Who this applies to

This page covers rights granted by three privacy regimes:

• GDPR (EU General Data Protection Regulation, Regulation 2016/679), for residents and visitors located in the European Union and EEA.
• UK GDPR + Data Protection Act 2018: for residents and visitors located in the United Kingdom.
• CCPA / CPRA (California Consumer Privacy Act + California Privacy Rights Act), for California residents.

These overlap heavily with the general rights granted in our Privacy Policy. This page spells out the statutory specifics.

Your GDPR (and UK GDPR) rights

• Right of access (Art. 15). Receive a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Art. 16). Correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) (Art. 17). Have personal data deleted in eligible circumstances.
• Right to restrict processing (Art. 18). Pause our use of your data while a dispute is resolved.
• Right to data portability (Art. 20). Receive your data in a structured, machine-readable format (we provide JSON and CSV on request).
• Right to object (Art. 21). Object to processing based on legitimate interest, including direct marketing.
• Rights related to automated decision-making (Art. 22). We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects.
• Right to withdraw consent. Where processing relies on consent (e.g. SMS marketing), you can withdraw at any time.

Your CCPA / CPRA rights (California)

• Right to know. Categories of personal information collected, sources, purposes, and recipients.
• Right to delete. Request deletion of personal information we hold about you.
• Right to correct. Correct inaccurate personal information.
• Right to opt out of sale or sharing. WeActive8 does not sell or share personal information as defined by the CCPA / CPRA. There is nothing for you to opt out of, but the right is preserved.
• Right to limit use of sensitive personal information. We do not use sensitive PI for any purpose other than providing the service you requested.
• Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of service because you exercised a right.

How to exercise these rights

Two channels, both go to the same inbox:

• Structured form: submit a privacy request below. Goes straight to our compliance inbox with the request type and your context pre-tagged.
• Email: hello@weactive8.comfrom the address on file (or, if that's not possible, include enough context that we can verify you).

We acknowledge within 10 business days. We respond within 30 days (GDPR / UK GDPR) or 45 days (CCPA). Complex or numerous requests can be extended to a total of 90 days under either statute, with written notice of the extension during the first response window.

Requests are free of charge. We may charge a reasonable administrative fee, or decline to act, only where a request is manifestly unfounded, excessive, or repetitive. This carve-out is the one permitted by GDPR Art. 12(5) and CCPA 1798.130(a)(2). California residents are entitled to at least two free responses in any 12-month period.

You may authorize an agent to act on your behalf. We will ask for signed written authorization plus identity verification of the underlying data subject.

Legal basis for processing (GDPR Art. 6)

• Contract (6(1)(b)). Delivering the audit, project, retainer, or product subscription you bought.
• Consent (6(1)(a)). SMS marketing, optional newsletter, optional analytics cookies.
• Legitimate interest (6(1)(f)). Detecting abuse, securing infrastructure, basic non-tracking analytics, responding to inbound inquiries before a contract exists.
• Legal obligation (6(1)(c)). Tax records, accounting, lawful subpoena response.

Retention periods (recap)

• Billing & engagement records — 7 years (tax obligation).
• SMS opt-in/out consent, indefinite (TCPA defense).
• Active CRM contact records, duration of business relationship + 2 years, then archived.
• Web analytics: 14 months (GA4 default).
• Server access logs: 90 days.
• Backup data, overwritten on the rolling 90-day window unless legal hold.

International transfers

Our primary processing happens in Germany (Hetzner). Data may transfer to the United States via vendors (Stripe, Cloudflare, Telnyx, Resend, Google). We rely on the EU Commission's Standard Contractual Clauses(2021 modules) for any EU/UK→US transfer where the recipient is not certified under an adequacy framework.

Lodging a complaint

If you believe we have mishandled your data, please email us first, we can usually resolve issues directly. You also have the right to lodge a complaint with your local supervisory authority:

• EU residents: the data protection authority in your country of residence. List at edpb.europa.eu.
• UK residents:Information Commissioner's Office at ico.org.uk.
• California residents: California Privacy Protection Agency at cppa.ca.gov.

Data controller: WeActive8 LLC, 30 N Gould St, Sheridan, WY 82801, USA. hello@weactive8.com.