GDPR Compliance
TigerLabel is committed to protecting the rights and privacy of individuals in the European Union. We comply with the General Data Protection Regulation (GDPR) and provide transparent data processing practices.
1Our Commitment to GDPR
The General Data Protection Regulation (GDPR) represents a significant step forward in data protection rights for individuals. At TigerLabel, we fully embrace these principles and have implemented comprehensive measures to ensure compliance.
Privacy by Design
Data protection integrated into every aspect of our platform from the ground up
Privacy by Default
Strictest privacy settings enabled by default, minimal data collection
Transparency
Clear communication about data processing activities and your rights
GDPR Compliance Framework
- Appointed dedicated Data Protection Officer (DPO)
- Maintained comprehensive Records of Processing Activities (ROPA)
- Conducted Data Protection Impact Assessments (DPIAs)
- Implemented technical and organizational security measures
- Established data breach notification procedures
- Regular staff training on GDPR requirements
2Data Processing Activities
We maintain detailed records of our data processing activities in accordance with Article 30 of the GDPR. Here's an overview of how we process personal data:
Processing as a Controller
When you use TigerLabel's platform, we act as a data controller for:
Account Management
Data: Name, email, company, job title, password, profile photo
Purpose: Provide access to platform, authenticate users, communicate service updates
Legal Basis: Contract performance, legitimate interests
Billing & Payments
Data: Billing address, payment method, transaction history
Purpose: Process payments, send invoices, comply with tax regulations
Legal Basis: Contract performance, legal obligation
Platform Analytics
Data: Usage patterns, feature engagement, performance metrics
Purpose: Improve platform, develop new features, optimize user experience
Legal Basis: Legitimate interests
Marketing Communications
Data: Email address, communication preferences, engagement history
Purpose: Send product updates, newsletters, promotional content
Legal Basis: Consent (opt-in only)
Processing as a Processor
When you upload data for labeling, we act as a data processor on your behalf:
Labeling Data
Data: Images, videos, text, audio files uploaded by you
Purpose: Provide data annotation and labeling services as instructed by you
Your Instructions: We process this data solely according to your documented instructions via our Data Processing Agreement (DPA)
Important: You remain the data controller for any personal data contained in your labeling projects. We do not use your project data for any purpose other than providing the services you requested.
3Legal Bases for Processing
Under GDPR, we must have a valid legal basis for processing your personal data. Here are the legal bases we rely on:
Contract Performance
GDPR Article 6(1)(b)
Processing necessary to provide our services to you:
- • Account creation and management
- • Platform access and authentication
- • Data labeling services
- • Customer support
Consent
GDPR Article 6(1)(a)
Where you have given clear consent:
- • Marketing communications
- • Optional analytics cookies
- • Product updates and newsletters
- • Data used for AI model training
Legitimate Interests
GDPR Article 6(1)(f)
For our legitimate business interests:
- • Platform improvement and optimization
- • Fraud prevention and security
- • Usage analytics (aggregated)
- • Business operations and management
Legal Obligation
GDPR Article 6(1)(c)
To comply with legal requirements:
- • Tax and accounting records
- • Responding to legal requests
- • Regulatory compliance
- • Breach notifications
Balancing Test
When relying on legitimate interests, we conduct a balancing test to ensure our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests at any time.
4Your Rights Under GDPR
The GDPR provides EU residents with several rights regarding their personal data. We are committed to facilitating the exercise of these rights.
Right to Access
Obtain confirmation whether we process your personal data and receive a copy of your data
Right to Rectification
Request correction of inaccurate or incomplete personal data
Right to Erasure
Request deletion of your personal data ("right to be forgotten")
Right to Restriction
Request limitation of processing your personal data
Right to Data Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests or for direct marketing
Right to Lodge a Complaint
If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with your local supervisory authority:
- • Ireland (Lead Authority): Data Protection Commission (DPC)
- • Find your authority: EDPB Member List
5Data Protection Officer
In accordance with Article 37 of the GDPR, we have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR requirements.
DPO Responsibilities
- Monitor GDPR compliance
- Advise on Data Protection Impact Assessments
- Provide training to staff
- Cooperate with supervisory authorities
- Act as point of contact for data subjects
Contact Our DPO
Our DPO is available to answer questions about your data protection rights and how we process personal data.
Postal Address
TigerLabel, Inc.
Attn: Data Protection Officer
123 Market Street, Suite 500
San Francisco, CA 94103
United States
6International Data Transfers
TigerLabel is headquartered in the United States. When we transfer personal data from the EU/EEA to the United States or other countries, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR.
Transfer Mechanisms
Standard Contractual Clauses (SCCs)
We use the European Commission's Standard Contractual Clauses (2021/914) for transfers to the United States and other third countries. These clauses provide contractual guarantees for the protection of your personal data.
Download our SCCsAdequacy Decisions
Where available, we rely on adequacy decisions by the European Commission that recognize certain countries as providing adequate data protection (e.g., UK, Switzerland, Japan).
Regional Data Storage
Enterprise customers can choose to store their data in EU-based data centers (Frankfurt, Ireland) to minimize international transfers. Contact sales for details.
Additional Safeguards
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication requirements
- Regular security audits and penetration testing
- Transparent data processing practices
- Right to object to international transfers
7Sub-processors
We work with trusted third-party service providers (sub-processors) to help us deliver our services. All sub-processors are contractually bound to comply with GDPR requirements.
| Sub-processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | USA, EU | SCCs |
| Stripe | Payment processing | USA | SCCs |
| SendGrid | Email delivery | USA | SCCs |
| Google Analytics | Analytics (optional) | USA | Consent + SCCs |
| Intercom | Customer support | USA | SCCs |
Sub-processor Notification
We will notify customers at least 30 days before adding new sub-processors or making material changes to existing sub-processors. You have the right to object to the use of a sub-processor. For the most current list, visit our Sub-processor page.
8Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Active account + 90 days | Service provision, contract |
| Project data | Per customer settings | Your instructions |
| Billing records | 7 years | Tax, legal obligations |
| Marketing data | Until unsubscribe + 30 days | Consent withdrawn |
| Analytics data | 26 months | Legitimate interests |
| Support tickets | 3 years | Customer service, legal |
Secure Deletion
When personal data is no longer needed, we securely delete it using:
- Cryptographic erasure for encrypted data
- Secure deletion protocols for storage media
- Removal from all backups within 90 days
- Anonymization where deletion is not possible
10How to Exercise Your Rights
We make it easy for you to exercise your GDPR rights. Here's how:
Self-Service Options
Account Settings
Update personal information, change preferences, download data
Privacy Dashboard
View data processing activities, manage consents, export data
Delete Account
Permanently delete your account and associated data
Contact Us
For requests that require manual processing or assistance:
Data Protection Officer
dpo@tigerlabel.comPrivacy Request Form
Submit online requestWhat to Expect
Acknowledgment (1 business day)
We confirm receipt of your request
Identity Verification (if needed)
We may need to verify your identity to protect your data
Processing (up to 30 days)
We process your request and provide a response
Extension (if complex)
We may extend by 2 months for complex requests (we'll notify you)
No Charge
We do not charge a fee for exercising your rights, unless your request is manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse to act on the request.