4. Categories of Personal Data

 

• Platform identifiers: workspace ID, user ID, username, display name, email (if scope granted)
• Engagement data: points balances, recognitions, reward redemptions, timestamps.
• Support data: names, emails, ticket content, attachments.
• Technical data: IP address, device/browser metadata (web views only).
• No general Slack message history, files, or passwords are ever ingested.

5. Data Retention & Deletion

 

• Workspace data is retained for the life of the subscription + 90 days.
• Support tickets: 2 years after closure.
• Accounting records: 7 years (statutory).
• Deletion workflow: uninstall or verified request ➜ data queued within 24 h ➜ erased from production within 30 days ➜ purged from encrypted backups within 90 days.

6. International Transfers (GDPR Ch. V)

When EU/UK personal data is stored in Canada, we rely on Standard Contractual Clauses (SCCs) plus technical measures (encryption, logical segregation). EU replicas ensure data residency options for customers that require it.

7. Technical & Organisational Measures (Art. 32)

 

• TLS 1.2+ encryption in transit; AES‑256 at rest via Azure Key Vault.
• Least‑privilege IAM, MFA‑protected admin access, audited command logging.
• Quarterly vulnerability scans, annual penetration testing, 24 × 7 security monitoring.
• We do not use data sub-processors.

8. Data Subject Rights (Arts. 12‑23)

EU/UK data subjects have rights to access, rectify, erase, restrict, object, and port their data, plus the right to withdraw consent where applicable. Requests can be made by: 

• Emailing privacy@celebrio.team
• We respond within 30 days and redirect platform‑controlled requests to the relevant customer admin when appropriate

9. Data Protection Impact Assessments (DPIA) & Records

We maintain Article 30 Records of Processing Activities and conduct DPIAs for major feature changes, new sub‑processors, or high‑risk data uses (e.g., biometric rewards).

10. Incident Response & Breach Notification

Data‑breach notifications (Art. 33/34) are sent to affected customers and supervisory authorities within 72 hours of confirmation.

11. Data Protection Officer & EU Representative

 

• DPO: Jeff Campbell, CEO – privacy@celebrio.team
• EU Representative (Art. 27): GDPR Local Ltd., Josefstrasse 92, 8005 Zürich, Switzerland – contact@gdprlocal.com

12. Updates

We review this statement annually or when regulatory/operational changes occur. Material updates are announced via email to customer admins and posted at celebrio.team/gdpr at least 15 days before taking effect.

For questions about GDPR compliance or to exercise your rights, contact privacy@celebrio.team.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]

3. Lawful Bases for Processing (GDPR Art. 6)

 

• Contract performance – we process workspace or learner data to deliver core features (award points, post recognitions, redeem rewards).
• Legitimate interests – security monitoring, service improvement, and minimal analytics.
• Legal obligation – retention of accounting records and fraud‑prevention logs.
• Consent – optional marketing cookies on public websites; shipping addresses when users choose physical rewards.

4. Categories of Personal Data

 

• Platform identifiers: workspace ID, user ID, username, display name, email (if scope granted)
• Engagement data: points balances, recognitions, reward redemptions, timestamps.
• Support data: names, emails, ticket content, attachments.
• Technical data: IP address, device/browser metadata (web views only).
• No general Slack message history, files, or passwords are ever ingested.

5. Data Retention & Deletion

 

• Workspace data is retained for the life of the subscription + 90 days.
• Support tickets: 2 years after closure.
• Accounting records: 7 years (statutory).
• Deletion workflow: uninstall or verified request ➜ data queued within 24 h ➜ erased from production within 30 days ➜ purged from encrypted backups within 90 days.

6. International Transfers (GDPR Ch. V)

When EU/UK personal data is stored in Canada, we rely on Standard Contractual Clauses (SCCs) plus technical measures (encryption, logical segregation). EU replicas ensure data residency options for customers that require it.

