GDPR Commitment

Last updated: May 2025

Reachmcp is committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679 of 27 April 2016) and the French Data Protection Act (Loi Informatique et Libertés). This page describes our responsibilities as a data processor and the rights you hold as a data subject.

1. Roles and responsibilities

Within the meaning of GDPR, Reachmcp acts solely as a data processoron behalf of its customers (the “Organisation”). The Organisation remains the data controller and determines the purposes and means of processing personal data via the Platform.

Reachmcp processes personal data only on documented instructions from the Organisation, including with regard to transfers to third countries or international organisations, unless required to do otherwise by EU or national law. In that case, Reachmcp will inform the Organisation before processing, unless prohibited by law.

2. Data processing agreement (DPA)

By accepting these Terms of Service, Organisations enter into a Data Processing Agreement with MCP Reach in accordance with Article 28 of the GDPR. The key terms are:

  • Reachmcp processes personal data only as instructed by the Organisation and for no other purpose.
  • Reachmcp ensures that personnel authorised to process personal data are bound by confidentiality obligations.
  • Reachmcp implements appropriate technical and organisational security measures (see Section 4 below).
  • Reachmcp will not engage a new sub-processor without prior written authorisation from the Organisation.
  • Reachmcp assists the Organisation in fulfilling its obligations regarding data subject rights, security, breach notification, DPIAs, and prior consultation with supervisory authorities.
  • Upon termination of services, Reachmcp will delete or return all personal data as instructed by the Organisation.

3. Sub-processors

Reachmcp uses the following categories of sub-processors, all of whom provide GDPR-compliant data processing guarantees:

  • Cloud infrastructure — Google Cloud Platform (EU region) for hosting and storage.
  • Payment processing — Stripe for billing and financial transactions.
  • Email delivery — for transactional communications.
  • Customer support — for support ticket management.
  • Analytics — for aggregated, anonymised usage analytics.

4. Security measures

Reachmcp implements the following technical and organisational measures to protect personal data:

  • Encryption of data in transit (TLS) and at rest.
  • Role-based access controls limiting data access to authorised personnel only.
  • Pseudonymisation and anonymisation where appropriate.
  • Regular security reviews and penetration testing.
  • Incident response procedures ensuring breach notification within 72 hours to the CNIL.
  • Business continuity and disaster recovery measures.

5. Data transfers outside the EU

All personal data is stored and processed within the European Union. In the event that a transfer to a third country becomes necessary, Reachmcp will ensure that appropriate safeguards are in place (e.g., Standard Contractual Clauses approved by the European Commission) before any such transfer takes place.

6. Data retention

Personal data is retained for as long as necessary to deliver the service and for seven (7) days following the termination of the service agreement, unless a longer retention period is required by applicable law.

7. Your rights as a data subject

If you are an individual whose data is processed through the Platform, you may exercise the following rights by contacting the Organisation (data controller) directly, or Reachmcp at support@reachmcp.com:

  • Right of access (Art. 15) — obtain a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data.
  • Right to restriction (Art. 18) — temporarily halt processing.
  • Right to data portability (Art. 20) — receive your data in a structured format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.

You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.

8. Data Protection Officer

For any question relating to the processing of your personal data or the exercise of your rights, contact our data protection contact at: support@reachmcp.com.