.
4. Sub-processors
We use the following categories of sub-processors; a full list with details is available on request:
| Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure (AWS) | Hosting, storage, CDN | Singapore / Mumbai (ap-southeast-1 / ap-south-1) |
| Email Service Provider | Transactional and marketing emails | USA |
| Analytics Platform | Usage analytics, event tracking | USA / EU |
| Payment Processor | Subscription billing | USA / India |
| Google Workspace (Calendar API) | Webinar calendar invites | USA |
We notify customers of material sub-processor changes with at least 14 days' advance notice.
5. International Data Transfers
Data originating in the EEA or UK may be transferred to India (our primary operations), Singapore (AWS ap-southeast-1), and the USA (certain third-party sub-processors). We rely on:
- Standard Contractual Clauses (2021 SCCs) — for transfers to India and USA.
- UK International Data Transfer Agreements (IDTA) — for UK-origin data.
- Adequacy decisions — where applicable (e.g., transfers within the EEA).
Transfer impact assessments (TIAs) have been conducted for all key transfer routes.
6. Data Subject Rights
EEA and UK data subjects may exercise the following rights at any time:
Right to Access (Art. 15)
Obtain a copy of your personal data and supplementary information.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion, subject to legal retention requirements.
Right to Restriction (Art. 18)
Restrict processing while a dispute or verification is pending.
Right to Data Portability (Art. 20)
Receive data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests or direct marketing.
Automated Decision-Making (Art. 22)
Right not to be subject to solely automated decisions with significant effects.
Right to Withdraw Consent (Art. 7)
Withdraw consent at any time without affecting prior processing.
Submit requests to support@geniebazaar.com. We respond within 30 days (extendable to 60 days for complex requests with notice).
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority — for example, the CNIL (France), the ICO (UK), the BfDI (Germany), or the relevant authority in your EU member state.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in our Privacy Policy. Specific retention periods are:
- Active platform data: Duration of contract + 7 years (Indian statutory requirement)
- Marketing leads: Up to 3 years from last interaction or consent withdrawal
- Server logs: 90 days
8. Security Measures
Technical and organisational measures (TOMs) we have implemented include:
- AES-256 encryption at rest; TLS 1.2+ in transit
- Role-based access controls and principle of least privilege
- Multi-factor authentication for administrative access
- Annual penetration testing by independent third parties
- Regular vulnerability scanning and patch management
- Staff data protection training and confidentiality agreements
- Incident response plan with documented breach notification procedures
Full details on our security posture are available on our Security page.
9. Data Protection Officer (DPO)
Contact our Data Protection Point of Contact
For all GDPR-related enquiries, including DPA requests, sub-processor lists, and data subject rights requests:
Email: support@geniebazaar.com