GDPR Compliance

General Data Protection Regulation

Our Commitment to GDPR

MXBuildium is fully committed to compliance with the General Data Protection Regulation (GDPR). We respect your privacy rights and have implemented comprehensive measures to ensure your personal data is processed lawfully, fairly, and transparently.

This page outlines how we comply with GDPR requirements and what rights you have regarding your personal data.

GDPR Principles

We process personal data in accordance with the following GDPR principles:

1. Lawfulness, Fairness & Transparency

We process data lawfully, fairly, and in a transparent manner. You are always informed about how and why we use your data.

2. Purpose Limitation

We collect data for specified, explicit, and legitimate purposes only.

3. Data Minimization

We only collect data that is adequate, relevant, and limited to what is necessary.

4. Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date.

5. Storage Limitation

We keep personal data only as long as necessary for the purposes for which it was collected.

6. Integrity & Confidentiality

We implement appropriate security measures to protect personal data.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request access to your personal data and obtain a copy of the data we process about you.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data under certain circumstances.

Right to Restrict Processing

You can request restriction of the processing of your personal data in certain situations.

Right to Data Portability

You can request to receive your personal data in a structured, commonly used format, or have it transferred to another controller.

Right to Object

You can object to the processing of your personal data for direct marketing or where the processing is based on legitimate interests.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to perform our services under contract with you
  • Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, security)
  • Legal Obligation: Processing required to comply with legal obligations
  • Consent: Processing based on your explicit consent for specific purposes

International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party processors
  • Transfer to countries with adequacy decisions from the European Commission
  • Binding Corporate Rules where applicable

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO regarding any GDPR-related questions or concerns:

Email: dpo@mxbuildium.com

Address: Data Protection Officer, MXBuildium, 123 Property Lane, San Francisco, CA 94102

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach poses a high risk, we will also notify affected individuals without undue delay.

Exercising Your Rights

To exercise any of your GDPR rights, please:

  1. Log in to your account and visit the Privacy Settings page
  2. Email us at privacy@mxbuildium.com with your request
  3. Contact our Data Protection Officer at dpo@mxbuildium.com

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account data: Duration of account + 7 years (for legal and tax purposes)
  • Transaction records: 7 years (legal requirement)
  • Support tickets: 3 years
  • Marketing data: Until consent is withdrawn or 2 years of inactivity

Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information.

Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Any material changes will be communicated to you via email or through a prominent notice on our platform.

This GDPR compliance information is current as of November 20, 2025. For the most up-to-date information, please refer to our Privacy Policy.