1. Purpose and Scope of the Privacy Policy

1.1 The company ftc.store, hereinafter referred to as "the Controller," respects the privacy of all individuals and is committed to protecting personal data in accordance with the General Data Protection Regulation (EU Regulation 2016/679), hereinafter referred to as "the GDPR." This Privacy Policy explains in detail how the Controller collects, uses, stores, shares, and protects personal data of individuals who visit the website ftc.store, make purchases, or otherwise interact with the Controller's services.

1.2 This Privacy Policy applies to all processing operations concerning personal data carried out by ftc.store in connection with the operation of its online store, the provision of goods and services, customer relationship management, and all related business activities. The policy applies regardless of whether the individual accesses the website through a desktop computer, mobile device, tablet, or any other means of electronic communication.

1.3 This Privacy Policy provides comprehensive information about what categories of personal data are collected and processed by the Controller, the specific purposes for which personal data is processed and the legal basis relied upon for each processing activity, the retention periods applicable to different categories of personal data, which data is mandatory for the provision of services and which data is voluntary, the technical and organizational measures implemented to protect personal data, the categories of recipients who may receive personal data from the Controller, and the rights available to individuals under the GDPR with clear instructions on how these rights may be exercised.

Privacy Policy

2. Definitions

2.1 For the purposes of this Privacy Policy, the following definitions shall apply in accordance with the GDPR and applicable data protection legislation.

2.2 "Personal data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2.3 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Processing includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

2.4 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Privacy Policy, the Controller is ftc.store.

2.5 "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

2.6 "Consent" means any freely given, specific, informed, and unambiguous indication of the individual's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2.7 "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Principles of Data Processing

3.1 The Controller processes all personal data in accordance with the fundamental principles established by the GDPR. The Controller processes personal data lawfully, fairly, and in a transparent manner in relation to the individual. The Controller collects personal data only for specified, explicit, and legitimate purposes and does not further process personal data in a manner that is incompatible with those purposes.

3.2 The Controller adheres to the principle of data minimization, which means that personal data collected and processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Controller ensures that personal data is accurate and, where necessary, kept up to date. The Controller limits the storage of personal data to a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.

3.3 The Controller processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. The Controller is able to demonstrate compliance with all of these principles through comprehensive documentation, regular audits and assessments, appropriate policies and procedures, and staff training on data protection requirements.

4. Legal Basis for Processing Personal Data

4.1 The Controller processes personal data only when there is a valid legal basis for doing so, as required by Article 6 of the GDPR.

4.2 The Controller may process personal data where the individual has given consent to the processing of his or her personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. Where the Controller relies on consent as the legal basis for processing, the individual has the right to withdraw that consent at any time.

4.3 The Controller may process personal data where processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract. This legal basis applies to the processing of personal data that is objectively necessary to deliver the goods or services that the individual has requested.

4.4 The Controller may process personal data where processing is necessary for compliance with a legal obligation to which the Controller is subject. This legal basis applies where the Controller must process personal data in order to comply with a legal requirement imposed by European Union law or the law of a Member State to which the Controller is subject.

4.5 The Controller may process personal data where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data. Before relying on this legal basis, the Controller conducts a balancing test to assess whether the legitimate interest is proportionate and whether it overrides the individual's rights and interests.

5. Categories of Personal Data Collected

5.1 The Controller collects identification and contact data, which includes the individual's full name, email address, postal address including street address, city, postal code and country, telephone number, and date of birth for the purpose of verifying that the individual is at least eighteen years of age.

5.2 The Controller collects account and authentication data, which includes username or account identifier, password in encrypted form, account creation date and time, and information about login history including dates, times, and IP addresses of login attempts for security purposes.

5.3 The Controller collects transaction and order data, which includes order identification numbers, details of products or services ordered, pricing information including taxes, shipping costs and discounts applied, order date and time, order status information, delivery information, and purchase history.

