GDPR COMPLIANCE

Last Updated: January 2025

How Hamhey complies with the General Data Protection Regulation (GDPR) and protects your personal data.

As a Delaware-based corporation offering services in the European Union, Hamhey has designated an EU representative under Article 27 GDPR:

Under GDPR, you have the following rights regarding your personal data:

• Right to Access (Article 15): Request a copy of all personal data we hold about you
• Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
• Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data (subject to legal obligations)
• Right to Restriction of Processing (Article 18): Limit how we use your personal data
• Right to Data Portability (Article 20): Receive your data in a machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing
• Right to Withdraw Consent (Article 7): Withdraw consent at any time for consent-based processing
• Right to Lodge a Complaint (Article 77): File a complaint with your local data protection authority

To exercise any of your GDPR rights, you can:

• Submit a Data Subject Request: Email gdpr@hamhey.com with subject line "GDPR Data Subject Request"
• Use Our Online Form: Visit hamhey.com/gdpr-request (secure form)
• Contact EU Representative: eu-privacy@hamhey.com or +49 30 123 456 789
• Mail Written Request: Hamhey GDPR Team, Clara-Meinek-Str. 3, 12049 Berlin, Germany

Response Time: We will respond within 30 days (extendable to 60 days for complex requests).

We process personal data based on the following lawful grounds under GDPR Article 6:

• Contractual Necessity (Article 6(1)(b)): Processing necessary to fulfill our contract with you
• Consent (Article 6(1)(a)): Marketing communications, cookies, AI chat features (where you've given explicit consent)
• Legitimate Interests (Article 6(1)(f)): Fraud prevention, security monitoring, platform improvements
• Legal Obligations (Article 6(1)(c)): Tax compliance, anti-money laundering, responding to law enforcement

As a U.S.-based company, we transfer EU user data to the United States. We ensure appropriate safeguards:

• EU-U.S. Data Privacy Framework: Hamhey complies with the EU-U.S. Data Privacy Framework
• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs for data transfers
• Encryption: All data transfers are encrypted using TLS 1.3; data at rest is encrypted using AES-256
• Third-Party Compliance: All subprocessors (Stripe, OpenAI, AWS) are GDPR-compliant

We retain personal data only as long as necessary:

If you believe your GDPR rights have been violated, you have the right to lodge a complaint: