GDPR & UK GDPR Statement
Last updated: 24 April 2026
FreshGeo is built for companies that take data protection seriously. This page is a short, plain-English summary of how we comply with UK GDPR and EU GDPR. For the formal detail, see our Privacy Policy and Data Processing Addendum.
Contact: privacy@freshgeo.com.
Our role
Under GDPR we wear two hats:
- Controller — for data about you (our customer): your account, billing, marketing, usage telemetry, and the public-web data in our core dataset.
- Processor — for data you submit through our API for lookup, enrichment or matching. You’re the controller. We process it on your instructions under our DPA.
Data subject rights
If you or one of your end users asks us to exercise a right — access, rectification, erasure, restriction, objection or portability — we action it within 30 days. If the request comes through a customer who is the controller, we hand it back to them promptly to fulfil.
Email privacy@freshgeo.com with the subject line “Data subject request”.
Where your data lives
- Primary region: London, United Kingdom (AWS eu-west-2).
- Read replicas: Frankfurt, Germany (eu-central-1) and Virginia, USA (us-east-1) for resilience and latency.
- Backups: encrypted, London region.
Transfers outside the UK/EEA are protected by the UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses (2021), plus encryption in transit and at rest and strict access controls.
Sub-processors
We use a small list of sub-processors. The current list is always at freshgeo.com/subprocessors. At the time of writing:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting, storage | UK, DE, US |
| Stripe | Payment processing | US, IE |
| Postmark | Transactional email | US |
| Sentry | Error monitoring | US (EU region on request) |
We notify customers 30 days in advance of adding or changing a sub-processor. Enterprise customers can object and, if we can’t find an alternative, terminate the affected service.
Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Least-privilege, SSO-backed internal access.
- Annual third-party penetration test.
- Quarterly access reviews.
- SOC 2 Type II audit in progress — report available under NDA on request.
- ISO 27001 alignment underway for 2026.
Breach notification
If we experience a personal data breach that affects your data, we notify you within 72 hours of becoming aware, with what we know, what we’re doing and what you may need to do. We also notify the ICO where required.
DPO and governance
We have a designated Data Protection Officer. Reach them at dpo@freshgeo.com. For requests from EU supervisory authorities, our EU representative's details are in our DPA.
DPIA support
Enterprise customers can request our standard DPIA template and a completed processor-side DPIA covering FreshGeo. Email privacy@freshgeo.com.
Questions
privacy@freshgeo.com — we’re happy to walk procurement and DPO teams through our setup.