GDPR Statement
Our commitment to the EU General Data Protection Regulation.
Effective April 27, 2026
Overview
Backup Engine Inc. is a Canadian corporation headquartered in British Columbia. We design the Service to be compliant with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR. Customers in the EU/EEA and the UK can use the Service with confidence that their data is processed according to those rules.
1. Our role: controller vs processor
GDPR distinguishes between the "controller" (who decides why and how personal data is processed) and the "processor" (who processes data on behalf of the controller).
- For your backup content — you are the controller, we are the processor. You decide what to back up and what retention policy to apply; we provide the storage and execution. Because you encrypt content client-side, we cannot read it.
- For your account data (email, billing, device metadata) — we are the controller. We collect this directly from you to provide the Service.
- For team-member accounts in a business plan — the account owner is the controller of team-member personal data; we are the processor.
2. Lawful basis (Art. 6)
- Contract (Art. 6(1)(b)) — processing necessary to deliver the Service to you.
- Legitimate interest (Art. 6(1)(f)) — abuse detection, infrastructure security, internal analytics. We balance this against your fundamental rights and document the test on request.
- Legal obligation (Art. 6(1)(c)) — tax records, lawful disclosure orders, breach notifications.
- Consent (Art. 6(1)(a)) — only for non-essential processing that requires it. We do not rely on consent today; if we add such processing in the future, we will surface a clear opt-in.
We process special categories of personal data (Art. 9) only if you choose to back up files containing such data. We treat the encrypted chunks the same regardless of content; you remain responsible for what you choose to back up.
3. Subprocessors
We engage the following subprocessors to deliver the Service. Each is bound by a written agreement that imposes equivalent data-protection obligations to those in our agreement with you, including the EU Commission's Standard Contractual Clauses (SCCs) where personal data is transferred outside the EEA.
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Auth, database, Edge Functions | Canada | EU–Canada adequacy |
| iDrive e2 | Encrypted backup chunk storage | US / Canada / EU (per region) | SCCs / adequacy |
| Stripe | Desktop & server billing | United States | SCCs |
| Resend | Transactional email | United States | SCCs |
| Cloudflare | Installer distribution, CDN | United States (global edge) | SCCs |
| | OAuth (only if user opts in) | United States | SCCs |
| Microsoft | OAuth (only if user opts in) | United States / EU | SCCs / adequacy |
| Anthropic | Restore Assistant (opt-in feature) | United States | SCCs |
We notify customers of new subprocessors at least 30 days before they start processing, by email and by updating this page. You may object to a new subprocessor in good faith by emailing us; if we cannot offer a reasonable alternative, you may terminate the affected subscription with a pro-rata refund.
4. International transfers
Backup content is stored only in the region you select at signup (US, Canada, or EU) and does not leave that region. Account metadata is stored in Canada and benefits from the EU–Canada adequacy decision (Commission Decision 2002/2/EC).
Where personal data is transferred to a US-based subprocessor (Stripe, Resend, Cloudflare, Anthropic), we rely on the EU Commission's Standard Contractual Clauses (Decision (EU) 2021/914) supplemented by appropriate technical and organisational measures (encryption in transit, access controls, audit logs).
5. Data subject rights
GDPR gives EU/EEA residents the following rights, which we honour for everyone regardless of jurisdiction:
- Access (Art. 15) — receive a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your account and associated data.
- Restriction (Art. 18) — pause certain processing.
- Portability (Art. 20) — receive your data in a machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Decisions based solely on automated processing (Art. 22) — we do not perform such decisions today.
To exercise any of these rights, email support@backupengine.com (subject line: "DSAR"). We respond within 30 days. We may require identity verification before disclosing or deleting personal data.
For account data we control directly, you can also self-serve most of these rights from the customer portal: edit your profile, download your data, or delete your account.
6. Data Protection Officer
We have not yet designated a formal Data Protection Officer (DPO). Privacy and DPO matters are routed to support@backupengine.com. We will publish a named DPO when one is appointed.
7. EU representative
As a Canadian company offering services to EU/EEA residents, we may be required to designate an EU representative under GDPR Art. 27 once our processing of EU personal data becomes systematic and regular. We will publish the representative's contact details here once one is appointed. In the meantime, EU/EEA residents may contact us at support@backupengine.com for any GDPR-related matter.
8. Data Processing Agreement (DPA)
A Data Processing Agreement (DPA), incorporating the EU Commission's Standard Contractual Clauses, is available on request. Email support@backupengine.com with subject "DPA request" and we will counter-sign within 5 business days.
9. Breach notification
If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware (Art. 33).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk (Art. 34).
- Document the breach and remediation steps in our internal incident log.
Because backup content is encrypted client-side and we do not hold the decryption key, a compromise of our infrastructure does not expose backup content. We would still notify customers if we identified such a compromise, even where notification is not legally required.
10. Right to lodge a complaint
If you believe our processing of your personal data violates GDPR, you may lodge a complaint with your national supervisory authority. A directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
Canadian residents may also contact the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
11. Related documents
Note
Questions? support@backupengine.com
Backup Engine Inc., a British Columbia, Canada corporation.