GDPR Compliance
General Data Protection Regulation compliance and your data rights
Our GDPR Commitment
ROME is fully compliant with the General Data Protection Regulation (GDPR). Our zero-knowledge architecture ensures that we cannot access the content of your communications; the only personal data we can see is the basic account information and metadata described under Right of Access below, providing you with the highest level of privacy protection under GDPR and beyond.
Your Data Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right to Information
You have the right to know what personal data we process, why we process it, and how long we retain it. Our Privacy Policy provides comprehensive information about our data practices.
Right of Access
You can request a copy of all personal data we hold about you. Due to our zero-knowledge architecture, this is limited to basic account information and metadata.
Right to Rectification
You can update and correct your personal information through your account settings or by contacting us directly.
Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data. When you delete your ROME account, all associated data is permanently removed from our systems.
Right to Restrict Processing
You can limit how we process your data while we address any concerns or disputes you may have about our data handling.
Right to Data Portability
You can export your data in a machine-readable format to transfer to another service. Your encrypted messages remain accessible only to you.
Right to Object
You can object to certain types of data processing, including automated decision-making and profiling (which we don't engage in due to our privacy-first approach).
Legal Basis for Processing
We process personal data under the following GDPR legal bases:
- Contract Performance: To provide our messaging and communication services
- Legitimate Interest: To improve our service and ensure security
- Consent: For marketing communications and optional features
- Legal Obligation: To comply with applicable laws and regulations
Data Protection Measures
We implement technical and organizational measures to protect your data:
Technical Measures
- End-to-end encryption
- Zero-knowledge architecture
- Secure key management
- Regular security audits
- Data minimization
Organizational Measures
- Privacy by design principles
- Staff training and access controls
- Data protection impact assessments
- Incident response procedures
- Vendor security requirements
International Transfers
When we transfer data outside the European Economic Area (EEA), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Additional safeguards for encrypted data
- Regular monitoring of transfer mechanisms
Data Retention
We retain personal data only as long as necessary:
- Account Data: Until account deletion
- Support Records: 3 years after resolution
- Security Logs: 1 year for fraud prevention
- Marketing Data: Until consent withdrawal
Complaints and Supervisory Authority
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:
- Your local data protection authority
- The Irish Data Protection Commission (our lead supervisory authority)
- Our Data Protection Officer at gdpr@rome.app