Footprints for Retail SRL, trading as Footprints AI ("We," "Us," or "Our"), is a Romanian limited liability company headquartered in Bucharest, specializing in Software as a Service (SaaS) technology for retail media. Our platform empowers physical and digital retailers to monetize customer data through AI-driven solutions, including behavioral profiling, audience segmentation, omnichannel campaign management, real-time media-to-sales attribution, and predictive analytics (e.g., via Footprints AI Copilot). Deployed in clients’ private cloud environments, Our platform processes pseudonymized data to deliver targeted advertising while prioritizing privacy and compliance.
This Privacy Statement ("Statement") governs how We process Personal Data across all Our operations, including:
• Interactions with Our website (www.footprints-ai.com), such as contact forms, newsletters, and cookie-based analytics;
• Use of Our SaaS platform by Our employees, licensed retailers, and advertisers (agencies or brands);
• Sales and professional communications, including lead generation and personalized marketing;
• Recruitment processes for job applicants;
• Testing of tools like Retail Analytics for research and development; and
• Integrations with third-party applications (e.g., Google, Meta, POS systems) for campaign execution.
Privacy Statement
Introduction
Who this notice applies to
Website Privacy Notice – For visitors to our websites, event/webinar registrants, and marketing email subscribers.

Platform User Privacy Notice – For authenticated users of the Footprints AI platform (employees, retailer staff, advertiser/agency staff).

Processor Transparency Notice – For shopper and campaign data processed on behalf of our retailer clients.

This Statement applies to Personal Data where We act as a Data Controller (e.g., for user login credentials, recruitment data) and as a Data Processor (e.g., for pseudonymized shopper or campaign data controlled by Our clients). Data processing by Our clients as Data Controllers is governed by their respective privacy policies, not this Statement.
Retention Schedule Table

Third-Party Recipients
We share personal data with trusted service providers who process it on our behalf to deliver our services. These recipients fall into the following categories:
• Hosting and infrastructure – e.g., Microsoft Azure (West Europe) for platform hosting.
• Analytics and performance monitoring – e.g., Google Analytics, Footprints AI.
• Marketing and CRM tools – e.g., email marketing platforms, webinar platforms, Footprints AI.
• Security and compliance – e.g., Microsoft Azure.
• Professional advisors – e.g., legal, accounting, and business consultants.
All such vendors are bound by written contracts and process personal data only under our instructions.
Key Definitions
• Personal Data: Any information relating to an identified or identifiable natural person, as defined by Regulation (EU) 2016/679 (GDPR).
• Data Controller: The entity determining the purposes and means of processing Personal Data (e.g., Our clients for shopper/campaign data; We for limited internal data like user logins).
• Data Processor: The entity processing Personal Data on behalf of a Controller (e.g., Our role for client-directed campaign data).
• Pseudonymized Data: Personal Data processed so it cannot be attributed to an individual without additional, separately stored information.
• Retail Analytics: Our tool using ePOS transactions, Wi-Fi technology and mobile device detection to generate anonymized shopping behavior statistics.
We are committed to protecting your privacy in compliance with GDPR, ISO 27001/27701 standards, and other applicable laws. This Statement outlines Our data processing practices, your rights, and how to contact Us for inquiries or requests.
Data Controller and Contact Details
Footprints for Retail SRL, trading as Footprints AI, is a Romanian limited liability company and the owner of the website www.footprints-ai.com. We act as a Data Controller for Personal Data we collect and process for our own purposes, such as user login credentials for the Footprints AI platform, recruitment data, and website interactions (e.g., contact forms, newsletter subscriptions). We act as a Data Processor for Personal Data processed on behalf of our clients (e.g., pseudonymized shopper or campaign data for retailers and advertisers), under their instructions and in accordance with their privacy policies.
Company Details
Legal Name: Footprints for Retail SRL
Registration: Romanian Trade Registry no. J2017017113401, VAT number RO 38324578
Headquarters: 108 Eminescu, Bucharest, Romania
Website: www.footprints-ai.com
Contact Information
For questions, data subject access requests (DSARs), or concerns about Personal Data processing, please contact our Data Protection Officer (DPO) or support team:
Email (DPO): dpo@footprints-ai.com (for DSARs and privacy inquiries)
Email (General/Support): support@footprints-ai.com
Email (Security Issues): support@footprints-ai.com
Postal Address: Footprints for Retail SRL, 108 Eminescu, 1st Floor, District 2, Bucharest, Romania
Phone: Available upon request via email for verified inquiries
We aim to respond to all inquiries within 30 days, as required by GDPR. For Personal Data processed on behalf of our clients (e.g., shopper or campaign data), DSARs should be directed to the relevant Data Controller (retailer or agency), and we will assist them in fulfilling requests per our Data Processing Agreements.
