GDPR Compliance

Last updated: March 1, 2026

Bespoke Analytics, operated by Sterling Consulting Services, is committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR for users in the European Union and United Kingdom.

This page supplements our Privacy Policy and explains how we handle the data of EU/UK data subjects. For questions, contact us at sterlingconsultingservices@hotmail.com.

Data Controller

Sterling Consulting Services acts as the data controller for personal data collected through the Bespoke Analytics platform. As controller, we determine the purposes and means of processing your personal data.

Contact: sterlingconsultingservices@hotmail.com

Lawful Basis for Processing

We process personal data on the following lawful bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — Processing your name, email, and account data to provide the analytics service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) — Aggregate analytics to improve the product, fraud prevention, and security monitoring, where these interests are not overridden by your data protection rights.
  • Legal obligation (Art. 6(1)(c)) — Retaining billing records and responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a)) — Marketing communications, where you have explicitly opted in. You may withdraw consent at any time.

Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
  • Right to restriction (Art. 18) — Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — Receive your personal data in a structured, machine-readable format (JSON/CSV) and transfer it to another controller.
  • Right to object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decisions (Art. 22) — We do not make solely automated decisions that produce significant legal effects on you.

To exercise any of these rights, email sterlingconsultingservices@hotmail.com. We will respond within 30 days (extendable to 90 days for complex requests, with notification). We may need to verify your identity before processing your request.

International Data Transfers

Bespoke Analytics is primarily operated in the United States. When we transfer personal data from the EU/UK to the US, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework — Where our sub-processors participate in the DPF (including Google/Firebase and Stripe).
  • Standard Contractual Clauses (SCCs) — For transfers to processors not covered by an adequacy decision, we use the European Commission's approved SCCs.

A list of our sub-processors and their transfer mechanisms is available on request.

Data Retention

  • Account data — Retained for the duration of your account. Deleted within 30 days of account closure.
  • Query history — Retained as long as your account is active, or until you delete specific queries.
  • Billing records — Retained for 7 years to comply with financial regulations.
  • Security logs — Retained for 12 months.

Sub-Processors

We use the following sub-processors to provide our service. Each has been assessed for GDPR compliance, and appropriate data processing agreements are in place:

  • Anthropic (AI processing) — United States
  • Google Firebase (Authentication) — United States / EU
  • Railway (Database hosting) — United States
  • Vercel (Application hosting) — United States / Global CDN
  • Stripe (Payment processing) — United States / EU
  • Resend (Email delivery) — United States

Data Processing Agreement (DPA)

If your organization requires a Data Processing Agreement (DPA) for GDPR compliance — common for EU-based businesses and organizations handling personal data of EU citizens — please contact us at sterlingconsultingservices@hotmail.com. We will provide a signed DPA within 5 business days.

Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state or with the UK Information Commissioner's Office (ICO) for UK residents.

Contact

For all GDPR-related inquiries, rights requests, or to request a DPA:

Sterling Consulting Services
Email: sterlingconsultingservices@hotmail.com
Subject line: “GDPR Request — [Your Name]”