5.4 The Controller collects payment and financial data necessary to process payments. The Controller does not directly collect or store complete payment card details such as full credit card numbers or security codes. Payment card information is provided directly to the Controller's payment service providers who are certified as compliant with the Payment Card Industry Data Security Standard. The Controller receives from payment service providers only limited information such as the last four digits of the card number, the card type, and the expiration date.

5.5 The Controller collects communication and correspondence data when individuals contact the Controller, which includes the content of email messages, messages sent through contact forms, customer service interactions, and metadata associated with communications such as date, time, and subject matter.

5.6 The Controller collects technical and device data automatically when individuals access the ftc.store website, which includes Internet Protocol addresses, device type, operating system and version, browser type and version, and information about the internet service provider.

5.7 The Controller collects usage and behavioral data that describes how individuals interact with the website, which includes pages visited, date and time of page views, how the individual arrived at the website, actions taken such as products viewed and items added to shopping cart, and session duration.

5.8 The Controller collects age verification data to ensure compliance with the requirement that only individuals aged eighteen years or older may use the ftc.store website and services. The Controller collects date of birth during account registration to verify that the individual has reached the required minimum age.

5.9 The Controller does not knowingly collect personal data from individuals under the age of eighteen years. If the Controller becomes aware that personal data has been collected from an individual under eighteen years of age, the Controller will take immediate steps to delete such data and to terminate any account created by such individual.

6. Purposes of Personal Data Processing and Legal Basis

6.1 The Controller processes personal data for the purpose of account creation and management. This processing is necessary to establish the contractual relationship between the individual and the Controller, to create a unique user account that can be accessed securely, to verify that the individual meets the minimum age requirement of eighteen years, and to enable the individual to access account features. The legal basis for this processing is that it is necessary for the performance of the contract between the individual and the Controller.

6.2 The Controller processes personal data for the purpose of processing and fulfilling orders. This processing is necessary to verify order details, process payment, arrange for delivery of purchased goods, provide order confirmations and shipping notifications, handle any issues that arise during order fulfillment, and maintain records of the transaction for accounting, tax, and legal purposes. The legal basis for this processing is that it is necessary for the performance of the contract between the individual and the Controller.

6.3 The Controller processes personal data for the purpose of payment processing and fraud prevention. The legal basis for this processing is that it is necessary for the performance of the contract and that it is necessary for the legitimate interests of the Controller in preventing fraud and protecting the security of the payment system.

6.4 The Controller processes personal data for the purpose of customer service and support. This processing is necessary to understand and respond to inquiries, provide technical support, assist with order-related issues, process returns and refunds, resolve complaints and disputes, and improve the quality of customer service. The legal basis for this processing is that it is necessary for the performance of the contract where the inquiry relates to an existing order or account, and that it is necessary for the legitimate interests of the Controller in providing quality customer service.

6.5 The Controller processes personal data for the purpose of legal compliance and regulatory obligations. The Controller is required to maintain financial records as required by tax and commercial law, prepare and file tax returns and reports, and respond to inquiries from regulatory bodies. The legal basis for this processing is that it is necessary for compliance with legal obligations to which the Controller is subject.

6.6 The Controller processes personal data for the purpose of website operation and security. This processing ensures the website functions properly, identifies and fixes technical issues, monitors website performance, prevents unauthorized access, detects and blocks malicious activity, and protects the website infrastructure from security threats. The legal basis for this processing is that it is necessary for the legitimate interests of the Controller in operating a secure and functional website.

6.7 The Controller processes personal data for the purpose of analyzing website usage and improving services. The Controller processes usage data in aggregated or anonymized form to understand how users interact with the website, identify popular products and features, determine areas where users experience difficulties, and make data-driven decisions about website improvements. The legal basis for this processing is that it is necessary for the legitimate interests of the Controller in understanding customer needs and improving services.