Supervisory Authority
If you believe we have not adequately addressed your concerns, you may contact the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Website: www.dataprotection.ro
Address: 28-30 G-ral Gheorghe Magheru Blvd., District 1, Bucharest, Romania
Email: anspdcp@dataprotection.ro
Our Business and Data Processing Overview
Footprints AI, operated by Footprints for Retail SRL, is a leading Software as a Service (SaaS) provider specializing in AI-driven retail media solutions. Our platform empowers physical and digital retailers to monetize customer data through omnichannel advertising networks, delivering targeted campaigns with high return on ad spend (ROAS). We leverage proprietary artificial intelligence, including tools like the Footprints AI Copilot, to analyze pseudonymized shopper behavior, generate predictive audience profiles, and enable real-time media-to-sales attribution. Our services are deployed in clients’ private cloud environments (e.g., Microsoft Azure West Europe), ensuring data privacy and compliance with GDPR and ISO 27001/27701 standards.
Our Business Operations
Our core activities involve:
Platform Services: Providing a white-label retail media platform for retailers and advertisers, including:
• Data Ingestion: Collecting pseudonymized data (e.g., hashed device IDs, loyalty card numbers, POS transactions) from retailer systems.
• Audience Profiling: Using AI to create anonymized behavioral clusters and affinity profiles for targeted advertising.
• Campaign Management: Enabling advertisers (agencies or brands) to set up, activate, and monitor omnichannel campaigns (in-store, online, off-site) via a centralized dashboard.
• Real-Time Attribution: Measuring campaign performance with SKU- and store-level insights.
• Predictive Analytics: Offering tools like Footprints AI Copilot to optimize campaigns and customer engagement.
Website Interactions: Engaging visitors through www.footprints-ai.com for lead generation, professional communications (e.g., newsletters, alerts), and recruitment.
Sales and Marketing: Using behavioral profiling and remarketing to synchronize multi-channel marketing, boosting traffic and conversions for current and prospective clients.
Recruitment: Processing applicant data to evaluate candidates for roles at Footprints AI.
Research and Development: Testing tools like Retail Analytics or new AI models.
Third-Party Integrations: Connecting with client-approved platforms (e.g., Google, Meta, POS systems) to automate campaign data flows and enhance targeting efficiency.
Data Processing Overview
We process Personal Data in the following contexts, with distinct roles:
As Data Controller: We determine the purposes and means of processing for:
• User login data (e.g., business emails, role-based credentials) for platform access by employees, retailers, and advertisers.
• Website visitor data (e.g., contact form submissions, cookie-based analytics) for lead generation and communications.
• Recruitment data (e.g., CVs, contact details) for hiring processes.
As Data Processor: We process data on behalf of our clients (retailers or advertisers) as Data Controllers, including:
• Pseudonymized shopper data (e.g., hashed device IDs, loyalty card numbers) for profiling and campaign targeting.
• Campaign performance data (e.g., impressions, conversions) for attribution and reporting.
• Data synchronized from third-party platforms (e.g., Google, Meta) per client instructions.
Data Scope: We prioritize pseudonymized and anonymized data to minimize privacy risks. No direct identifiers (e.g., names, personal emails) are collected unless explicitly provided by clients or users (e.g., in recruitment or contact forms).
Data Residency: All data is processed and stored within the European Union (Microsoft Azure West Europe, Netherlands), ensuring GDPR compliance and no cross-border transfers without safeguards.
Our processing adheres to GDPR principles of lawfulness, fairness, transparency, data minimization, and security. We do not sell Personal Data or use it for purposes beyond those specified in this Statement or client agreements.
Categories of Personal Data We Process
Footprints AI processes Personal Data across our operations, including website interactions, platform usage, sales, recruitment, and tool testing. We prioritize pseudonymized and anonymized data to minimize privacy risks, acting primarily as a Data Processor for client-controlled data (e.g., shopper and campaign data) and as a Data Controller for limited internal data (e.g., user logins, recruitment). Below is a detailed overview of the Personal Data categories we process, organized by operation.

