GDPR & UK GDPR

Last Updated: July 13, 2026

This page summarises how Org Chart Studio complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. It sits alongside our Privacy Policy (the full detail) and our Sub-processor List — this page is the plain-language overview.

We are a small team, and we build privacy in at the code level rather than bolting it on. Where a choice is between collecting data and not collecting it, we default to not.

1. Controller and processor roles

For the employee and organisational data you put into your charts, you are the data controller and Org Chart Studio is your data processor — we process that data only on your documented instructions (see our Terms and the Data Processing Agreement available to customers on request).

For your own account data (your name, email, sign-in, billing, and the analytics you consent to), we are the data controller. The legal bases below distinguish the two.

2. Legal bases (Art. 6)

ProcessingLawful basis
Providing the service — creating your account, signing you in, storing and exporting your charts, collaborationArt. 6(1)(b) — performance of our contract with you
Payments and billing recordsArt. 6(1)(b) contract + Art. 6(1)(c) legal obligation (financial record-keeping)
The employee data inside your chartsProcessed only on your documented instructions — you are the controller, we are the processor (Art. 28). We hold no independent basis for it.
Analytics, session replay, and marketingArt. 6(1)(a) — your consent. Opt-in, granular per purpose, off by default, and withdrawable at any time.
Basic security/support telemetry (e.g. last-seen) and aggregate visitor countingArt. 6(1)(f) — legitimate interest. Minimal, aggregate, and never used to track individuals.
Recording your consent choicesArt. 6(1)(c) — legal obligation (to be able to demonstrate consent)

We do not ask you to route special-category data (Art. 9) or children's data through the service, and our persistence allow-list drops sensitive fields before they reach the database (see §5).

3. Your rights

You have the right to access, rectify, erase, restrict, and object to the processing of your personal data, to data portability, and to withdraw consent at any time. The Privacy Policy describes each in full. In practice, most rights are self-service:

  • Erasure / account deletion — delete your account (and all its data) from account settings, one click, no email required.
  • Portability — export your charts as CSV, PNG, PDF, or PowerPoint at any time.
  • Withdraw consent — change analytics, session-replay, and marketing choices from the cookie settings in the footer; declining changes nothing about how the product works.
  • Per-employee erasure — as a controller, remove a named individual from every saved version of your charts using the in-app erasure tool.

For access, rectification, restriction, objection, or anything not covered above, contact us (§7) and we will respond within one month.

4. Where your data lives

Your behavioural analytics (event data you consent to) is stored with Tinybird, an EU-resident processor (Tinybird Analytics S.L., hosting in Frankfurt) — it stays in the EU/EEA and holds only pseudonymous identifiers, never your name, email, or org-chart employee data.

Other sub-processors (our database, hosting, authentication, and payments) are in the United States. For those EU/EEA and UK transfers we rely on the EU-US Data Privacy Framework where the recipient is certified, and on Standard Contractual Clauses (EU SCCs 2021/914 + UK IDTA/Addendum) with a transfer impact assessment otherwise.

The full list — each sub-processor, what it processes, its region, and the transfer instrument — is on our Sub-processor List.

5. How privacy is enforced in the product

Rather than rely on policy alone, these protections are built into the code:

  • Consent-gated by default. No analytics, session-replay, or marketing tool loads until you opt in, per purpose. Global Privacy Control (GPC) is honoured.
  • Data-minimised analytics. Events carry pseudonymous IDs only — no names, emails, or employee data — and are stored in the EU (§4).
  • Employee data is masked in session recordings and excluded from network capture.
  • A server-side allow-list drops sensitive fields (for example phone, salary, date of birth, health) at the persistence boundary — by field name, before they ever reach the database.
  • Retention is enforced automatically by a scheduled purge, not manual cleanup, and erasure rotates the identifiers that could re-link anonymised records.

6. Retention

We keep personal data only as long as needed for the purpose it was collected, then delete or anonymise it. The specific windows (and the mechanisms that enforce them) are listed in the Privacy Policy.

7. Contact and complaints

For any data-protection question, or to exercise a right, contact us at hello@orgchartstudio.com. We are a small team and handle these requests directly.

If you are in the EU/EEA or the UK, you also have the right to lodge a complaint with your local data-protection supervisory authority.