6.8 The Controller processes personal data for the purpose of preventing and detecting fraud, abuse, and illegal activity. This processing identifies patterns consistent with fraudulent orders, detects unauthorized account access, prevents the use of stolen payment information, and protects the Controller's business from financial losses. The legal basis for this processing is that it is necessary for the legitimate interests of the Controller in protecting its business operations and preventing financial crime.

6.9 The Controller does not process personal data for purposes of direct marketing, promotional communications, or newsletters. The Controller does not send marketing emails or promotional materials to individuals. All communications sent by the Controller are transactional in nature, relating to specific orders, account matters, or customer service inquiries.

6.10 The Controller does not use cookies, tracking pixels, or similar tracking technologies on the ftc.store website. Any data collected about website usage is collected through server logs and is used solely for the operational purposes described in this Privacy Policy.

7. Mandatory and Voluntary Personal Data

7.1 Certain personal data is mandatory for the creation of an account. In order to create an account, the individual must provide full name, email address, password, and date of birth. If the individual does not provide this mandatory information, the Controller cannot create an account.

7.2 Certain personal data is mandatory for the processing of orders. In order to place an order, the individual must provide full name, email address, shipping address, billing address if different from shipping address, and payment information. If the individual does not provide this mandatory information, the Controller cannot process the order.

7.3 Telephone number is voluntary for most purposes but may be beneficial for delivery notifications and customer service communications. Providing a telephone number facilitates faster resolution of delivery issues, but if the individual chooses not to provide a telephone number, the order can still be processed.

7.4 Age verification information is mandatory for all users. All users must provide their date of birth during account creation or before completing a purchase. If an individual does not provide accurate age verification information or if the information indicates that the individual is under eighteen years of age, the Controller will not allow the individual to create an account or place orders.

8. Data Retention Periods

8.1 The Controller retains personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce agreements.

8.2 The Controller retains account data for the duration of the time that the account remains active. If an individual closes their account or requests deletion, the Controller deletes the account profile data within thirty days of account closure, except for data that must be retained longer due to legal requirements.

8.3 The Controller retains order and transaction data for a period of ten years from the date of the transaction. This extended retention period is required by tax legislation, accounting laws, and consumer protection legislation. Order and transaction data subject to this ten-year retention period includes order identification numbers, product descriptions and quantities, pricing information, payment records, delivery information, invoices, and receipts.

8.4 The Controller retains customer service communications for a period that depends on the nature of the communication. Email inquiries and responses are retained until the issue has been resolved, plus one year thereafter. Support tickets are retained for three years after closure. Communications related to complaints are retained for three years from the date of final resolution.

8.5 The Controller does not send marketing communications or newsletters and therefore does not maintain marketing email lists. All communications sent by the Controller are transactional in nature.

8.6 The Controller retains website analytics and usage data in identifiable form for a period of twenty-six months. After twenty-six months, usage data is either securely deleted or irreversibly anonymized. Server logs containing IP addresses are retained for six months for security monitoring purposes and then deleted or anonymized.

8.7 The Controller does not use cookies or similar tracking technologies, and therefore there are no cookie-related retention periods.

8.8 The Controller does not store complete payment card information. Limited payment information received from payment processors is retained as part of transaction records for the full ten-year retention period applicable to orders and transactions.

8.9 The Controller retains backup copies of data for a period of ninety days. Data that has been deleted from active systems may persist in backup systems for up to ninety days before being permanently deleted from all systems.

8.10 The Controller may retain personal data beyond the standard retention periods where retention is necessary for the establishment, exercise, or defense of legal claims. Where legal proceedings have been commenced or where there is a reasonable likelihood that a claim may be brought, personal data relevant to the legal matter is retained until the matter has been finally resolved.

9. Sharing of Personal Data with Third Parties

9.1 The Controller may share personal data with third parties only when necessary to provide services, comply with legal obligations, or with the individual's explicit consent. The Controller never sells personal data to third parties.