Notes on Data Processing
• Pseudonymization: Shopper and campaign data is pseudonymized (e.g., hashed IDs) to prevent direct identification, stored separately from any linking information.
• No Direct Identifiers: We do not collect sensitive identifiers (e.g., Social Security numbers, passport details) unless explicitly provided by clients or users.
• Client Control: For platform and integration data, our clients (retailers/advertisers) as Data Controllers determine the data categories and collection methods.
• GDPR Compliance: All processing adheres to data minimization, purpose limitation, and security principles, with robust safeguards (e.g., AES-256 encryption, TLS 1.2+).
How We Collect Personal Data
Footprints AI collects Personal Data through various methods and sources, depending on the operation (e.g., website interactions, platform usage, sales, recruitment, tool testing, third-party integrations). As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we ensure collection methods are lawful, transparent, and compliant with GDPR. All data is processed and stored within the European Union (Microsoft Azure West Europe). The table below outlines how we collect Personal Data for each operation.

Notes on Collection Methods
• Consent and Transparency: Where we act as Controller (e.g., website, recruitment), we obtain consent for non-essential processing (e.g., cookies, newsletters) via clear opt-in mechanisms. For Processor activities, clients as Controllers manage consent.
• Pseudonymization: Shopper and campaign data is collected in pseudonymized form (e.g., hashed IDs) to prevent direct identification, with linking data stored separately in client-controlled environments.
• Security: Collection occurs over secure channels (e.g., TLS 1.2+ for APIs, web forms). Data is encrypted at rest (AES-256) and processed in EU-based private clouds (Microsoft Azure West Europe).
• No Unauthorized Sources: We do not scrape data or collect from unverified sources. Public source data (e.g., LinkedIn) is used only with consent and for lawful purposes (e.g., recruitment, sales).
Purposes of Processing and Legal Bases
Footprints AI processes Personal Data for specific, lawful purposes aligned with our operations as a SaaS retail media platform, including website interactions, platform usage, sales, recruitment, tool testing, and third-party integrations. As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we ensure compliance with GDPR principles, including purpose limitation, transparency, and data minimization. The table below details the purposes of processing and their legal bases under Regulation (EU) 2016/679 (GDPR) for each operation.

Notes on Processing Purposes
• Transparency: We inform users of processing purposes at the point of data collection (e.g., via forms, cookie banners, or client agreements). Any new purposes require prior notification and, if applicable, consent.
• Pseudonymization: Shopper and campaign data is processed in pseudonymized form to minimize privacy risks, with no automated decisions producing legal effects (GDPR Art. 22).
• Client Control: As a Data Processor, we process data strictly per client instructions, as outlined in Data Processing Agreements (DPAs). Clients determine purposes for shopper/campaign data.
• Security and Compliance: All processing is conducted in EU-based private clouds (Microsoft Azure West Europe) with robust security measures (e.g., AES-256 encryption, TLS 1.2+), aligned with ISO 27001/27701 standards.
Marketing Communications
We may send you marketing communications about our products, services, events, and industry insights if:
- You have given your consent (GDPR Art. 6(1)(a)), or
- You are a business contact and we rely on our legitimate interest in B2B marketing (GDPR Art. 6(1)(f)), in line with applicable national marketing laws.
Managing Preferences
You can opt out of marketing emails at any time by clicking the unsubscribe link in the email or by contacting us at support@footprints-ai.com. When you opt out, we will add your contact details to a suppression list to ensure we do not send you further marketing communications.
Cookie-Based Marketing
Some of our marketing is delivered through cookies or similar tracking technologies. We only use these for personalised advertising with your consent, collected through our Consent Management Platform (CMP) when you visit our websites.
You can change or withdraw your cookie preferences at any time via the Cookie Settings link at the bottom of our site.
Data Sharing, Recipients, and International Transfers
Footprints AI is committed to protecting Personal Data and ensuring that any sharing with third parties adheres to GDPR and other applicable data protection laws. As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we share data only when necessary, under strict safeguards, and in compliance with client instructions. All data processing and storage occur within the European Union (Microsoft Azure West Europe, Netherlands). Where a service provider processes data outside the EEA, we use SCCs, TIAs, and (where applicable) EU–US Data Privacy Framework certification. The table below outlines how we share Personal Data, the recipients involved, and our approach to international transfers.


Notes on Data Sharing and Transfers
• No Data Sales: We do not sell, rent, or share Personal Data for commercial purposes beyond the scope of our services or client instructions.
