All systems operational Kyiv, UA · Mon–Fri 09:00–18:00 EET
+380 44 235 88 10 info@codeforgetful.com

Legal

GDPR & Data Protection

Last updated: 1 January 2026

Code Forgetful LLC serves clients in Ukraine and the European Union. Where we process the personal data of individuals located in the EU or the EEA, we do so in compliance with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR). This page explains our obligations under the GDPR and the rights available to data subjects.

1. Data Controller Identity

The data controller responsible for your personal data is:

  • Company name: Code Forgetful LLC
  • Registered address: 7 Baseina Street, Office 14, Kyiv 01004, Ukraine
  • Data protection contact: privacy@codeforgetful.com

We have designated a data protection contact who can address any question about how we process personal data. You may also correspond with us by post at the address above, marking your envelope "Data Protection".

2. Scope of This Notice

This notice applies to personal data processed by Code Forgetful in its capacity as a data controller — primarily data we collect through this website (contact form submissions, cookie analytics) and in connection with client relationships. Where Code Forgetful processes personal data on behalf of a client (for example, during software development work that involves client-owned data), we act as a data processor; the client's own privacy notice governs those activities, and we are bound by a Data Processing Agreement.

3. Lawful Bases for Processing

We process personal data under the following lawful bases pursuant to Article 6 of the GDPR:

  • Consent (Art. 6(1)(a)): where you have freely given, specific, informed and unambiguous consent — for example, by submitting our contact form or accepting non-essential cookies. You have the right to withdraw consent at any time; withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Contract performance (Art. 6(1)(b)): where processing is necessary to enter into or perform a contract with you, including managing our client relationship, project delivery and invoicing.
  • Legitimate interests (Art. 6(1)(f)): where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights. Legitimate interests we rely on include operating and improving our website, preventing fraud and abuse, and managing routine business administration. We carry out a Legitimate Interests Assessment before relying on this basis.
  • Legal obligation (Art. 6(1)(c)): where we are required to process data to comply with a legal obligation under Ukrainian or EU law, including tax, accounting and anti-money-laundering requirements.

4. Your Rights as a Data Subject

Under the GDPR, data subjects have the following rights. You may exercise any of these rights by contacting us at privacy@codeforgetful.com. We will respond within one calendar month of receiving your verified request; complex or numerous requests may be extended by a further two months, in which case we will notify you within the first month.

4.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about: the purposes of processing, the categories of data, who it has been shared with, the retention period, and your other rights under the GDPR. The first copy is provided free of charge; for further copies we may charge a reasonable administrative fee.

4.2 Right to Rectification (Art. 16)

If the personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected without undue delay. We will notify any third parties to whom we have disclosed the data of any correction, unless this proves impossible or involves disproportionate effort.

4.3 Right to Erasure — "Right to be Forgotten" (Art. 17)

You have the right to request the deletion of your personal data where:

  • the data is no longer necessary for the purposes for which it was collected;
  • you withdraw consent and there is no other lawful basis for processing;
  • you object to processing and there are no overriding legitimate grounds;
  • the data has been unlawfully processed; or
  • erasure is required to comply with a legal obligation.

Erasure may not be possible where we are required to retain data by law (for example, for accounting purposes) or where the data is necessary for establishing, exercising or defending legal claims. Where erasure is not possible, we will restrict processing and notify you.

4.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your personal data (i.e., store it but not use it) in the following circumstances:

  • you contest the accuracy of the data, pending verification;
  • the processing is unlawful but you prefer restriction to erasure;
  • we no longer need the data but you require it for legal claims; or
  • you have objected to processing pending our assessment of whether legitimate grounds override your interests.

We will lift the restriction when the grounds no longer apply, and will notify you before doing so.

4.5 Right to Data Portability (Art. 20)

Where we process your data on the basis of consent or contract performance, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit it to another controller. This right applies only to data you have provided to us directly.

4.6 Right to Object (Art. 21)

You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including any profiling based on that ground. Upon receipt of your objection we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that the processing is necessary for legal claims.

Where we process your data for direct marketing purposes, you have an absolute right to object at any time and we will cease processing for that purpose immediately.

4.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based solely on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent for cookie analytics, use the cookie settings link in the site footer. To withdraw consent for contact form data, email privacy@codeforgetful.com.

4.8 Rights Related to Automated Decision-Making (Art. 22)

We do not subject individuals to solely automated decision-making, including profiling, that produces legal or similarly significant effects. If we implement any such process in future, we will update this notice and ensure appropriate safeguards are in place.

5. How to Exercise Your Rights

To exercise any of the above rights, send a written request to privacy@codeforgetful.com or by post to our registered address. Please include: your full name, email address associated with any data you have provided us, a clear description of the right you wish to exercise and, where relevant, specific details of the data in question.

We may need to verify your identity before acting on a request to protect against unauthorised access. Identity verification will be proportionate and will not require excessive personal data. We will not charge a fee for acting on a request unless it is manifestly unfounded or repetitive, in which case we may charge a reasonable administrative fee or decline the request, notifying you of our reasons.

6. International Transfers of Personal Data

Our primary operations and data storage are located in Ukraine and within the European Economic Area. Where we engage service providers that process personal data in third countries outside the EEA and without an EU adequacy decision, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Binding Corporate Rules where applicable; or
  • Transfer to countries that have received a formal adequacy decision from the European Commission.

A copy of the applicable safeguards can be provided on request by contacting privacy@codeforgetful.com.

7. Data Retention

We retain personal data only for as long as necessary for the stated purpose or as required by law. Our detailed retention schedule is described in our Privacy Policy (Section 5). After the applicable retention period, data is securely deleted or anonymised so that it can no longer be associated with any individual.

8. Security of Processing

We implement appropriate technical and organisational security measures — including encryption in transit (HTTPS/TLS), access controls, regular security assessments and staff training — to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.

9. Supervisory Authority

If you are located in the EU or EEA and consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of EU supervisory authorities is available at edpb.europa.eu.

For data subjects in Ukraine, oversight of data protection matters is provided by the Ukrainian Parliament Commissioner for Human Rights (Ombudsperson). We encourage you to contact us first so that we have the opportunity to address your concern directly.

10. Updates to This Notice

We may update this GDPR notice from time to time to reflect changes in our processing activities, legal requirements or guidance from supervisory authorities. The current version is always available on this page, with the effective date shown at the top. We will notify affected clients directly of any material changes.

11. Contact

For any data protection question or to exercise your rights, contact our data protection contact at privacy@codeforgetful.com or write to Code Forgetful LLC, 7 Baseina Street, Office 14, Kyiv 01004, Ukraine.