9.2 The Controller shares personal data with payment service providers for the purpose of processing payments. Payment card information is transmitted directly from the individual's browser to the payment service provider using secure encryption. The legal basis for sharing data with payment service providers is that it is necessary for the performance of the contract. The Controller uses only payment service providers that are certified as compliant with the Payment Card Industry Data Security Standard.

9.3 The Controller shares personal data with shipping and delivery service providers for the purpose of delivering purchased goods. The Controller provides to the delivery service the recipient's name, delivery address, and telephone number if provided. The legal basis for sharing data with delivery service providers is that it is necessary for the performance of the contract.

9.4 The Controller shares personal data with information technology service providers who provide essential technical infrastructure and services, including web hosting companies, cloud storage providers, and email service providers. The legal basis for sharing data with IT service providers is that it is necessary for the legitimate interests of the Controller in operating a functional and secure website. The Controller has data processing agreements with all IT service providers.

9.5 The Controller may share personal data with professional advisors including lawyers, accountants, auditors, and tax advisors when necessary to obtain professional services. The legal basis for sharing data with professional advisors is that it is necessary for the legitimate interests of the Controller in obtaining professional advice and services. Professional advisors are subject to professional confidentiality obligations.

9.6 The Controller may share personal data with government authorities, law enforcement agencies, regulators, courts, and other public bodies when required or permitted by law. The legal basis for sharing data with governmental authorities is that it is necessary for compliance with legal obligations to which the Controller is subject.

9.7 All third parties with whom the Controller shares personal data are carefully selected based on their ability to protect personal data and comply with applicable laws. Where third parties act as processors of personal data on behalf of the Controller, the Controller enters into written data processing agreements that comply with Article 28 of the GDPR.

10. International Data Transfers

10.1 The Controller's primary operations are located within the European Economic Area. The Controller stores personal data primarily on servers located within the European Economic Area. However, some third-party service providers may be located in countries outside the European Economic Area.

10.2 When personal data is transferred to a country outside the European Economic Area, the Controller ensures that appropriate safeguards are in place. The Controller may transfer personal data to third countries that have been determined by the European Commission to ensure an adequate level of data protection through an adequacy decision.

10.3 When personal data is transferred to a third country that has not been subject to an adequacy decision, the Controller relies on Standard Contractual Clauses approved by the European Commission. The Controller ensures that all processors located in third countries that receive personal data enter into Standard Contractual Clauses.

10.4 In addition to implementing Standard Contractual Clauses, the Controller conducts a transfer impact assessment to verify that the laws and practices of the destination country do not impair the effectiveness of the safeguards provided by the Standard Contractual Clauses.

11. Data Security Measures

11.1 The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.

11.2 The Controller implements encryption to protect personal data both in transit and at rest. All data transmitted between individuals' devices and the Controller's servers is encrypted using Transport Layer Security protocol. Personal data stored in the Controller's databases is encrypted using industry-standard encryption algorithms. Passwords are processed using cryptographic hash functions with salt. Payment card information is never stored by the Controller and is handled exclusively by payment service providers who maintain Payment Card Industry Data Security Standard compliance.

11.3 The Controller implements robust access controls to ensure that personal data is accessed only by authorized personnel who have a legitimate business need to access the data. Access rights are granted on the principle of least privilege and are reviewed regularly. The Controller implements multi-factor authentication for access to systems containing personal data. Administrative access to systems and databases is logged and monitored.

11.4 The Controller uses secure, professionally managed hosting infrastructure. The servers on which personal data is stored are located in secure data centers with physical security measures including perimeter fencing, security guards, surveillance cameras, and access control systems.

11.5 The Controller implements network security measures including firewalls to filter network traffic and intrusion detection systems to monitor for suspicious activity. The Controller's network is configured to segregate systems based on their security requirements.