• Subprocessors: We use limited subprocessors (e.g., Microsoft Azure, Google) with Data Processing Agreements (DPAs) ensuring GDPR compliance, including encryption (AES-256, TLS 1.2+), access controls, and audit obligations. Microsoft Azure is ISO 27001/27701 certified and operates under the EU-approved Data Protection Addendum.
• International Transfers: All data is processed and stored in the EU (Microsoft Azure West Europe). If a client or legal requirement necessitates non-EU transfers, we implement Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs) per EDPB guidelines to ensure equivalent protection. For US-based subprocessors (e.g., Google, Meta), we rely on the EU-US Data Privacy Framework (DPF) or SCCs.
• Legal Obligations: Data may be disclosed to authorities if required by law (e.g., court orders), with prompt notification to affected users unless prohibited.
• Security: All sharing occurs over secure channels with robust safeguards (e.g., RBAC, MFA, penetration testing every 6 months), aligned with ISO 27001/27701 standards.
Data Retention Periods
Footprints AI retains Personal Data only for as long as necessary to fulfill the purposes outlined in Chapter 6, comply with legal obligations, or support client instructions, in accordance with GDPR’s storage limitation principle. As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we apply specific retention periods tailored to each operation. Data is securely deleted or anonymized when no longer needed, using industry-standard methods (e.g., overwriting, secure erasure). All data is processed and stored within the European Union (Microsoft Azure West Europe). The table below details retention periods for each operation.


Notes on Retention
• Data Minimization: We retain only data necessary for the specified purposes. Pseudonymized data (e.g., hashed IDs) is used to reduce privacy risks.
• Deletion Process: Data is securely deleted using cryptographic erasure or overwritten in backups within 30 days of retention expiry, unless legally required to retain (e.g., tax laws). Clients can request earlier deletion for Processor data.
• Client Control: For platform and integration data, retention periods are governed by client (Controller) instructions in Data Processing Agreements (DPAs).
• Security: Data is stored in EU-based private clouds (Microsoft Azure West Europe) with AES-256 encryption and TLS 1.2+ for transfers, aligned with ISO 27001/27701 standards.
• Data Subject Requests: You may request deletion or access to your data (see Chapter 10). For Processor data, requests are directed to the client (Controller).
Security Measures
Footprints AI is committed to protecting Personal Data through robust technical and organizational measures, ensuring confidentiality, integrity, and availability in compliance with GDPR and ISO 27001/27701 standards. As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we implement industry-standard safeguards across all operations, including website interactions, platform usage, sales, recruitment, tool testing, and third-party integrations. All data is processed and stored within the European Union (Microsoft Azure West Europe, Netherlands). Below is an overview of our key security measures.
Security of Processing
We apply a combination of technical, organisational, and contractual measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
Technical measures
Encryption in transit and at rest – TLS 1.2+ for all data in transit; AES-256 for data at rest.
Access controls – Role-based access management (RBAC), enforced MFA for all platform accounts.
Data segregation – Each retailer’s platform instance is logically separated from others.
Logging & monitoring – Continuous system and security monitoring with automated alerts.
Backup & recovery – Encrypted backups stored in EU data centres with defined recovery time objectives (RTO).
Organisational measures
Security policies – Formalised access control, incident response, and change management policies.
Staff training – Annual security and privacy awareness training for all employees.
Least privilege principle – Users receive only the minimum access needed for their role.
Compliance measures
ISO 27001 certified Information Security Management System (ISMS).
Vendor management – Data Processing Agreements (DPAs) in place with all sub-processors; annual vendor security reviews.
Incident response – 24/7 escalation procedures and regulatory notification timelines in line with GDPR Art. 33–34.
Technical Measures
Encryption:
- Data at rest is encrypted using AES-256 in Microsoft Azure (e.g., Azure SQL, Storage).
- Data in transit is secured with TLS 1.2+ for all API, webhook, and website communications.
- Confidential computing is used where available for sensitive processing (e.g., AI-driven profiling).
Access Controls:
- Role-Based Access Control (RBAC) with least-privilege principles, enforced via Azure Identity and Access Management (IAM).
- Multi-Factor Authentication (MFA) with one-time passwords (OTP) for all platform and administrative access.
- IP-based access restrictions and just-in-time access for privileged accounts.
Network Security:
- Isolated Virtual Networks (VNets) and private endpoints in Azure to prevent public exposure.
