Legal
GDPR & Data Processing Agreement
Last updated: June 2026
This page describes how ReviewX complies with the EU General Data Protection Regulation (GDPR) and UK GDPR. Business and Enterprise customers who require a signed Data Processing Agreement (DPA) should refer to the DPA Terms section below.
1. Data Controller Details
For the purposes of GDPR and UK GDPR, the data controller is:
- Company: GCentrix Ltd
- Registered in: England and Wales
- Company No.: 15482930
- Address: 42 Farringdon Street, London, EC4A 4AB, United Kingdom
- ICO Reg. No.: ZB712044
- DPO Contact: [email protected]
Where GCentrix processes personal data on behalf of a Business or Enterprise customer (e.g., personal data embedded within retrieved review documents), GCentrix acts as a data processor and the customer is the data controller for that data.
2. Lawful Basis for Processing
We rely on the following lawful bases under Article 6 GDPR to process personal data:
- Contract (Art. 6(1)(b)): processing your account data (name, email, password) and usage data is necessary to perform the contract with you when you register for and use the Service.
- Legitimate interests (Art. 6(1)(f)): processing server logs, IP addresses, and aggregated analytics to detect fraud, maintain security, debug issues, and improve the Service. We have conducted a legitimate interests assessment confirming these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): retaining certain financial and transaction records to comply with UK tax law and financial regulations.
- Consent (Art. 6(1)(a)): for optional marketing communications only. You may withdraw consent at any time by clicking "Unsubscribe" in any email or contacting [email protected].
3. International Data Transfers
ReviewX stores data using cloud infrastructure that may involve transfers of personal data outside the UK / EEA. We ensure all such transfers are protected by appropriate safeguards:
- AWS S3 (object storage): data is stored in AWS eu-west-2 (London) region by default. Cross-region replication, if enabled for disaster recovery, is governed by AWS's Standard Contractual Clauses (SCCs / UK IDTA addendum).
- MongoDB Atlas (database): deployed in the EU / UK region with SCCs in place for any transfers to Atlas support infrastructure.
- Standard Contractual Clauses: for transfers to countries without an adequacy decision, we use the European Commission's approved SCCs (2021) and/or the UK IDTA.
4. Your Rights Under GDPR
Data subjects have the following rights, exercisable by contacting [email protected]:
- Right of access (Art. 15): obtain confirmation and a copy of data we hold.
- Right to rectification (Art. 16): correct inaccurate personal data.
- Right to erasure (Art. 17): "right to be forgotten", subject to legal holds.
- Right to restriction (Art. 18): limit processing in certain circumstances.
- Right to data portability (Art. 20): receive data in JSON format.
- Right to object (Art. 21): object to legitimate-interest based processing.
- Rights related to automated decision-making (Art. 22): ReviewX does not make solely automated decisions with significant legal effects.
We will respond to all valid requests within 30 calendar days. We may ask you to verify your identity before processing a request. If you are unsatisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) or the relevant EEA supervisory authority.
5. DPA Terms for Business & Enterprise Customers
If you are a Business or Enterprise subscriber and you process personal data of your customers or employees via ReviewX, a Data Processing Agreement is required under GDPR Article 28. Key terms of our standard DPA are:
- Scope: GCentrix processes personal data only as documented in our Privacy Policy and on documented instructions from you as the controller.
- Sub-processors: we maintain a public sub-processor list. We will give you 30 days' notice before adding new sub-processors that process your data, giving you the right to object.
- Security: we implement technical and organisational measures (TOMs) including encryption at rest (AES-256), encryption in transit (TLS 1.3), role-based access control, and regular vulnerability assessments.
- Breach notification: we will notify you within 72 hours of becoming aware of a personal data breach affecting your data.
- Audit rights: on reasonable written notice, you may request a summary of our most recent security audit or questionnaire (enterprise tier).
- Deletion: upon termination of your account, we will delete or return all personal data within 30 days, per our retention schedule.
To request a signed DPA, email [email protected] with subject line "DPA Request — [Your Company Name]". We will respond within 5 business days with a draft for review.
6. Contact the DPO
Our Data Protection Officer can be contacted for any GDPR-related enquiries, complaints, or requests:
Email: [email protected]
Post: Data Protection Officer, GCentrix Ltd, 42 Farringdon Street, London, EC4A 4AB, United Kingdom
Response time: We aim to acknowledge all GDPR enquiries within 5 business days and provide a full response within 30 calendar days.