GDPR | Retarga

Last updated: June 28, 2026

1. Introduction

The General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) is an EU law that gives individuals in the European Economic Area (EEA) strong rights over their personal data. This page explains how we comply with GDPR in our capacity as an independent freelance team operating through the Upwork platform, using Zoho Mail for communications, Cloudflare for infrastructure, and Cookiebot for consent management.

2. Our Role Under the GDPR

In relation to this informational website, we act as the data controller for the personal data collected through the contact form and any website analytics. Our technology providers act as data processors:

Zoho Corporation — processes contact form emails as our email provider
Cloudflare, Inc. — processes IP addresses and request data as our infrastructure provider
Usercentrics A/S (Cookiebot) — processes consent records as our consent management platform

When services are contracted through Upwork, Upwork Inc. may act as a separate data controller or processor according to their own GDPR documentation. We do not act as a data processor for clients' end-users' personal data unless explicitly agreed in a written Data Processing Agreement (DPA) as part of a project scope on Upwork.

3. Lawful Basis for Processing (Art. 6 GDPR)

We rely on the following lawful bases:

Consent (Art. 6(1)(a)) — contact form submissions and non-essential cookie placement
Legitimate interests (Art. 6(1)(f)) — Cloudflare security and DDoS protection, website operation
Contract performance (Art. 6(1)(b)) — service delivery through Upwork
Legal obligation (Art. 6(1)(c)) — where required by applicable law

4. GDPR Principles We Follow (Art. 5)

Lawfulness, fairness, and transparency — we only collect data with a valid legal basis and inform you clearly through this policy
Purpose limitation — data is collected for specified, explicit, and legitimate purposes only; not further processed incompatibly
Data minimisation — we collect only data that is necessary for the stated purpose
Accuracy — we take reasonable steps to ensure data is accurate and, where necessary, kept up to date
Storage limitation — data is not kept longer than necessary (see retention periods in our Privacy Policy)
Integrity and confidentiality — appropriate security measures are applied to protect data against unauthorised access, loss, or destruction

5. Your Rights as a Data Subject

As a data subject in the EEA or UK, you have the following rights, which we will honour within 30 calendar days of a valid, verified request:

Right of Access (Art. 15)

Obtain a copy of the personal data we hold about you and information on how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data without undue delay.

Right to Erasure (Art. 17)

Request deletion of your data in certain circumstances (e.g., consent withdrawn, data no longer necessary).

Right to Restriction (Art. 18)

Limit how we process your data while a dispute is pending or an objection is considered.

Right to Portability (Art. 20)

Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests; we must cease unless compelling grounds override your interests.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time without affecting the lawfulness of prior consent-based processing.

Right Not to Be Subject to Automated Decisions (Art. 22)

We do not engage in automated decision-making or profiling that produces significant legal effects.

6. Data Transfers Outside the EEA

Some of our third-party processors are based in or transfer data to the United States. We ensure these transfers are covered by appropriate safeguards:

Upwork Inc. — participates in the EU-U.S. Data Privacy Framework and provides SCCs
Cloudflare, Inc. — provides a GDPR-compliant Data Processing Addendum and relies on SCCs per Commission Decision 2021/914/EU
Zoho Corporation — provides a Data Processing Addendum and relies on SCCs for EEA data transfers

7. Consent Management (Cookiebot)

We use Cookiebot by Usercentrics A/S (Denmark, EU) as our Consent Management Platform. Cookiebot automatically blocks non-essential cookies until you provide consent. This ensures compliance with the EU ePrivacy Directive and GDPR Article 7. Consent records are stored by Cookiebot for audit purposes for 12 months.

8. Security Measures (Art. 32)

Appropriate technical and organisational measures we apply include:

HTTPS/TLS encryption for all web communications (enforced by Cloudflare)
DDoS protection and Web Application Firewall (WAF) via Cloudflare
Access controls limiting who can view contact form submissions in Zoho Mail
Secure, encrypted project communications via Upwork's platform
Regular review of our data handling practices

9. Data Breach Notification (Art. 33–34)

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected data subjects without undue delay where required.

10. Supervisory Authority

If you believe we have not handled your data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities can be found at edpb.europa.eu.

11. Contact for GDPR Requests

To submit a data subject access request or exercise any of your rights, contact us via our contact form or at info@retarga.org. Please include "GDPR Request" in your message subject. We will respond within 30 calendar days.

GDPR Compliance