- Microsoft Bastion for secure, browser-based access to virtual machines.
- No public endpoints for client data; all access logged and monitored.
Monitoring and Logging:
- Security Information and Event Management (SIEM) tools for real-time monitoring of system and user activity.
- Audit logs retained for at least 12 months, covering login attempts, data access, and configuration changes.
- Automated alerts for suspicious activity, reviewed by our security team within SLA-defined timelines.
Secure Development:
- Regular penetration testing (every 6 months and per retailer onboarding) by accredited third-party firms.
- Secure coding practices and security architecture reviews to mitigate vulnerabilities.
- Quarterly vulnerability scans, with issues (e.g., Node.js version updates, session durations) promptly resolved.
Endpoint Protection:
- Microsoft Defender for Endpoint deployed on all workstations and servers for malware detection, quarantine, and behavioral analysis.
- Laptops use BitLocker (Windows) or FileVault (macOS); no local storage of client data.
- Automated patching for operating systems and software.
Organizational Measures
Information Security Management System (ISMS):
- Aligned with ISO 27001/27701, approved by executive management, and reviewed annually.
- Covers risk management, access control, incident response, and compliance.
Incident Response:
- Formal Incident Response Policy with defined roles, escalation paths, and communication protocols.
- Security incidents reported to clients within 8 hours of detection (contact: support@footprints-ai.com).
- Notification to the National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours if a breach poses risks to rights and freedoms.
Data Processing Agreements (DPAs):
- Signed with all subprocessors (e.g., Microsoft Azure, Google) to ensure GDPR-compliant safeguards, including encryption and access controls.
- Microsoft Azure operates under the EU-approved Data Protection Addendum.
Employee Training:
- Weekly 4-hour “Product, Policies, People” workshops every Friday to align staff on security practices and platform updates.
- Annual GDPR and cybersecurity training for all employees.
Asset Management:
- Formal process for classifying and handling information assets (e.g., confidential, internal).
- No use of physical media (e.g., disks, USBs); all data stored in secure cloud environments (Azure, Google Workspace).
Decommissioning:
- Secure wiping of devices using industry-standard tools (e.g., DoD 5220.22-M standard) before reuse or disposal.
- Cloud-based data purged per retention policies, with logs confirming deletion.
Additional Notes
- Client Data Security: Client data (e.g., shopper profiles, campaign metrics) is processed in isolated private cloud instances, with no cross-client access. Microsoft Azure’s SOC 2 Type II and ISO 27001 certifications ensure infrastructure security.
- Subprocessor Oversight: Limited subprocessors (e.g., Azure, Google) are audited for compliance; no third-party access to client data beyond hosting and approved integrations.
- Continuous Improvement: Our ISMS undergoes internal audits annually and external assessments (e.g., penetration testing), ensuring ongoing effectiveness.
Cookies and Similar Technologies
Footprints AI uses cookies and similar technologies on our website (www.footprints-ai.com) and, where applicable, within our SaaS retail media platform to enhance user experience, analyze usage, and deliver personalized content.
As a Data Controller for website interactions and limited platform data (e.g., user logins), we ensure that cookie usage complies with GDPR, the ePrivacy Directive, and ISO 27001/27701 standards. All data is processed and stored within the European Union (Microsoft Azure West Europe, Netherlands). This chapter explains the types, purposes, and management of cookies and similar technologies.
Types and Purposes of Cookies
Cookies are small text files stored on your device to facilitate website and platform functionality. Similar technologies include pixels, web beacons, and local storage. The table below outlines the categories, purposes, and retention periods of cookies we use.

How We Use Cookies
Website: Cookies enhance navigation, analyze traffic, and personalize content (e.g., tailored ads for lead generation). Strictly necessary cookies are enabled by default; others require explicit consent via our cookie banner.
Platform: Cookies support user authentication and, for advertisers, campaign performance tracking. Client-controlled data (e.g., shopper analytics) is pseudonymized and processed per client instructions in their private cloud.
Consent Management: We use a cookie consent tool on our website to allow users to accept or reject non-essential cookies (functional, analytics, marketing). Consent is recorded and can be withdrawn at any time via the Cookie Policy page.
Pseudonymization: Analytics and marketing cookies collect pseudonymized data (e.g., hashed IP addresses) to minimize privacy risks.
Managing Cookies
Website Users: You can manage cookie preferences through the cookie banner or browser settings. Disabling cookies may limit website functionality.