7. Technical & Organisational Measures (Art. 32)

 

• TLS 1.2+ encryption in transit; AES‑256 at rest via Azure Key Vault.
• Least‑privilege IAM, MFA‑protected admin access, audited command logging.
• Quarterly vulnerability scans, annual penetration testing, 24 × 7 security monitoring.
• We do not use data sub-processors.

8. Data Subject Rights (Arts. 12‑23)

EU/UK data subjects have rights to access, rectify, erase, restrict, object, and port their data, plus the right to withdraw consent where applicable. Requests can be made by: 

• Emailing privacy@celebrio.team
• We respond within 30 days and redirect platform‑controlled requests to the relevant customer admin when appropriate

9. Data Protection Impact Assessments (DPIA) & Records

We maintain Article 30 Records of Processing Activities and conduct DPIAs for major feature changes, new sub‑processors, or high‑risk data uses (e.g., biometric rewards).

10. Incident Response & Breach Notification

Data‑breach notifications (Art. 33/34) are sent to affected customers and supervisory authorities within 72 hours of confirmation.

11. Data Protection Officer & EU Representative

 

• DPO: Jeff Campbell, CEO – privacy@celebrio.team
• EU Representative (Art. 27): GDPR Local Ltd., Josefstrasse 92, 8005 Zürich, Switzerland – contact@gdprlocal.com

12. Updates

We review this statement annually or when regulatory/operational changes occur. Material updates are announced via email to customer admins and posted at celebrio.team/gdpr at least 15 days before taking effect.

For questions about GDPR compliance or to exercise your rights, contact privacy@celebrio.team.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]

2. Services and Data Flows

 

• Incentli: Web dashboard, REST API, and optional LMS plugins (e.g., Moodle, Totara) for customer/partner engagement
• Celebrio: Slack Marketplace application that posts recognitions, tracks points, and fulfils rewards inside Slack.
• Both services run on Microsoft Azure in Canada (primary) with encrypted replicas in the Netherlands (EU).

3. Lawful Bases for Processing (GDPR Art. 6)

 

• Contract performance – we process workspace or learner data to deliver core features (award points, post recognitions, redeem rewards).
• Legitimate interests – security monitoring, service improvement, and minimal analytics.
• Legal obligation – retention of accounting records and fraud‑prevention logs.
• Consent – optional marketing cookies on public websites; shipping addresses when users choose physical rewards.

4. Categories of Personal Data

 

• Platform identifiers: workspace ID, user ID, username, display name, email (if scope granted)
• Engagement data: points balances, recognitions, reward redemptions, timestamps.
• Support data: names, emails, ticket content, attachments.
• Technical data: IP address, device/browser metadata (web views only).
• No general Slack message history, files, or passwords are ever ingested.

5. Data Retention & Deletion

 

• Workspace data is retained for the life of the subscription + 90 days.
• Support tickets: 2 years after closure.
• Accounting records: 7 years (statutory).
• Deletion workflow: uninstall or verified request ➜ data queued within 24 h ➜ erased from production within 30 days ➜ purged from encrypted backups within 90 days.

6. International Transfers (GDPR Ch. V)

When EU/UK personal data is stored in Canada, we rely on Standard Contractual Clauses (SCCs) plus technical measures (encryption, logical segregation). EU replicas ensure data residency options for customers that require it.

7. Technical & Organisational Measures (Art. 32)

 

• TLS 1.2+ encryption in transit; AES‑256 at rest via Azure Key Vault.
• Least‑privilege IAM, MFA‑protected admin access, audited command logging.
• Quarterly vulnerability scans, annual penetration testing, 24 × 7 security monitoring.
• We do not use data sub-processors.

8. Data Subject Rights (Arts. 12‑23)

EU/UK data subjects have rights to access, rectify, erase, restrict, object, and port their data, plus the right to withdraw consent where applicable. Requests can be made by: 

• Emailing privacy@celebrio.team
• We respond within 30 days and redirect platform‑controlled requests to the relevant customer admin when appropriate

9. Data Protection Impact Assessments (DPIA) & Records

We maintain Article 30 Records of Processing Activities and conduct DPIAs for major feature changes, new sub‑processors, or high‑risk data uses (e.g., biometric rewards).

