GDPR Compliance Statement
Effective Date: January 2025
Applies to: All users of mia products and services
1. Introduction
mia (“we”, “us”, or “our”) is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This document outlines our practices for collecting, processing, storing, and protecting personal data across our services, including mia (Market Intelligence Agent).
2. Our Role under GDPR
Data Controller: For direct interactions with our clients (e.g., onboarding, marketing).
Data Processor: When clients upload data into our platform, we process this data on their behalf.
3. Legal Basis for Processing
We process personal data under the following lawful bases:
- Contractual necessity – to deliver platform functionality and support.
- Legitimate interests – for analytics, product improvement, and fraud prevention.
- Consent – for email communications and use of optional cookies.
- Legal obligation – to meet compliance or audit requirements.
4. Categories of Data Collected
- Personal Information: Name, email address, job title.
- Company Information: Company name, sector, location.
- Platform Usage: Log files, user actions, session metadata.
- Uploaded Data: Documents, campaign datasets, third-party data (via user upload).
We do not knowingly collect data from children or process special categories of personal data unless explicitly agreed under a DPA.
5. Data Subject Rights
As a data subject, you have the following rights:
- Access – Request a copy of your personal data.
- Rectification – Correct inaccurate or incomplete data.
- Erasure (Right to be Forgotten) – Request deletion of your data.
- Restriction – Limit processing under certain conditions.
- Portability – Obtain a copy in a machine-readable format.
- Objection – To processing based on legitimate interests.
- Withdraw Consent – At any time where consent is the legal basis.
Requests can be made at: hello@aureliax.co
6. Data Transfers & Hosting
All data is securely stored and processed within the EU (primarily in the Netherlands, Germany, or Ireland).
If we transfer data outside the EEA, we ensure appropriate safeguards such as:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- Vendor compliance with GDPR, UK GDPR, or CCPA
7. Subprocessors
We use a limited number of subprocessors to deliver our services (e.g., AWS, Vercel, Mixpanel). A full list is available upon request. All subprocessors are bound by strict Data Processing Agreements.
8. Security & Breach Protocol
We apply industry-standard security practices:
- Data encryption at rest and in transit
- Role-based access controls (RBAC)
- Intrusion detection and regular vulnerability scans
In the event of a data breach, we notify affected users and authorities within 72 hours, per GDPR Article 33.
9. Data Retention
- Active users: Data retained for the duration of service.
- Former users: Data deleted within 30–90 days post-termination, unless required for legal obligations.
Users may request deletion at any time via hello@aureliax.co
10. Supervisory Authority
If you have concerns, you may contact your local Data Protection Authority (DPA) or the Dutch Authority for Personal Data (Autoriteit Persoonsgegevens).
11. Contact
AureliaX Consulting B.V.
KVK: 97362263
Zuidplein 36, 1077 XV Amsterdam, Netherlands
📧 Email: hello@aureliax.co
📞 Phone: +31 615 423 336
🌐 Website: gomia.ai
