GDPR Compliance

Last updated: February 1, 2026

Our Commitment to GDPR

CommBridge Ltd is fully committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). We recognise the importance of data protection and privacy as fundamental rights. This page outlines how we meet our obligations under the GDPR, the legal bases for processing your personal data, and the rights available to you as a data subject. Whether you are based in the European Economic Area (EEA) or elsewhere, we apply GDPR-level protections to all users of the CommBridge platform.

Legal Basis for Processing

We process your personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on include:

  • 1.Consent — Where you have given clear and affirmative consent for us to process your personal data for specific purposes, such as receiving marketing communications or enabling optional analytics cookies. You may withdraw your consent at any time.
  • 2.Contract Performance — Processing that is necessary for the performance of a contract to which you are a party, such as creating your account, facilitating transactions, and providing escrow services.
  • 3.Legal Obligation — Processing required to comply with our legal obligations, including Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements, tax reporting, and regulatory record-keeping.
  • 4.Legitimate Interests — Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms. Examples include fraud prevention, platform security improvements, and internal analytics.

Your Rights Under GDPR

As a data subject under the GDPR, you are entitled to the following rights:

Right to Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed.

Right to Rectification (Article 16)

You have the right to request that we correct any inaccurate personal data or complete any incomplete data we hold about you.

Right to Erasure (Article 17)

Also known as the “right to be forgotten”, you may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent. This right is subject to legal retention obligations (e.g., KYC/AML records).

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or object to processing based on legitimate interests.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

Right to Object (Article 21)

You have the right to object to the processing of your personal data where it is based on legitimate interests or used for direct marketing purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where automated decision-making is used, you have the right to obtain human intervention, express your point of view, and contest the decision.

Data Protection Officer

CommBridge has appointed a Data Protection Officer (DPO) to oversee our compliance with the GDPR and to serve as the point of contact for data subjects and supervisory authorities.

Data Protection Officer

Email: dpo@commbridge.com

How to Exercise Your Rights

To exercise any of your rights under the GDPR, please follow this process:

  1. 1Send an email to dpo@commbridge.com with the subject line “GDPR Rights Request”.
  2. 2Clearly describe which right you wish to exercise and provide sufficient information for us to verify your identity (e.g., your registered email address and account details).
  3. 3We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt. In exceptional cases, this period may be extended by up to 60 additional days, in which case we will notify you of the extension and the reasons for the delay.

All requests are handled free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, as permitted under Article 12(5) of the GDPR.

Cross-Border Data Transfers

CommBridge processes data in both the European Union and the United States. When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) — We use the European Commission's approved Standard Contractual Clauses with all third-party processors located outside the EEA to ensure an adequate level of data protection.
  • Data Processing in EU and US — Our primary data infrastructure is hosted within the EU. Certain processing activities may occur in the United States through vetted sub-processors who are bound by SCCs and supplementary security measures.

Data Breach Notification

In the event of a personal data breach, CommBridge will:

  • Notify the supervisory authority — Report the breach to the relevant data protection authority within 72 hours of becoming aware of it, as required under Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • Notify affected users — Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required under Article 34 of the GDPR, providing details of the breach, the likely consequences, and the measures taken to address it.

Children's Data

The CommBridge platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data. If you believe that a child has provided us with personal data, please contact our DPO at dpo@commbridge.com.

Contact Us

For any GDPR-related questions, concerns, or requests, please contact our Data Protection Officer:

Data Protection Officer — CommBridge Ltd

Email: dpo@commbridge.com

You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Privacy Policy|Terms of Service|Cookie Policy