Platform Users: Cookies are managed per client configurations; contact your organization’s Data Controller for details.
Withdrawal of Consent: Update preferences via the Cookie Policy page or contact dpo@footprints-ai.com. Withdrawal does not affect prior processing legality.
Security and Compliance
Data Protection: Cookie data is encrypted (AES-256 at rest, TLS 1.2+ in transit) and stored in the EU (Microsoft Azure West Europe).
Subprocessors: Analytics/marketing cookies may involve subprocessors (e.g., Google Analytics) under DPAs, with EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) for any non-EU processing.
Audits: Cookie usage is reviewed quarterly as part of our ISO 27001/27701-compliant Information Security Management System (ISMS).
Additional Notes
No Automated Decisions: Cookies do not support automated decision-making with legal effects (GDPR Art. 22).
Client Data: Platform cookies for campaign analytics are governed by client (Controller) privacy policies.
Cookie Policy: For detailed information, including specific cookie names and providers, see https://www.footprints-ai.com/cookie-policy.
Special Cases: Automated Processing and Profiling
Footprints AI leverages automated processing and profiling to deliver AI-driven retail media solutions, including audience segmentation, predictive analytics (e.g., via Footprints AI Copilot), and shopper behavior analysis through proprietary tools like Retail Analytics. These processes primarily involve pseudonymized or anonymized data to minimize privacy risks and are conducted in compliance with GDPR, particularly Article 22, which prohibits automated decision-making with legal or similarly significant effects unless specific conditions are met. As a Data Controller for limited internal data and a Data Processor for client-controlled data, we ensure transparency and safeguards in all automated processing activities. All data is processed and stored within the European Union (Microsoft Azure West Europe, Netherlands).
Automated Processing and Profiling Activities
Retail Analytics Testing
Description: Our Retail Analytics tool uses Wi-Fi triangulation and mobile device detection to generate anonymized shopping pattern statistics (e.g., areas of interest, walking paths) during testing at our offices. This supports research and development to improve tool functionality.
Data Processed: Pseudonymized technical data (e.g., MAC addresses).
Purpose: Test and enhance Retail Analytics for commercial and marketing insights.
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) for R&D, balanced against minimal privacy impact due to pseudonymization.
GDPR Art. 22 Compliance: No automated decisions with legal or significant effects are made. Outputs are anonymized statistics with no individual impact.
Role: Data Controller.
Platform-Based Audience Profiling
Description: The Footprints AI platform, including tools like Copilot, processes pseudonymized shopper data (e.g., hashed device IDs, loyalty card numbers, transaction data) to create behavioral clusters and affinity profiles for targeted advertising.
Data Processed: Pseudonymized shopper data (e.g., age, gender, interests, purchase history) and campaign performance metrics.
Purpose: Enable retailers and advertisers to target high-intent audiences and optimize campaigns, with up to 96% predictive accuracy (not guaranteed).
Legal Basis: Processed as a Data Processor per client (Data Controller) instructions under GDPR Art. 28, based on client agreements and their legal bases (e.g., consent, contractual necessity).
GDPR Art. 22 Compliance: Profiling does not produce legal or significant effects; outputs are used for campaign targeting under client control, with human oversight.
Role: Data Processor.
Third-Party Integrations
Description: Integration with client-approved platforms (e.g., Google, Meta) involves automated processing to synchronize data (e.g., audience segments, campaign metrics) for retargeting and performance reporting.
Data Processed: Client-provided or third-party data (e.g., demographics, interests) per client instructions.
Purpose: Automate campaign management, enhance targeting efficiency, and provide centralized reporting.
Legal Basis: Processed as a Data Processor per client instructions (GDPR Art. 28), aligned with client privacy policies.
GDPR Art. 22 Compliance: No automated decisions with legal or significant effects; profiling is client-directed with human review.
Role: Data Processor.
Safeguards and Transparency
Pseudonymization and Anonymization: All profiling uses pseudonymized data (e.g., hashed IDs) to prevent direct identification. Retail Analytics outputs are anonymized to eliminate individual traceability.
Client Control: For platform and integration data, clients (Data Controllers) determine profiling purposes and ensure compliance with their privacy policies and legal bases (e.g., user consent).
Security Measures: Data is processed in secure, EU-based private clouds (Microsoft Azure West Europe) with AES-256 encryption, TLS 1.2+, and role-based access controls (RBAC). Regular penetration testing and ISO 27001/27701 audits ensure robust protection.
