1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations processing personal data of individuals within the European Union and European Economic Area, regardless of where the organization is located. At AHA-Innovations, we are fully committed to GDPR compliance and protecting the privacy rights of all our users.
This document outlines how we comply with GDPR requirements and explains your rights as a data subject under this regulation.
2. Data Controller Information
AHA-Innovations acts as the data controller for personal data we collect and process through our GoHighLevel automation platform. As the data controller, we determine the purposes and means of processing your personal data.
- Company Name: AHA-Innovations
- Data Protection Officer: dpo@aha-innovations.com
- Privacy Contact: privacy@aha-innovations.com
- General Contact: suppor@aha-innovations.com
3. Legal Basis for Processing
Under GDPR, we must have a valid legal basis for processing your personal data. We process personal data based on the following legal grounds:
- Consent (Article 6(1)(a)): Where you have given clear, informed consent for us to process your personal data for specific purposes, such as marketing communications or optional analytics.
- Contract Performance (Article 6(1)(b)): Where processing is necessary to fulfill our contractual obligations to you, including providing our platform services and processing payments.
- Legal Obligation (Article 6(1)(c)): Where processing is required to comply with legal obligations, such as tax reporting, anti-money laundering requirements, or court orders.
- Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate business interests, such as fraud prevention, security monitoring, and platform improvement, provided these interests don't override your fundamental rights.
- Vital Interests (Article 6(1)(d)): In rare cases where processing is necessary to protect someone's life or physical safety.
4. Your Rights Under GDPR
GDPR grants you comprehensive rights regarding your personal data. These rights are fundamental to data protection and we are committed to facilitating their exercise:
- Right to Information (Articles 13-14): You have the right to be informed about how your personal data is collected, used, and processed. This notice serves that purpose.
- Right of Access (Article 15): You can request copies of your personal data and information about how we process it, including the purposes, categories of data, and recipients.
- Right to Rectification (Article 16): You can request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): Also known as the "right to be forgotten," you can request deletion of your personal data under specific circumstances.
- Right to Restrict Processing (Article 18): You can request that we limit how we process your personal data in certain situations.
- Right to Data Portability (Article 20): You can request your personal data in a structured, machine-readable format for transfer to another service provider.
- Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Article 22): You have rights regarding automated decision-making and profiling.
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.
5. How to Exercise Your Rights
We've made it easy for you to exercise your GDPR rights. Here's how:
- Online Portal: Access your account dashboard to view, update, or delete your personal data
- Email Request: Contact us at privacy@aha-innovations.com with your specific request
- Data Protection Officer: Reach out to our DPO at dpo@aha-innovations.com for complex matters
- Identity Verification: To protect your data, we may need to verify your identity before processing requests
Response Timeline: We will respond to your request within 30 days. For complex requests, we may extend this by an additional 60 days and will inform you of any delay with an explanation.
No Cost: Exercising your rights is generally free of charge. We may charge a reasonable fee for excessive or repetitive requests.
6. Data Retention Principles
We follow strict data retention principles in compliance with GDPR requirements:
- Purpose Limitation: We retain personal data only for as long as necessary to fulfill the specific purposes for which it was collected
- Legal Requirements: Some data must be retained to comply with legal, accounting, or regulatory obligations (typically 7 years for financial records)
- Active Accounts: Account data is retained while your subscription is active and for a reasonable period afterward to allow reactivation
- Automatic Deletion: We have automated systems to delete data when retention periods expire
- Regular Reviews: We conduct periodic reviews to ensure data is not retained longer than necessary
7. International Data Transfers
As a global platform, we may transfer your personal data outside the European Economic Area (EEA). We ensure adequate protection through:
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide appropriate safeguards
- Binding Corporate Rules: Internal data protection policies for multinational organizations
- Certification Schemes: Recognized data protection certification programs
- Explicit Consent: Your specific consent for transfers where other safeguards aren't available
We regularly assess the adequacy of protection in destination countries and update our safeguards as needed.
8. Data Breach Procedures
We have comprehensive procedures to handle personal data breaches in compliance with GDPR requirements:
- Detection: 24/7 monitoring systems to detect potential breaches quickly
- Assessment: Immediate evaluation of breach scope, impact, and risk to individuals
- Containment: Swift action to contain the breach and prevent further data loss
- Regulatory Notification: Report to supervisory authorities within 72 hours when required
- Individual Notification: Inform affected individuals without undue delay when there's high risk to their rights
- Documentation: Maintain detailed records of all breaches and response actions
- Review: Post-incident analysis to improve security measures and prevent recurrence
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we have violated GDPR. You can contact:
- Your Local Authority: The supervisory authority in your EU member state
- Our Lead Authority: The supervisory authority where our main establishment is located
- Alternative Authorities: Any supervisory authority where you have concerns about our processing
We encourage you to contact us first so we can address your concerns directly, but this doesn't affect your right to lodge a complaint.
10. Privacy by Design and Default
We implement privacy by design and by default principles throughout our platform:
- Data Minimization: We collect only the personal data necessary for specific purposes
- Purpose Limitation: Data is processed only for the purposes for which it was collected
- Storage Limitation: Data is kept only as long as necessary
- Security: Appropriate technical and organizational measures protect personal data
- Transparency: Clear information about data processing is provided
- User Control: Privacy-friendly default settings and user control options
11. Changes to This GDPR Notice
We may update this GDPR compliance notice to reflect changes in our practices or legal requirements. When we make significant changes, we will:
- Update the "Last updated" date
- Notify you via email or in-app notification
- Highlight key changes in the notification
- Seek renewed consent where required
For any questions about our GDPR compliance or to exercise your rights, please contact:
- Data Protection Officer: dpo@aha-innovations.com
- Privacy Team: privacy@aha-innovations.com
- General Support: suppor@aha-innovations.com
We are committed to protecting your privacy rights and will respond to all inquiries promptly and transparently.