GDPR Compliance

1. Introduction

Foundational Creations ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of users in the European Union (EU) and European Economic Area (EEA). This page provides information about how we comply with the General Data Protection Regulation (GDPR) (EU) 2016/679.

This GDPR information supplements our Privacy Policy and provides additional details specifically relevant to EU/EEA residents.

2. Data Controller

Foundational Creations is the data controller responsible for your personal data collected through the LoveVerse application and website.

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide our Service:

• Account creation and management
• Song generation based on your stories
• Payment processing
• Content delivery
• Customer support

3.2 Legitimate Interests (Article 6(1)(f))

Processing for our legitimate business interests:

• Service improvement and optimization
• Fraud prevention and security
• Analytics and performance monitoring
• Bug fixing and troubleshooting

We have conducted a Legitimate Interest Assessment (LIA) for each of these purposes to ensure our interests do not override your rights and freedoms.

3.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

• Marketing communications
• Non-essential cookies
• Optional analytics
• Newsletter subscriptions

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.4 Legal Obligation (Article 6(1)(c))

Processing required by law:

• Tax and financial reporting
• Responding to legal requests
• Compliance with court orders

4. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

4.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with information about how we process it.

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

4.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and no other legal basis applies
• You object to processing and no overriding legitimate grounds exist
• The data has been unlawfully processed
• The data must be erased for legal compliance

4.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful but you prefer restriction over erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

4.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI content generation does not produce such effects, but if you have concerns, please contact us.

4.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.

5. Exercising Your Rights

To exercise any of these rights, please contact us:

• Email: privacy@foundationalcreations.com
• Subject Line: GDPR Request - [Your Right]

We will respond to your request within:

• Standard: 30 days
• Complex requests: Up to 90 days (we will inform you of any extension)

We may request identity verification to ensure we are responding to the data subject or their authorized representative.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, including the United States. We ensure appropriate safeguards are in place:

6.1 Transfer Mechanisms

• Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with our service providers.
• Data Processing Agreements: All processors have signed DPAs compliant with Article 28 GDPR.
• Technical Measures: Encryption in transit and at rest for all transferred data.

6.2 Third-Country Transfers

We may transfer data to the following countries/organizations:

• United States (with SCCs and supplementary measures)
• Countries with EU adequacy decisions

7. Data Retention

We retain personal data only as long as necessary for the purposes collected or as required by law:

• Account data: Until account deletion + 30 days backup retention
• Generated content: Until account deletion or as needed for Service
• Story content: Processed immediately, not stored after generation
• Analytics data: 26 months (aggregated/anonymized may be kept longer)
• Legal records: As required by law (typically 7 years)

8. Data Protection Measures

We implement appropriate technical and organizational measures:

8.1 Technical Measures

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• Regular security assessments and penetration testing
• Intrusion detection and monitoring systems
• Secure development practices (OWASP guidelines)

8.2 Organizational Measures

• Data protection training for all employees
• Access control based on least privilege principle
• Incident response procedures
• Vendor due diligence and management
• Regular policy reviews and updates

9. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (unless unlikely to result in risk to rights and freedoms)
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document all breaches regardless of reporting requirements

10. Children's Data

Our Service is not directed at children under 16 years of age in the EU/EEA. We do not knowingly collect personal data from children under 16 without parental consent. If we learn that we have collected such data without proper consent, we will delete it promptly.

11. Data Processing Records

We maintain records of processing activities as required by Article 30 of the GDPR, including:

• Categories of data processed
• Purposes of processing
• Categories of recipients
• International transfers
• Retention periods
• Technical and organizational measures

12. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing operations likely to result in high risk to individuals, including our AI processing systems.

13. Contact Information

For GDPR-related inquiries or to exercise your rights:

• Company: Foundational Creations
• Data Protection Email: privacy@foundationalcreations.com
• General Support: support@foundationalcreations.com
• Website: https://loveverse.foundationalcreations.com

We are committed to working with you and, where applicable, relevant supervisory authorities to resolve any concerns about our data protection practices.