GDPR Compliance
How Septimus Cultura protects your data and complies with the General Data Protection Regulation.
Last updated: April 9, 2026
Our Commitment
Septimus Cultura is built with privacy at its core. As a B2B platform that handles sensitive hydrogen plant engineering data, we recognize the critical importance of data protection — not only as a legal obligation, but as a foundational pillar of trust with our clients. We comply with the General Data Protection Regulation (EU 2016/679), the Spanish Organic Law 3/2018 (LOPDGDD), and the Swedish implementation of GDPR.
Our Data Protection Principles
Data Minimization
We collect only the data that is strictly necessary to deliver our services. Email for communications, authentication for access, and plant parameters for optimization — nothing more.
Data Anonymization
Our platform applies an anonymization layer to hydrogen plant technical data before processing. Client-specific identifiers are stripped so that optimization results cannot be reverse-engineered to identify the source.
Transparency
We are transparent about what data we collect, why we collect it, and how it is processed. Our Privacy Policy and Cookie Policy provide comprehensive disclosures.
Lawful Processing
Every data processing activity has a documented legal basis under GDPR Article 6: consent, contractual necessity, or legitimate interest — clearly stated and never assumed.
Security by Design
We enforce HTTPS with HSTS preloading, implement comprehensive security headers, use environment-level key management, and maintain strict access controls across all systems.
Breach Notification
In the event of a data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay under Article 34.
Data Subject Rights
We honor all GDPR data subject rights: access, rectification, erasure, restriction, portability, and objection. Requests are processed within 30 days.
Accountability
We maintain records of processing activities, conduct data protection impact assessments where required, and ensure our sub-processors meet equivalent compliance standards.
Sub-Processors
We engage the following sub-processors, each bound by data processing agreements that ensure GDPR-equivalent protections.
Clerk
Authentication and identity services
Supabase
Cloud infrastructure and data storage
Vercel
Website hosting and analytics (consent-gated)
International Data Transfers
Some of our sub-processors operate infrastructure outside the European Economic Area (EEA). When data is transferred internationally, we ensure compliance through:
- Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards incorporated into our DPAs with each sub-processor.
- Adequacy assessments — we evaluate the data protection landscape of receiving countries and implement supplementary measures where necessary.
- Encryption in transit and at rest — all data is encrypted using industry-standard protocols regardless of geographic location.
Exercising Your Rights
Under GDPR, you have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. You also have the right to withdraw consent at any time.
To exercise any right, contact us at:
Data Protection — Septimus Cultura
Email: contact@septimuscultura.com
We will respond within 30 days of receiving your request.
Supervisory Authorities
If you believe your data protection rights have been violated, you may lodge a complaint with:
- Agencia Española de Protección de Datos (AEPD) — www.aepd.es
- Integritetsskyddsmyndigheten (IMY) — www.imy.se