11.6 The Controller maintains a regular schedule of software updates and security patches. Operating systems, web servers, database systems, and all other software components are kept up to date with the latest security patches.

11.7 The Controller implements backup and disaster recovery procedures to protect against data loss. Personal data is backed up regularly to secure, geographically separate locations. Backups are encrypted and the Controller regularly tests backup restoration procedures.

11.8 The Controller implements monitoring and logging to detect security incidents. System logs record access to personal data and other security-relevant events. Automated monitoring systems analyze logs in real time to detect potential security incidents.

11.9 The Controller provides security awareness training to all employees who have access to personal data. Training covers the importance of data protection, the Controller's policies and procedures, how to recognize and report security incidents, and safe computing practices.

11.10 The Controller has implemented policies and procedures for responding to personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the Controller will notify the relevant supervisory authority within seventy-two hours. Where a breach is likely to result in a high risk to individuals, the Controller will notify affected individuals without undue delay.

12. Age Restrictions and Protection of Minors

12.1 The ftc.store website and services are intended for use only by individuals who have reached the age of eighteen years. The Controller does not knowingly offer services to, collect personal data from, or process personal data of individuals who are under eighteen years of age.

12.2 All individuals who create accounts on the ftc.store website are required to provide their date of birth during the registration process. The Controller's registration system automatically calculates the individual's age and compares it to the required minimum age of eighteen years. If the system determines that the individual is under eighteen years of age, the registration process is immediately terminated and no account is created.

12.3 If the Controller becomes aware that it has collected personal data from an individual under the age of eighteen years, the Controller will take immediate action to delete all personal data associated with the individual, including account information, order history, and any communications. If payment has been processed for an order placed by someone under eighteen years of age, the Controller will refund the payment.

12.4 Parents or legal guardians who become aware that their child under the age of eighteen years has created an account or made a purchase on ftc.store should contact the Controller immediately using the contact details provided in Section 19 of this Privacy Policy.

13. Rights of Individuals Under the GDPR

13.1 The GDPR provides individuals with specific rights regarding their personal data.

13.2 The right of access entitles individuals to obtain from the Controller confirmation as to whether or not personal data concerning them is being processed and, where such processing is occurring, to access that personal data. The individual is entitled to receive a copy of the personal data undergoing processing. The first copy is provided free of charge.

13.3 The right to rectification entitles individuals to obtain from the Controller the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.

13.4 The right to erasure, also known as the "right to be forgotten," entitles individuals to obtain erasure of personal data concerning them where the personal data is no longer necessary in relation to the purposes for which it was collected, where the individual withdraws consent and there is no other legal ground for processing, where the individual objects to processing and there are no overriding legitimate grounds, or where the personal data has been unlawfully processed. The right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

13.5 The right to restriction of processing entitles individuals to obtain restriction of processing where the individual contests the accuracy of the personal data, where the processing is unlawful and the individual opposes erasure and requests restriction instead, where the Controller no longer needs the personal data but the individual requires it for legal claims, or where the individual has objected to processing pending verification of whether legitimate grounds override the individual's interests.

13.6 The right to data portability entitles individuals to receive the personal data concerning them which they have provided to the Controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

13.7 The right to object entitles individuals to object on grounds relating to their particular situation to processing based on legitimate interests. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims.

13.8 Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The Controller does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect individuals.

13.9 Individuals have the right to withdraw consent at any time where processing is based on consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

13.10 Individuals have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR. Contact details for supervisory authorities in European Economic Area countries can be found at https://edpb.europa.eu/about-edpb/board/members_en.

13.11 Individuals have the right to an effective judicial remedy and the right to receive compensation for material or non-material damage resulting from an infringement of the GDPR.

14. How to Exercise Your Rights

14.1 To exercise any of the rights described in Section 13, individuals should submit a request to the Controller by sending an email to support@ftc.store or by sending a letter by postal mail to the Controller's address as specified in Section 19 of this Privacy Policy.