10. Incident Response & Breach Notification

Data‑breach notifications (Art. 33/34) are sent to affected customers and supervisory authorities within 72 hours of confirmation.

11. Data Protection Officer & EU Representative

 

• DPO: Jeff Campbell, CEO – privacy@celebrio.team
• EU Representative (Art. 27): GDPR Local Ltd., Josefstrasse 92, 8005 Zürich, Switzerland – contact@gdprlocal.com

12. Updates

We review this statement annually or when regulatory/operational changes occur. Material updates are announced via email to customer admins and posted at celebrio.team/gdpr at least 15 days before taking effect.

For questions about GDPR compliance or to exercise your rights, contact privacy@celebrio.team.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]

2. Services and Data Flows

 

• Incentli: Web dashboard, REST API, and optional LMS plugins (e.g., Moodle, Totara) for customer/partner engagement
• Celebrio: Slack Marketplace application that posts recognitions, tracks points, and fulfils rewards inside Slack.
• Both services run on Microsoft Azure in Canada (primary) with encrypted replicas in the Netherlands (EU).

3. Lawful Bases for Processing (GDPR Art. 6)

 

• Contract performance – we process workspace or learner data to deliver core features (award points, post recognitions, redeem rewards).
• Legitimate interests – security monitoring, service improvement, and minimal analytics.
• Legal obligation – retention of accounting records and fraud‑prevention logs.
• Consent – optional marketing cookies on public websites; shipping addresses when users choose physical rewards.

4. Categories of Personal Data

 

• Platform identifiers: workspace ID, user ID, username, display name, email (if scope granted)
• Engagement data: points balances, recognitions, reward redemptions, timestamps.
• Support data: names, emails, ticket content, attachments.
• Technical data: IP address, device/browser metadata (web views only).
• No general Slack message history, files, or passwords are ever ingested.

5. Data Retention & Deletion

 

• Workspace data is retained for the life of the subscription + 90 days.
• Support tickets: 2 years after closure.
• Accounting records: 7 years (statutory).
• Deletion workflow: uninstall or verified request ➜ data queued within 24 h ➜ erased from production within 30 days ➜ purged from encrypted backups within 90 days.

6. International Transfers (GDPR Ch. V)

When EU/UK personal data is stored in Canada, we rely on Standard Contractual Clauses (SCCs) plus technical measures (encryption, logical segregation). EU replicas ensure data residency options for customers that require it.

7. Technical & Organisational Measures (Art. 32)

 

• TLS 1.2+ encryption in transit; AES‑256 at rest via Azure Key Vault.
• Least‑privilege IAM, MFA‑protected admin access, audited command logging.
• Quarterly vulnerability scans, annual penetration testing, 24 × 7 security monitoring.
• We do not use data sub-processors.

8. Data Subject Rights (Arts. 12‑23)

EU/UK data subjects have rights to access, rectify, erase, restrict, object, and port their data, plus the right to withdraw consent where applicable. Requests can be made by: 

• Emailing privacy@celebrio.team
• We respond within 30 days and redirect platform‑controlled requests to the relevant customer admin when appropriate

9. Data Protection Impact Assessments (DPIA) & Records

We maintain Article 30 Records of Processing Activities and conduct DPIAs for major feature changes, new sub‑processors, or high‑risk data uses (e.g., biometric rewards).

10. Incident Response & Breach Notification

Data‑breach notifications (Art. 33/34) are sent to affected customers and supervisory authorities within 72 hours of confirmation.

11. Data Protection Officer & EU Representative

 

• DPO: Jeff Campbell, CEO – privacy@celebrio.team
• EU Representative (Art. 27): GDPR Local Ltd., Josefstrasse 92, 8005 Zürich, Switzerland – contact@gdprlocal.com

12. Updates

We review this statement annually or when regulatory/operational changes occur. Material updates are announced via email to customer admins and posted at celebrio.team/gdpr at least 15 days before taking effect.

For questions about GDPR compliance or to exercise your rights, contact privacy@celebrio.team.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]