GDPR Compliance

How Opti4U complies with the General Data Protection Regulation.

Last updated: May 21, 2026

1. Our commitment to GDPR

Opti4U is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679. As a company headquartered in France, we treat GDPR compliance as foundational to how we build and operate our platform. We act as a Data Processor on behalf of our customers (Data Controllers) when processing delivery and route data.

2. Legal basis for processing

We process personal data under the following legal bases: contractual necessity (to provide our route optimization and delivery tracking services), legitimate interest (to improve our platform and prevent fraud), consent (for marketing communications and optional analytics), and legal obligation (for tax and regulatory requirements).

3. Data subject rights

We support all GDPR data subject rights, including the right of access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection. Requests can be submitted through your account dashboard, via email to privacy@opti4u.com, or through our API. We respond to all valid requests within 30 days.

4. Data processing agreements

We enter into Data Processing Agreements (DPAs) with all customers who process personal data through our platform. Our standard DPA covers data processing scope, security obligations, sub-processor management, breach notification procedures, and data deletion upon contract termination. DPAs are available for download from your account settings.

5. Sub-processors

We use a limited number of sub-processors to deliver our services, all located within the EU/EEA or in countries with adequate data protection. Our current sub-processors include: Vercel (application hosting and analytics), AWS (server infrastructure), Cloudflare (DNS and security), and Google Analytics (website analytics). We notify customers 30 days before adding new sub-processors.

6. Data breach notification

In the event of a personal data breach, we will notify affected Data Controllers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will include the nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken to mitigate the breach. We maintain a detailed incident response plan and conduct regular breach simulation exercises.