GDPR Compliance

1. Data Controller

For personal data collected through the fleekerp.com website, OnFleek Media and Technologies Pvt Ltd acts as the data controller, we determine the purposes and means of processing.

For personal data processed within the Fleek ERP product on behalf of our customers, OnFleek Media and Technologies Pvt Ltd acts as the data processorand each customer is the data controller. This relationship is governed by our Data Processing Agreement (DPA).

Data Controller:

2. Personal Data We Collect (Website)

On this website, we collect personal data only when you voluntarily submit a contact or demo request form. The categories of personal data collected are:

We do not collect or process any special categories of personal data (GDPR Article 9), such as health, biometric, racial, or political data, through this website.

3. Lawful Basis for Processing

Under GDPR Article 6, we rely on the following lawful bases:

• Article 6(1)(a), Consent: When you submit a form on this website, you are actively providing your information and consenting to us using it to respond to your request. You may withdraw consent at any time by contacting us.
• Article 6(1)(b), Contract: Where your enquiry leads to a service agreement with OnFleek Media and Technologies Pvt Ltd, processing becomes necessary for the performance of that contract.
• Article 6(1)(f), Legitimate interests: We process server log data (IP addresses, access logs) for the legitimate interest of website security and preventing abuse. We have conducted a Legitimate Interests Assessment (LIA) and concluded this interest is not overridden by individual rights.

4. Your Rights Under GDPR

As a data subject under GDPR, EU residents have the following rights. To exercise any of them, email info@fleekerp.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you).

• Right of access (Article 15), request a copy of the personal data we hold about you, along with information about how it is processed.
• Right to rectification (Article 16), request that we correct inaccurate or complete incomplete personal data.
• Right to erasure / ‘right to be forgotten’ (Article 17), request deletion of your personal data where there is no overriding legitimate reason to continue processing it.
• Right to restriction of processing (Article 18), ask us to suspend processing of your data in certain circumstances (e.g., while accuracy is contested).
• Right to data portability (Article 20), receive your personal data in a structured, commonly used, machine-readable format, and have the right to transmit it to another controller.
• Right to object (Article 21), object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Rights related to automated decision-making (Article 22), we do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
• Right to withdraw consent (Article 7(3)), where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. Data Retention

We retain personal data only for as long as necessary for the purposes described in this document, and in compliance with applicable law.

Upon expiry of the retention period, data is permanently deleted or anonymised.

6. International Data Transfers

OnFleek Media and Technologies Pvt Ltd is based in India. When EU residents submit data through this website, it is transferred to and processed in India. The EU has not yet issued an adequacy decision for India under GDPR.

To ensure adequate safeguards for international transfers, we rely on:

• Standard Contractual Clauses (SCCs), the EU Commission's approved standard clauses (2021/914/EU) are incorporated into our Data Processing Agreement and sub-processor agreements where applicable.
• Supplementary measures, including data encryption in transit and at rest, and access controls ensuring that transferred data is protected to GDPR standards.

Our email delivery sub-processor (Resend) operates in the United States. Resend processes only the recipient's email address and the content of transactional confirmation emails. This transfer is governed by SCCs.

7. Data Processing Agreement (DPA)

For Fleek ERP customers who process personal data of their own employees or end-users through the platform, OnFleek Media and Technologies Pvt Ltd acts as a data processor under GDPR Article 28.

A full Data Processing Agreement (DPA) is available to all customers upon request. The DPA covers:

• Subject matter, duration, nature, and purpose of processing.
• Types of personal data and categories of data subjects.
• Obligations and rights of the data controller (the customer).
• Sub-processing conditions and sub-processor list.
• Data security measures (technical and organisational).
• Data subject rights assistance obligations.
• Data breach notification procedures.
• Deletion or return of data upon termination.

To request a DPA, email info@fleekerp.com with the subject line “DPA Request”.

8. Sub-Processors

As a data processor for our customers, we engage the following sub-processors who may have access to or process customer data:

We will notify customers of any intended changes to sub-processors (additions or replacements) in advance, providing the opportunity to object.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of EU individuals, we will:

• Notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach (Article 33).
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
• Notify affected customers (as data controllers) without undue delay so they can fulfil their own notification obligations.

Our breach notification process is documented in our Incident Response Plan, which is tested periodically.

10. Cookies and Tracking (GDPR)

We use only essential cookies that are strictly necessary for website operation. We do not use advertising cookies, behavioural tracking, or third-party analytics. No consent banner is currently required for our website as we do not set non-essential cookies.

For full details, see our Cookie Policy.

11. Supervisory Authority

EU residents have the right to lodge a complaint with their national data protection supervisory authority if they believe their personal data has been processed in a manner that does not comply with GDPR. Contact details for EU supervisory authorities are available at edpb.europa.eu/about-edpb/about-edpb/members_en.

We encourage you to contact us first at info@fleekerp.com so we have the opportunity to resolve your concern directly.

12. Contact and Data Protection Enquiries

For any GDPR-related enquiry, to exercise your rights, or to request our DPA:

Please mark your email subject as GDPR Request or Data Protection Enquiry for prompt routing.