Skip to main content
Voight processes personal data in line with Regulation (EU) 2016/679 (the General Data Protection Regulation). This page summarises our posture; the full technical and procedural detail is in the downloadable PDF below (35 pages, versioned, dated).

Quick reference

FieldValue
Data ControllerVoight Inc. (USA)
GDPR Main EstablishmentSpain (Article 4(16))
Supervisory AuthorityAEPD — Agencia Española de Protección de Datos
Lawful BasisContract — Article 6(1)(b)
Sub-processorsVercel, Railway, Privy
International Transfers2021 EU Standard Contractual Clauses
Privacy Contactteam@voight.xyz
Document Version1.0 — May 2026

Download the full document

Voight GDPR Compliance Documentation

35 pages · 130 KB · Version 1.0 · May 2026Full alignment record covering controller identity, scope of processing, lawful basis, data subject rights, international transfers (TIA included), breach procedure, sub-processor register, and Records of Processing Activities (Article 30).

What’s in the PDF

The full compliance document covers, in order:
  1. Document control and revision history
  2. Executive summary
  3. Identity of the Controller — legal form, establishment, supervisory authority
  4. Scope of processing — Voight as controller (account data) vs Voight as processor (telemetry)
  5. Lawful basis under Article 6
  6. Purposes of processing
  7. Data subject rights — how to exercise each of the ten rights under Articles 12–22
  8. Data retention — tier-based (7d Free / 90d Pro / 1y Enterprise)
  9. Security measures (Article 32) — encryption, access control, PII scrubbing
  10. Sub-processors register (Article 28)
  11. International data transfers — 2021 SCCs + supplementary measures (Articles 44–49)
  12. Personal data breach procedure (Articles 33–34)
  13. Cookies and ePrivacy
  14. Children’s data (Article 8)
  15. Records of Processing Activities (Article 30)
  16. Governance and accountability
Plus four annexes — sub-processor register, personal data catalogue, Transfer Impact Assessment summary, and document version history.

Key commitments at a glance

  • One lawful basis. Voight relies only on contract performance (Article 6(1)(b)). No consent fatigue, no behavioural profiling, no marketing opt-ins.
  • Privacy by design. The SDK runs three local privacy filters before any payload leaves the customer process. See Privacy overview and PII patterns.
  • Minimal sub-processors. Three only: Vercel (hosting), Railway (database), Privy (auth). All SOC 2 Type II, all with published GDPR DPAs.
  • No data sale. Personal data is never sold, never shared with advertisers, never used for any purpose other than delivering the service.
  • 30-day response window. Data subject requests are honoured within 30 days as required by Article 12(3).
  • No DPO and no EU Representative required. Voight does not meet the Article 37 DPO threshold and is established in the EU via Spain, removing the Article 27 representative requirement.

How to exercise your rights

Email team@voight.xyz from the address tied to your account. State the right you wish to exercise (access, rectification, erasure, restriction, portability, objection) and any specific detail. We respond within 30 days. For erasure of specific agents and their events, the dashboard offers self-service controls — see Data handling. Account-level deletion is handled by email.

Lodge a complaint

If you believe Voight has not honoured your rights, you can lodge a complaint with our lead supervisory authority: Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6, 28001, Madrid, Spain www.aepd.es · sedeagpd.gob.es Or with the supervisory authority of your country of residence (Article 77 GDPR).

See also