Aller au contenu
EdgeServers
Tous les documents légaux

GDPR Compliance

How EdgeServers handles personal data of users in the EU and UK under GDPR and UK GDPR.

Dernière mise à jour: 10 mai 2026

This GDPR notice explains how RemotIQ Pty Ltd handles personal data when the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR) apply. It complements our Privacy Policy. To the extent of any inconsistency between this notice and our Privacy Policy on a topic governed specifically by GDPR or UK GDPR, this notice prevails for individuals in scope.

Who this applies to

GDPR applies to processing of personal data of individuals in the European Economic Area (EEA). UK GDPR applies to processing of personal data of individuals in the United Kingdom. We act in accordance with both where they are engaged. References to GDPR in this notice should be read as referring to UK GDPR for individuals in the UK.

Our role: controller and processor

We have two distinct roles depending on the activity.

As controller, we determine the purposes and means of processing for our own website visitors, prospects, customers, suppliers, applicants, and corporate contacts. Our Privacy Policy describes that processing in detail.

As processor, we process personal data on behalf of our customers when delivering services — for example, when we operate or maintain a system that contains the customer's end-user data. In that case, the customer is the controller and our processing is governed by their documented instructions and the Data Processing Agreement (DPA) executed between us.

Categories of personal data we process

When acting as controller, we typically process: identification and contact data (name, email, phone, role, employer); commercial data (proposals, invoices, payment metadata); technical data (IP address, device identifiers, browser fingerprint where strictly necessary, log entries from interactions with our services); applicant data (name, contact details, CV, and any further information you choose to provide).

When acting as processor, the categories of personal data are determined by our customer and described in their DPA and instructions; we do not collect any additional personal data on our own initiative.

Lawful bases (when we are controller)

We rely on the following lawful bases under Article 6 GDPR:

  • Performance of a contract — to deliver services, manage accounts, issue invoices, and respond to your requests.
  • Legitimate interests — to communicate with prospects who initiate contact, to maintain and improve our services, to keep our records, to manage security, and to administer our business in a proportionate way.
  • Consent — for non-essential cookies, marketing communications where required, and any processing where consent is the most appropriate basis; consent can be withdrawn at any time.
  • Legal obligation — to comply with applicable laws including tax, accounting, anti-money-laundering, and lawful requests from authorities.

We do not rely on automated decision-making producing legal or similarly significant effects under Article 22 GDPR.

Processing on behalf of customers (when we are processor)

When we act as processor, we comply with Article 28 GDPR. We process personal data only on documented instructions from the controller, including with regard to international transfers, unless required by law. We ensure that personnel with access are bound to confidentiality. We implement appropriate technical and organisational measures. We engage sub-processors only with the controller's authorisation and pass on equivalent data-protection obligations. We assist the controller, taking into account the nature of the processing and the information available, in fulfilling its obligations to respond to data-subject requests and to ensure security and breach notification. We delete or return personal data at the end of the engagement, save where retention is required by law.

Sub-processors

We engage carefully selected sub-processors to deliver our services — for example, infrastructure providers, email providers, and payment processors. We maintain a current list available to customers under DPA. We notify customers in advance of any new or replacement sub-processor and give the controller a right to object to the change. Where we engage a sub-processor, we ensure by written contract that they are subject to the same data-protection obligations as set out in our DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

International transfers

We are headquartered in Australia, which the European Commission has not designated as an adequate jurisdiction for personal data transfers under Article 45 GDPR. Where we transfer personal data from the EEA or the UK to Australia or to other third countries, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for EEA transfers, and the UK International Data Transfer Addendum issued by the Information Commissioner's Office for UK transfers. We complete transfer impact assessments and apply supplementary measures — including encryption in transit and at rest, access controls, and pseudonymisation where appropriate — to safeguard the data. A copy of the relevant transfer mechanism is available on request to privacy@edgeservers.com.au.

Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include: encryption of data in transit (TLS) and at rest where supported; access controls based on the principle of least privilege; multi-factor authentication for administrative accounts; secure software development practices; segregation between customer environments; vendor risk management; logging and monitoring; backups and tested restoration procedures; and incident-response procedures. We review our measures regularly and update them in light of risk and the state of the art.

Personal-data breach notification

When we act as controller, we notify the relevant supervisory authority of a personal-data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk, we notify affected individuals without undue delay.

When we act as processor, we notify the controller without undue delay after becoming aware of a personal-data breach affecting their data, providing the information needed for the controller to comply with its own notification obligations.

Your rights

Individuals in the EEA and UK have the following rights under GDPR and UK GDPR:

  • The right to be informed about how their personal data is processed
  • The right of access to confirm whether we hold personal data about them and to obtain a copy
  • The right to rectification of inaccurate or incomplete data
  • The right to erasure (the right to be forgotten) in defined circumstances
  • The right to restriction of processing while a dispute is investigated
  • The right to data portability for data they provided where processing is based on consent or contract and is automated
  • The right to object to processing based on legitimate interests, including profiling, and to direct marketing at any time
  • The right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects

How to exercise your rights

If we are the controller of your personal data, write to privacy@edgeservers.com.au. We respond within 30 days; if a request is complex or numerous we may extend by up to two further months and will inform you of the reason. We do not charge for responding except where requests are manifestly unfounded or excessive. We may need to verify your identity to protect your data.

If we hold your personal data only as a processor on behalf of a customer, we will route your request to that customer (the controller) without undue delay; you may also contact the customer directly.

Children

Our services are intended for organisations and the professionals working within them. We do not knowingly collect personal data from children under 16 (or the relevant age of digital consent under local law) without verifiable parental or guardian consent. If you believe we hold a child's personal data, contact privacy@edgeservers.com.au and we will delete it.

Retention

When we act as controller, we retain personal data only for as long as necessary for the purpose for which it was collected, including any legal, accounting, or reporting requirement. Typical retention periods are described in our Privacy Policy.

When we act as processor, we retain customer personal data for the duration of the engagement and delete or return it at the end of the engagement in accordance with the DPA, save where retention is required by law.

Data Processing Agreement (DPA)

Customers who require a Data Processing Agreement may obtain our standard DPA from privacy@edgeservers.com.au. The DPA incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable, addresses sub-processor governance, security measures, breach notification, and assistance with data-subject rights. We will sign the DPA before processing any personal data on a customer's behalf where GDPR or UK GDPR applies.

Supervisory authorities

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO) — ico.org.uk. A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu. We would, however, appreciate the chance to address your concerns directly first — please contact privacy@edgeservers.com.au.

EU and UK representatives

We are not currently established in the EU or the UK. Where Article 27 GDPR or UK GDPR requires us to designate a representative, we will appoint one and update this notice with their contact details. In the meantime, all enquiries should be directed to privacy@edgeservers.com.au.

Changes to this notice

We update this GDPR notice when our processing changes or when guidance from supervisory authorities or case law makes a clarification appropriate. The effective date at the top of this page indicates the current version. Material changes to processing of personal data will be communicated in advance to affected individuals and customers.

Contact

Privacy and GDPR enquiries: privacy@edgeservers.com.au

Postal: RemotIQ Pty Ltd, #203 Hampton Rd, Northampton WA 6535, Australia