Transparency: We inform clients of profiling activities via Data Processing Agreements (DPAs). For Retail Analytics testing, visitors to our offices are notified of data collection where applicable.
Data Subject Rights: You can exercise GDPR rights (e.g., access, objection) for Controller data (see Chapter 10). For Processor data, contact the client (Data Controller); we assist in fulfilling requests.
Notes
No Legal Effects: Our automated processing and profiling do not produce legal or similarly significant effects under GDPR Art. 22, as they are limited to analytics, targeting, and R&D without individual decision-making.
Oversight: Client-directed profiling includes human review to ensure accuracy and compliance.
Contact: For inquiries about profiling, contact dpo@footprints-ai.com (Controller data) or the relevant client (Processor data).
Your Rights as a Data Subject
As a data subject under Regulation (EU) 2016/679 (GDPR), you have specific rights regarding the processing of your Personal Data by Footprints AI. We act as a Data Controller for limited internal data (e.g., user login credentials, recruitment data, website interactions) and as a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data). This chapter explains your rights, how to exercise them, and our processes for handling requests. All data is processed and stored within the European Union (Microsoft Azure West Europe), ensuring GDPR compliance.
Your GDPR Rights
You have the following rights concerning your Personal Data:
Right to Access (Art. 15): You can request confirmation of whether we process your Personal Data and obtain a copy of it, including details on purposes, categories, recipients, and retention periods. Additional copies may incur a reasonable fee based on administrative costs.
Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete Personal Data.
Right to Erasure (“Right to be Forgotten,” Art. 17): You can request deletion of your Personal Data when it is no longer necessary, you withdraw consent, or it is processed unlawfully, unless we are required to retain it (e.g., for legal obligations).
Right to Restriction of Processing (Art. 18): You can request restriction of processing if you contest data accuracy, the processing is unlawful, we no longer need the data but you require it for legal claims, or you object pending verification of our legitimate interests.
Right to Data Portability (Art. 20): You can request your Personal Data in a structured, commonly used, machine-readable format (e.g., .csv) and transmit it to another controller, where processing is based on consent or a contract and is automated.
Right to Object (Art. 21): You can object to processing based on legitimate interests (e.g., marketing) or for direct marketing purposes, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Avoid Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects. Our platform (e.g., Retail Analytics, AI Copilot) does not make such decisions.
Right to Withdraw Consent (Art. 7): Where processing is based on consent (e.g., newsletters, recruitment data retention), you can withdraw it at any time without affecting prior processing legality.
How to Exercise Your Rights
For Data We Control: For Personal Data where we act as Data Controller (e.g., user logins, recruitment data, website interactions), submit requests to our Data Protection Officer (DPO):
Email: dpo@footprints-ai.com
Postal Address: Footprints for Retail SRL, 108 Eminescu Street, 1st floor, District 2, Bucharest, Romania
For Data We Process: For client-controlled data (e.g., shopper or campaign data), direct requests to the relevant Data Controller (retailer or advertiser). We will assist Controllers in fulfilling requests per our Data Processing Agreements (DPAs).
Process: We verify identity (to protect your data), then respond within one month. Complex requests may take up to two additional months; we’ll notify you.
Security Concerns: For data breaches or security issues, contact support@footprints-ai.com.
Complaints
If you believe we have not adequately addressed your request, you may file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
Address: 28-30 G-ral Gheorghe Magheru Blvd., District 1, Bucharest, Romania
You may also seek redress through Romanian courts.
Notes on Exercising Rights
Client-Controlled Data: For shopper or campaign data, we act as a Data Processor and forward requests to the Controller within 48 hours. Contact details for Controllers are provided in their privacy policies or upon request.
Security Measures: Requests are handled securely (e.g., encrypted communications, identity verification) per ISO 27001/27701 standards.
Transparency: We maintain a Record of Processing Activities (ROPA) and audit logs to support right fulfillment, available to supervisory authorities.
Your GDPR Rights
You have the following rights concerning your Personal Data:
Right to Access (Art. 15): You can request confirmation of whether we process your Personal Data and obtain a copy of it, including details on purposes, categories, recipients, and retention periods. Additional copies may incur a reasonable fee based on administrative costs.
Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete Personal Data.
Right to Erasure (“Right to be Forgotten,” Art. 17): You can request deletion of your Personal Data when it is no longer necessary, you withdraw consent, or it is processed unlawfully, unless we are required to retain it (e.g., for legal obligations).