14.2 All requests must include sufficient information to enable the Controller to identify the individual making the request and to locate their personal data. Individuals should clearly state which right they wish to exercise and provide sufficient detail about what they are requesting.

14.3 The Controller must verify the identity of individuals making requests before responding. For requests submitted by email from an email address that matches the email address in the Controller's records, the Controller may accept the email address as sufficient verification. For requests involving particularly sensitive data or from unrecognized email addresses, the Controller may request additional verification.

14.4 The Controller will respond to requests without undue delay and in any event within one month of receipt of the request. Where requests are complex or numerous, the Controller may extend the period of response by two further months, in which case the Controller will inform the individual of the extension and the reasons within one month of receipt of the request.

14.5 The Controller provides information on action taken on requests free of charge. However, where requests are manifestly unfounded or excessive, the Controller may charge a reasonable fee or refuse to act on the request.

14.6 If the Controller decides not to take action on a request, the Controller will inform the individual within one month of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

15. Right to Object - Special Provisions

15.1 The individual has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. According to Article 21, Paragraph 4 of the GDPR, the right to object shall be explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information.

15.2 The individual has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or which is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child, including profiling based on any of these provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims. The individual can exercise this right by submitting a written request to the Controller, either by post at the address specified in Section 19 of this Privacy Policy or by e-mail to support@ftc.store.

15.3 Where personal data are processed for direct marketing purposes, the individual has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. However, as noted in Section 6 of this Privacy Policy, the Controller does not process personal data for direct marketing purposes.

16. Changes to This Privacy Policy

16.1 The Controller may update this Privacy Policy from time to time to reflect changes in processing practices, legal requirements, or business operations.

16.2 When the Controller makes changes to this Privacy Policy, the updated version will be posted on the ftc.store website with a new "Last Updated" date. Material changes to the Privacy Policy will be highlighted on the website.

16.3 For significant changes that materially affect how personal data is processed or that reduce the protections afforded to individuals, the Controller may notify affected individuals by email or through prominent notice on the website.

16.4 Individuals are encouraged to review this Privacy Policy periodically to stay informed about how the Controller processes personal data.

17. Supervisory Authority and Complaints

17.1 Individuals who believe that the Controller has not complied with this Privacy Policy or with applicable data protection law have the right to lodge a complaint with a supervisory authority.

17.2 The supervisory authority is an independent public authority established by a Member State of the European Union to monitor the application of the GDPR and protect the fundamental rights and freedoms of individuals in relation to processing of personal data.

17.3 Individuals may lodge a complaint with the supervisory authority in the Member State of their habitual residence, their place of work, or the place of the alleged infringement.

17.4 Contact information for supervisory authorities in all European Economic Area countries is available on the website of the European Data Protection Board at https://edpb.europa.eu/about-edpb/board/members_en.

17.5 The Controller encourages individuals to contact the Controller first to attempt to resolve any concerns, but individuals are not required to do so before lodging a complaint with a supervisory authority.

18. Legal Remedies and Compensation

18.1 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each individual has the right to an effective judicial remedy where the individual considers that their rights under the GDPR have been infringed as a result of the processing of their personal data in non-compliance with the GDPR.

18.2 Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the Controller for the damage suffered.

18.3 Claims for compensation may be brought before the courts of the Member State where the Controller has an establishment or where the individual has their habitual residence.

19. Contact Information

19.1 For questions, concerns, or to exercise rights regarding personal data, individuals may contact the Controller using the following information:

Controller: ftc.store
Email: support@ftc.store

19.2 The Controller will respond to all inquiries within one month of receipt, or within two months for complex inquiries with notification of the extension provided within the first month.

19.3 Individuals may contact the Controller to request additional information about any aspect of this Privacy Policy, to obtain clarification about how their personal data is processed, to exercise their rights under the GDPR, to report suspected security incidents or data breaches, or to raise any other privacy-related concerns.