GDPR & Data Protection

How TotalKPI complies with the GDPR and keeps your data safe within the EU.

Effective Date: March 1, 2026

This page explains how TotalKPI complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and related data protection legislation. It supplements our Privacy Policy with GDPR-specific details.

Data Controller

The data controller responsible for your personal data is:

Valoks
Email: [email protected]

As the data controller, we determine the purposes and means of processing your personal data when you use TotalKPI.

EU-Based Infrastructure

Our primary data storage and processing infrastructure is located within the European Union. This means:

Our databases are hosted on Supabase infrastructure in EU data centers.
Server-side processing, including API proxy requests, data aggregation, and chart computation, runs on EU-based servers.
Database backups and replicas are stored exclusively within the EU.

Your data benefits from the full protection of EU data protection laws at every stage of processing.

Lawful Bases for Processing

Under Article 6 of the GDPR, we process your personal data only where we have a valid legal basis. The table below sets out each category of data, the purpose of processing, and the applicable lawful basis.

Category	Data Processed	Purpose	Lawful Basis (Art. 6 GDPR)
Account Data	Name, email address, profile picture (via OAuth)	Account creation, authentication, and management	Art. 6(1)(b) - Performance of contract
Metric Data	CSV uploads, data points, data source configurations	Storing, processing, and displaying your metric data and charts	Art. 6(1)(b) - Performance of contract
API Configurations	Endpoint URLs, HTTP headers, JSON paths	Executing automated API polling on your behalf	Art. 6(1)(b) - Performance of contract
Payment Data	Subscription status, billing email, limited card details (via Stripe)	Payment processing and subscription management	Art. 6(1)(b) - Performance of contract
Usage Data	Page views, feature interactions, session duration	Improving the Service, identifying issues, and understanding usage patterns	Art. 6(1)(f) - Legitimate interest
Technical Data	IP address, browser type, session cookies	Security, fraud prevention, and technical operation of the Service	Art. 6(1)(f) - Legitimate interest
Communication Data	Support emails, feedback	Responding to your inquiries	Art. 6(1)(f) - Legitimate interest

Legitimate Interest Assessments: Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights. You have the right to object to processing based on legitimate interest (see Section "Your Rights" below).

Special Categories of Data: We do not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR (e.g., health data, biometric data, political opinions). Users must not upload such data to the Service without implementing appropriate safeguards.

As a data subject, you have the following rights under the GDPR:

Right	Description	GDPR Article
Access	Request a copy of all personal data we hold about you	Art. 15
Rectification	Request correction of inaccurate or incomplete data	Art. 16
Erasure	Request deletion of your personal data ("right to be forgotten")	Art. 17
Restriction	Request that we limit processing of your data in certain circumstances	Art. 18
Data Portability	Receive your data in a structured, commonly used, machine-readable format (JSON/CSV)	Art. 20
Object	Object to processing based on legitimate interest or for direct marketing	Art. 21
Withdraw Consent	Withdraw consent at any time where processing is based on consent, without affecting prior processing	Art. 7(3)
Automated Decisions	Not be subject to decisions based solely on automated processing that produce legal or significant effects	Art. 22

How to exercise your rights:

Email us at [email protected] with your request.
We will verify your identity by confirming the email address associated with your account.
We will respond within 30 days of receiving your verified request. If we require additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period with an explanation.
Exercising your rights is free of charge. We may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, as permitted under Art. 12(5) GDPR.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Sub-Processors

We use a limited number of third-party sub-processors to operate the Service. All sub-processors with access to personal data are bound by Data Processing Agreements (DPAs) that meet the requirements of Article 28 of the GDPR.

Sub-Processor	Purpose	Personal Data Accessed	Location	Transfer Mechanism
Supabase	Database hosting & authentication	Account data, metric data, API configurations	EU	N/A (EU-based)
Stripe	Payment processing	Billing and payment information	EU/US	Standard Contractual Clauses (SCCs)
Google	OAuth authentication	Name, email, profile picture	EU/US	Standard Contractual Clauses (SCCs)
GitHub	OAuth authentication	Name, email, profile picture	EU/US	Standard Contractual Clauses (SCCs)

We will notify users of any changes to our sub-processor list by updating this page.

International Data Transfers

Our primary infrastructure is in the EU. Where personal data is transferred to sub-processors outside the European Economic Area (EEA), we rely on the following safeguards as required by Chapter V of the GDPR:

Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (Decision 2021/914) with sub-processors that process data outside the EEA.
Transfer Impact Assessments: We evaluate the data protection laws of recipient countries and implement supplementary measures where necessary, in line with the EDPB's recommendations.
Adequacy Decisions: Where applicable, we rely on the European Commission's adequacy decisions for transfers to countries with adequate data protection.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

Data Type	Retention Period	Basis
Account data (active accounts)	Duration of account	Contract performance
Metric data and configurations (active accounts)	Duration of account	Contract performance
All personal data (deleted accounts)	Permanently deleted within 30 days of account deletion	Art. 17 GDPR
Payment and transaction records	As required by applicable tax and financial regulations (typically 7 years)	Legal obligation
Server and access logs	Automatically purged after 90 days	Legitimate interest
Aggregated, anonymized data	Indefinite (no longer personal data under GDPR Recital 26)	N/A

Data Protection by Design and Default

In accordance with Article 25 of the GDPR, we implement data protection principles throughout our development process:

Data Minimization: We collect only the personal data necessary to provide the Service. OAuth authentication only requests the minimum required scopes.
Purpose Limitation: We use personal data only for the specific purposes disclosed in this policy.
Storage Limitation: We apply defined retention periods and automatically purge data when no longer needed.
Access Controls: Row-level security policies in our database ensure that users can only access their own data. Internal access to user data is restricted on a need-to-know basis.
Pseudonymization: Where possible, we use pseudonymized identifiers rather than directly identifying information in internal systems.

Security Measures (Article 32)

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption in transit: All connections use TLS 1.2 or higher.
Encryption at rest: Database storage uses AES-256 encryption.
Access control: Row-level security policies ensure data isolation between users. Internal administrative access requires multi-factor authentication.
API credential protection: Third-party API credentials configured by users are stored encrypted and processed exclusively server-side, never exposed to the browser.
Network security: Our API proxy blocks requests to private, internal, and loopback IP ranges to prevent server-side request forgery.
Dependency management: Regular updates and security reviews of software dependencies.
Incident response: Documented procedures for detecting, reporting, and responding to security incidents.

Data Breach Notification

In the event of a personal data breach, we will act in accordance with Articles 33 and 34 of the GDPR:

Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals, unless the breach is unlikely to result in such a risk.
Data Subject Notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, describing the nature of the breach, its likely consequences, and the measures taken to address it.
Documentation: We maintain an internal register of all data breaches, including those that do not meet the threshold for notification, in accordance with Art. 33(5).