Right to Restriction of Processing (Art. 18): You can request restriction of processing if you contest data accuracy, the processing is unlawful, we no longer need the data but you require it for legal claims, or you object pending verification of our legitimate interests.
Right to Data Portability (Art. 20): You can request your Personal Data in a structured, commonly used, machine-readable format (e.g., .csv) and transmit it to another controller, where processing is based on consent or a contract and is automated.
Right to Object (Art. 21): You can object to processing based on legitimate interests (e.g., marketing) or for direct marketing purposes, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Avoid Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects. Our platform (e.g., Retail Analytics, AI Copilot) does not make such decisions.
Right to Withdraw Consent (Art. 7): Where processing is based on consent (e.g., newsletters, recruitment data retention), you can withdraw it at any time without affecting prior processing legality.
How to Exercise Your Rights
For Data We Control: For Personal Data where we act as Data Controller (e.g., user logins, recruitment data, website interactions), submit requests to our Data Protection Officer (DPO):
Email: dpo@footprints-ai.com
Postal Address: Footprints for Retail SRL, 108 Eminescu Street, 1st floor, District 2, Bucharest, Romania
For Data We Process: For client-controlled data (e.g., shopper or campaign data), direct requests to the relevant Data Controller (retailer or advertiser). We will assist Controllers in fulfilling requests per our Data Processing Agreements (DPAs).
Process: We verify identity (to protect your data), then respond within one month. Complex requests may take up to two additional months; we’ll notify you.
Security Concerns: For data breaches or security issues, contact support@footprints-ai.com.
Complaints
If you believe we have not adequately addressed your request, you may file a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
Address: 28-30 G-ral Gheorghe Magheru Blvd., District 1, Bucharest, Romania
You may also seek redress through Romanian courts.
Notes on Exercising Rights
Client-Controlled Data: For shopper or campaign data, we act as a Data Processor and forward requests to the Controller within 48 hours. Contact details for Controllers are provided in their privacy policies or upon request.
Security Measures: Requests are handled securely (e.g., encrypted communications, identity verification) per ISO 27001/27701 standards.
Transparency: We maintain a Record of Processing Activities (ROPA) and audit logs to support the fulfillment of your rights; both are available to supervisory authorities.
Changes to This Privacy Statement
Footprints AI may update this Privacy Statement to reflect changes in our data processing practices, business operations, or legal requirements, including compliance with Regulation (EU) 2016/679 (GDPR) and ISO 27001/27701 standards.
As a Data Controller for limited internal data (e.g., user logins, recruitment) and a Data Processor for client-controlled data (e.g., pseudonymized shopper or campaign data), we ensure that updates maintain transparency and protect your privacy.
All data is processed and stored within the European Union (Microsoft Azure West Europe, Netherlands).
Update Process
Reasons for Updates: We may revise this Statement to address:
- New platform features (e.g., enhancements to Footprints AI Copilot or Retail Analytics).
- Changes in data processing activities (e.g., new third-party integrations, updated retention periods).
- Legal or regulatory updates (e.g., GDPR amendments, new EU data protection laws).
- Improvements to clarity or user experience.
Notification: Significant changes (e.g., new data categories, purposes, or recipients) will be communicated to you via:
Prominent notice on our website (www.footprints-ai.com).
Email notifications to registered users (e.g., platform users, newsletter subscribers).
Alerts within the platform for employees, retailers, and advertisers.
Effective Date: Updates take effect upon posting on our website or as specified in notifications. The latest version supersedes all prior versions.
Review: We review this Statement at least annually to ensure alignment with our operations and legal obligations.
Your Rights and Actions
Stay Informed: Check www.footprints-ai.com for the current Privacy Statement. The "Last Updated" date is displayed at the top.
Exercise Rights: If updates affect your Personal Data, you may exercise GDPR rights (e.g., access, objection, erasure) as outlined in Chapter 10.
Contact Us: For questions about updates, contact our Data Protection Officer at dpo@footprints-ai.com or support@footprints-ai.com.
Notes
Transparency: We provide clear, timely notifications for significant changes to ensure you understand how your Personal Data is processed.
Client Data: For client-controlled data (e.g., shopper or campaign data), updates are coordinated with Data Controllers per Data Processing Agreements (DPAs).
Security: All updates are implemented with robust security measures (e.g., AES-256 encryption, ISO 27001/27701 compliance) to protect your data.