GDPR Compliance Statement
Effective Date: March 15, 2026
At VisitThree, we take data privacy and local governance frameworks extremely seriously. We are fully committed to complying with the General Data Protection Regulation (GDPR) to ensure all users—especially those operating within the European Economic Area (EEA)—retain complete transparency and control over their personal data.
1. Role Classifications
Understanding our relationship with your data is paramount under GDPR framework definitions.
- Data Controller: For standard operations regarding your VisitThree development account (e.g., authentication, billing, dashboard access logs), VisitThree operates as the Data Controller.
- Data Processor: When you utilize our API endpoints to process payloads originating from your own end-users (e.g., streaming their IP through our Geo-location endpoint), VisitThree operates exclusively as a Data Processor. In this capacity, we process that data entirely at your direction and immediately discard it after edge execution unless explicitly cached.
2. Your Explicit Data Rights
Under the GDPR (and similar international privacy standards), VisitThree actively supports your right to manage data proactively:
- Right to Access: You may request a comprehensive export of all personal data held by VisitThree.
- Right to Rectification: You can correct incomplete or mathematically inaccurate data stored within your account via the Developer Dashboard.
- Right to Erasure (Right to be Forgotten): Upon requesting account deletion, all associated PII, valid session tokens, and billing profiles will be completely purged from our databases within an automated 30-day window.
- Right to Restrict Processing: You may request a halt on data processing operations if you contest the accuracy or legality of the collection.
3. International Data Transfers
Given our distributed edge architecture, data transfers across international borders are a necessary part of ensuring sub-100ms API latency. When personal data originates from the EEA and is routed externally, VisitThree strictly relies on Standard Contractual Clauses (SCCs) enacted alongside adequate cloud infrastructure safeguards.
4. Incident Response and Breach Notification
VisitThree utilizes continuous monitoring frameworks to audit platform integrity. In the highly unlikely event of a security breach compromising Personal Information, we will notify affected individuals and explicit regulatory data authorities within seventy-two (72) hours of uncovering the anomaly, detailing mitigation efforts and scope.
5. Data Processing Agreements (DPA)
If your organization leverages VisitThree to process Personal Data covered by the GDPR, you must sign a formal Data Processing Agreement. We offer pre-signed DPAs directly tailored for Enterprise customers upon request.
To request DPA execution, exercise your Data Rights, or contact our Data Protection Officer, email
[email protected]