Update privacy policy for GDPR compliance

src/privacy-policy.md

@@ -51,9 +51,10 @@ Our Service is designed for businesses and their representatives. We do not offe
  - **Online activity data**, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our marketing emails or clicked links within them.
 
 **Cookies and similar technologies**. Like many online services, we, our service providers, and our business partners may use the following technologies:
+ - **Cookies**, which are text files that websites store on a visitor‘s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and facilitating analytics.
 
+You can manage your cookie preferences at any time through the <a class="underline cursor-pointer" type="button" data-cc="show-preferencesModal">cookie banner</a> available on the site. No analytics, functional or advertising cookies are set without your prior consent.
 
- - **Cookies**, which are text files that websites store on a visitor‘s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and facilitating analytics.
  - **Web beacons**, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
 
 **Data about others**. Users of the Service may have the opportunity to refer friends or other contacts to us and share their contact information with us. Please do not refer someone to us or share their contact information with us unless you have their permission to do so.
@@ -107,7 +108,8 @@ You have the following choices with respect to your personal information.
 
 **Opt-out of marketing communications.**  You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by <a href="#how-to-contact-us">contacting us</a>.  Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.
 
-**Cookies.** Most browser settings let you delete and reject cookies placed by websites. Many browsers accept cookies by default until you change your settings. If you do not accept cookies, you may not be able to use all functionality of the Service and it may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit <a href="https://allaboutcookies.org">https://allaboutcookies.org</a>.
+
+**Cookies and consent management.** You can manage your cookie preferences at any time using the <a class="underline cursor-pointer" type="button" data-cc="show-preferencesModal">cookie banner</a> on our site. No analytics or advertising cookies will be set without your explicit consent. Most browsers allow you to delete and reject cookies. If you do not accept cookies, some features of the site may not be available. For more information about cookies and how to manage them, visit <a href="https://allaboutcookies.org">https://allaboutcookies.org</a>.
 
 **Do Not Track.** Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit.  We currently do not respond to “Do Not Track” or similar signals.  To find out more about “Do Not Track,” please visit <a href="https://allaboutdnt.com">https://allaboutdnt.com</a>.
 
@@ -123,7 +125,7 @@ We employ technical, organizational and physical safeguards designed to protect
 
 ## <span name="international-data-transfer">International data transfer</span>
 
-We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.
+We are headquartered in the United States and may use service providers that operate in other countries, including the European Economic Area (EEA). Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country.
 
 ## <span name="children">Children</span>
 
@@ -133,6 +135,31 @@ The Service is not intended for use by children under 16 years of age. If we lea
 
 We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. If required by law we will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via email or another manner through the Service.  Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.
 
+## <span name="european-users">Additional Information for European Users</span>
+
+If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the following additional information applies to you.
+
+**Legal Bases for Processing**
+We process your personal information on the following legal bases:
+* **Consent:** For marketing communications and the use of non-essential cookies (Analytics, Functional, and Advertising).
+* **Contractual Necessity:** To provide the Service and support you have requested.
+* **Legitimate Interests:** To protect our Service, prevent fraud (such as via reCAPTCHA), and improve our product offerings.
+
+**Your Rights**
+Under the GDPR, you have the following rights:
+* **Right to Access/Portability:** Request a copy of your data in a structured format.
+* **Right to Erasure:** Request that we delete your personal information.
+* **Right to Object/Restrict:** Object to our processing of your data for legitimate interests or request we limit how we use it.
+* **Right to Withdraw Consent:** Withdraw your consent for cookies or marketing at any time.
+* **Right to Complain:** You have the right to lodge a complaint with your local Data Protection Authority.
+
+To exercise any of these rights, please follow the instructions in the [How to contact us](#how-to-contact-us) section below. We will respond to your request within 30 days.
+
+**International Transfers**
+When we transfer data to the United States, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
+* **Standard Contractual Clauses (SCCs):** We use specific contracts approved by the European Commission.
+* **Data Center Selection:** We utilize EU-based data centers (e.g., HubSpot EU1 region) where available to minimize transfer risks.
+
 ## <span name="how-to-contact-us">How to contact us</span>
 
  - **Email:** `contact@flowfuse.com`