The General Data Protection Regulation is part of how we build the product, not an afterthought. This statement summarises our GDPR posture for prospective customers, regulators, and tenants whose data flows through Empowa-powered operators, including those operating in jurisdictions where GDPR does not apply directly but where equivalent privacy expectations do.
1. Roles
For website visits, demo requests, and our marketing activities, Empowa is the data controller. See our Privacy Notice for what that means in practice.
For tenant and applicant data flowing through the Empowa platform, Empowa is a data processor acting on behalf of each operator (the controller). Each operator signs a Data Processing Agreement that governs that activity.
2. Lawful bases
Operators rely on a combination of contract performance, legal obligation, and legitimate interests as the lawful basis for processing tenant data. The precise basis depends on the data and the activity, and is documented in the operator’s privacy notice.
3. Data minimisation
The platform is engineered around data minimisation. We collect what is needed to underwrite, contract, and pay, nothing more, and we make retention rules explicit and configurable.
4. Data subject rights
Tenants whose data is processed through Empowa-powered operators can exercise GDPR rights by contacting their operator, who will route the request through the platform. For website-related rights, contact us at greg.schneider@empowa.io.
5. International transfers
Where personal data is transferred between jurisdictions, we use Standard Contractual Clauses, the UK International Data Transfer Addendum, or other appropriate safeguards. Where European data must remain in Europe under an operator’s policy, the platform supports that configuration.
6. Security
We architect to ENISA cloud-security baselines, encrypt data in transit and at rest, and run formal access controls and audit logging on every change to tenant or applicant data.
7. Breach notification
We follow the GDPR 72-hour breach notification standard. Any breach affecting tenant or applicant data is notified to the relevant operator without undue delay.
8. Contact and DPO
For any GDPR question, contact greg.schneider@empowa.io. We can route sensitive enquiries to our Data Protection Officer.