GDPR Supplement

GDPR Controller and Processor Supplement

Last Updated: May 12, 2020

As noted in our Privacy Policies, Harvard Business Services, Inc. (the “Company,” we”, “us”) is both a data controller and a data processor under the EU General Data Protection Regulation. This Supplement on Processing Activities (“GDPR Supplement”) describes how the Company (physically located entirely in the U.S.) processes personal data under the GDPR. The Company recognizes that Article 30 of the GDPR imposes documentation requirements on data controllers and data processors. This GDPR Supplement describes how we comply with our obligations.

The Company is the data controller for the Website.  For our contact information, see the section in our general Privacy Policies headed “How to Contact Us”.

Categories of Data Subjects

Please see the Company’s Privacy Policy for information on the categories of persons from whom we collect data.

Categories of Personal Data

Please see the Company’s Privacy Policy for information on the categories of data we collect.

Purposes of Data Processing

The Company collects and processes personal data about Website users, persons with an account with the Company, and persons subscribed for our blog, podcasts, or other such materials for the following purposes:

• Maintaining and enhancing the Company’s products and services.
• Providing products and services to clients and client management.
• Account management.
• Direct marketing.
• Supporting network and system security.
• Complying with legal obligations.
• Conducting web analytics.

Categories of Personal Data Recipients

The Company discloses personal data to the following categories of recipients, a very small number of which may be (but none are currently) located in third countries:

• Business partners assisting in providing clients with certain services.

• Our professional advisors, such as lawyers (if necessary and only to the extent necessary) to enforce our rights under our agreement(s) with you or otherwise to defend ourselves in litigation or other disputes with you.

• Federal, state, and local law enforcement official (upon request or in response to an order or subpoena compelling disclosure).

• Third-parties that serve us with a valid documents and records subpoena.

• Third-party service providers, such as providers of IT system management.

The Company may make limited personal data transfers subject to the second sub-paragraph of Article 49(1) which are necessary for the Company’s compelling legitimate interests. The Company will comply with all reporting, disclosure, and sufficient analysis requirements of such sub-paragraph.

Personal Data Retention Periods

Except as otherwise permitted or required by applicable law or regulation, the Company retains personal data for as long as necessary to fulfill the purposes the Company collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes.

To determine the appropriate retention period for personal data, the Company considers the amount, nature, and sensitivity of personal data, the potential risk of harm from unauthorized use or disclosure of personal data, the purposes for processing the personal data, whether the employer can fulfill the purposes of processing by other means, and any applicable legal requirements. The Company does not retain payment information (e.g., credit card numbers, checking account numbers, etc.) after the payment is processed; such information is securely destroyed immediately after payment processing is complete.

Generally, the Company maintains client records of details regarding our formation and registered agent services indefinitely.  Other information is retained only for so long as there is a reason to retain it (e.g., blog and podcast info, questions put to our chatbot, or questions posed to or information collected by our sales and filing staff that do not result in a contract for services).

Technical and Organizational Security Measures

Please see our Privacy Policy for the technical and organizational security measures we take to protect your personal information and other information.

Changes to this Record of Processing Activities

The Company reserves the right to amend this GDPR Supplement in the same manner as the Company amends its Privacy Policy as a whole, which is described in the Privacy Policy.

Record of Processing Activities

This section describes how the Company processes personal data.

Data Processor Details:

Name: Harvard Business Services, Inc. (Data Processor)

Address: 16192 Coastal Highway, Lewes, DE 19958

Telephone Number: 1 (800) 345-2677

Website: www.delawareinc.com

Categories of Processing

Data Processor processes personal data on behalf of its clients, Website Users, and others (described in the Privacy Policy) for the following purpose(s):

• Research and analytics.
• Product development..
• Professional services.
• IT system management.
• Information security.