PLEASE READ THIS GENERAL DATA PROTECTION REGULATIONS (GDPR) POLICY CAREFULLY

OVERVIEW OF OUR PRIVACY POLICY

This GDPR Policy explains how Color Card Administrator (CCA) processes personal data in connection with its services and interactions with individuals located in the European Economic Area (EEA) and the United Kingdom (UK).

CCA is a U.S.-based company and does not operate infrastructure or host data within the EU or UK. However, GDPR may apply when CCA offers goods or services to individuals in these regions.

This Policy should be read together with:

• Privacy Policy
  
• Cookie Policy
  
• Data Retention Policy
  
• Data Processing Agreement (DPA), where applicable
  

COMPANY INFORMATION

Legal Name: Color Card Administrator (CCA)
Company Type: Privately held company
Headquarters:
7898 Ostrow Street, Suite E
San Diego, CA 92111
United States

SCOPE OF GDPR APPLICABILITY

CCA processes personal data under GDPR in limited circumstances:

• When EU/UK customers place orders for business cards via CCA platforms
  
• When individuals from the EU/UK interact with CCA services
  
• When CCA acts as a data processor on behalf of business clients
  

CCA does not maintain offices, servers, or operational infrastructure within the EU/UK.

ROLES AND RESPONSIBILITIES

Depending on the context:

DATA CONTROLLER

CCA acts as a data controller when:

• Managing its own business operations
  
• Handling customer support inquiries
  
• Processing direct orders
  

DATA PROCESSOR

CCA acts as a data processor when:

• Processing personal data on behalf of enterprise clients
  
• Producing and shipping business cards as instructed
  

A Data Processing Agreement (DPA) governs such relationships where required.

CATEGORIES OF PERSONAL DATA

CCA processes only data necessary for defined purposes:

IDENTIFICATION DATA

• Name
  
• Business name
  
• Job title
  

CONTACT DATA

• Email address
  
• Phone number
  
• Shipping address
  

TRANSACTION DATA

• Order details
  
• Payment-related metadata (processed via third-party providers)
  

TECHNICAL DATA

• IP address
  
• Device/browser information (via cookies or analytics tools)
  

CCA does not intentionally collect special category (sensitive) data.

PURPOSES OF PROCESSING

Personal data is processed for:

• Order fulfillment (printing and shipping business cards)
  
• Customer account management
  
• Customer support
  
• Billing and transaction processing
  
• Legal and compliance obligations
  
• Service improvement and analytics (where applicable)
  

CCA limits processing to what is necessary and proportionate.

LEGAL BASES FOR PROCESSING (GDPR ARTICLE 6)

CCA relies on the following legal bases:

• Contractual Necessity to fulfill orders and services
  
• Legitimate Interests business operations, fraud prevention, service improvement
  
• Legal Obligations compliance with applicable laws
  
• Consent where required (e.g., cookies, marketing communications)
  

CCA does not rely on consent where another lawful basis is more appropriate.

INTERNATIONAL DATA TRANSFERS

All personal data is processed and stored in the United States.

Since the U.S. is not deemed to provide an adequate level of protection under GDPR, CCA uses appropriate safeguards where required, such as:

• Standard Contractual Clauses (SCCs)
  
• Contractual commitments with customers and vendors
  

CCA does not claim participation in frameworks unless formally certified.

DATA SHARING AND SUBPROCESSORS

CCA shares personal data only when necessary:

SERVICE PROVIDERS

• Payment processors
  
• Printing and fulfillment vendors
  
• Shipping/logistics providers
  
• IT and hosting providers (U.S.-based)
  

LEGAL REQUIREMENTS

• Government authorities where required by law
  

CCA ensures vendors are contractually bound to:

• Process data only as instructed
  
• Implement reasonable security measures
  

DATA RETENTION

CCA retains personal data only as long as necessary for:

• Contractual obligations
  
• Legal compliance
  
• Business operations
  

Retention periods are defined in the Data Retention Policy.

Data is securely deleted or anonymized when no longer required.

DATA SUBJECT RIGHTS (EU/UK INDIVIDUALS)

Individuals may have the following rights:

• Right of access
  
• Right to rectification
  
• Right to erasure
  
• Right to restrict processing
  
• Right to data portability
  
• Right to object
  
• Right to withdraw consent
  

Requests can be submitted via: Contact us form

CCA responds within applicable legal timelines (typically 30 days).

DATA SECURITY

CCA implements reasonable administrative, technical, and organizational safeguards, including:

• Access controls
  
• Secure transmission (e.g., HTTPS)
  
• Vendor due diligence
  
• Limited data access based on role
  

CCA does not represent its security as guaranteed or absolute.

COOKIES AND TRACKING

CCA uses cookies and similar technologies as described in its Cookie Policy.
Where required:

• Consent is obtained before non-essential cookies are used
  
• Users may manage preferences via the consent banner
  

DATA BREACH NOTIFICATION

In the event of a personal data breach:

• CCA will assess the risk promptly
  
• Notify affected parties and/or controllers as required
  
• Support regulatory notification obligations where applicable
  

EU/UK REPRESENTATION

CCA currently does not designate an EU or UK representative, based on:

• Limited and occasional processing
  
• Nature of services (primarily B2B order fulfillment)
  

CCA will reassess this requirement periodically.

CHILDRENS DATA

CCA services are not directed to children under 13 (or a higher age where required by applicable law), and CCA does not knowingly collect such data.

CHANGES TO THIS POLICY

CCA may update this GDPR Policy to reflect:

• Legal developments
  
• Operational changes
  

Updated versions will be posted with a revised effective date.

CONTACT INFORMATION

For GDPR-related inquiries or data requests:

Click Here to contact us.
Address:
Color Card Administrator (CCA)
7898 Ostrow Street, Suite E
San Diego, CA 92111
United States