GDPR Compliance Statement
Last Updated: December 29, 2025
Who This Statement Applies To
This GDPR Compliance Statement applies to all visitors and users of howtolaw.co.nz who are located in the European Union (EU) or European Economic Area (EEA). Under the General Data Protection Regulation (GDPR), you have specific rights regarding how your personal information is collected, processed, stored, and shared.
Howtolaw.co.nz is an informational website providing reviews and guidance about Asian dating platforms. We are committed to protecting your privacy and ensuring transparency about our data practices in compliance with GDPR requirements.
If you are located outside the EU/EEA, different privacy regulations may apply to you. Please refer to our Privacy Policy for comprehensive information about our data practices worldwide.
Legal Bases for Processing Your Data
Under GDPR Article 6, we process your personal data only when we have a lawful basis to do so. Our processing activities rely on the following legal grounds:
Consent (Article 6(1)(a))
We process data based on your explicit consent for:
- Newsletter subscriptions: When you opt in to receive updates about dating site reviews and international dating guidance
- Marketing cookies: When you accept cookies that help us understand your preferences and improve your experience
- Affiliate link tracking: When you click through to dating platforms via our referral links
You may withdraw your consent at any time through the mechanisms described in the "How to Exercise Your Rights" section below.
Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate business interests, which include:
- Operating our affiliate business: Tracking referrals to dating platforms to receive commissions that support our free content
- Website analytics: Understanding how visitors use our site to improve content quality and user experience
- Security and fraud prevention: Protecting our website and users from malicious activity, spam, and abuse
- Content improvement: Analyzing which reviews and guides are most helpful to optimize our information resources
We have carefully balanced these interests against your rights and freedoms and implement appropriate safeguards.
Legal Obligation (Article 6(1)(c))
We process certain data to comply with legal requirements, including:
- IMBRA compliance: For U.S.-based users, we maintain disclosure documentation as required by the International Marriage Broker Regulation Act
- Tax and financial records: Maintaining affiliate transaction records as required by applicable tax laws
- Law enforcement requests: Responding to valid legal requests from authorities when required by law
Your Rights Under GDPR
As an EU/EEA resident, you have comprehensive rights regarding your personal data. We respect these rights and provide clear mechanisms for you to exercise them.
Summary of Your GDPR Rights
- Access: Know what data we hold about you
- Rectification: Correct inaccurate information
- Erasure: Request deletion of your data (right to be forgotten)
- Restriction: Limit how we process your data
- Portability: Receive your data in a machine-readable format
- Objection: Stop certain types of processing
- Automated decisions: Protection from solely automated decision-making
Right to Access (Article 15)
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about:
- The purposes of processing
- The categories of personal data involved
- The recipients or categories of recipients to whom data has been disclosed
- The retention period or criteria for determining that period
- Your other GDPR rights
Right to Rectification (Article 16)
You can request correction of inaccurate personal data we hold about you. You also have the right to complete any incomplete personal data, including by providing a supplementary statement.
Right to Erasure / Right to be Forgotten (Article 17)
You can request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent on which processing is based and no other legal ground exists
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Please note that we may retain certain information when we have a legal obligation or legitimate interest to do so (such as financial records required for tax compliance).
Right to Restriction of Processing (Article 18)
You can request that we limit processing of your personal data when:
- You contest the accuracy of the data (during verification)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification of our legitimate grounds
Right to Data Portability (Article 20)
Where technically feasible, you can receive personal data you provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON). You can also request that we transmit this data directly to another controller.
This right applies when processing is based on consent or contract performance and is carried out by automated means.
Right to Object (Article 21)
You can object to processing of your personal data when:
- Processing based on legitimate interests: You can object at any time, and we must stop unless we demonstrate compelling legitimate grounds that override your interests
- Direct marketing: You can object at any time, and we will stop processing your data for marketing purposes immediately
- Scientific or historical research: You can object unless processing is necessary for a public interest task
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making that has legal or similarly significant effects.
International Data Transfers
As an international dating information website, some of your personal data may be transferred to and processed in countries outside the European Economic Area, including the United States and countries where the dating platforms we review operate.
Safeguards for Data Transfers
When we transfer your personal data outside the EEA, we implement appropriate safeguards to ensure adequate protection:
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with service providers and partners processing data outside the EEA
- Adequacy Decisions: Where possible, we work with partners in countries that have received an adequacy decision from the European Commission, confirming they provide adequate data protection
- Partner Due Diligence: We carefully evaluate the data protection practices of dating platforms and other third parties before recommending or linking to them
- Transparency: We disclose in our reviews when dating platforms may transfer data internationally, so you can make informed decisions
Dating Platform Partners
When you click our affiliate links to visit dating platforms (such as SakuraDate, NaomiDate, MagnoliaDate, AsiaFlame, or ShantiDate), you leave our website and become subject to those platforms' privacy policies. Many of these platforms operate internationally and may transfer your data to Asia, the United States, or other regions.
We encourage you to review each platform's privacy policy and GDPR compliance measures before creating an account or providing personal information.
How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our retention periods vary by data type:
Analytics Data
Retention Period: 26 months
Google Analytics and similar tools automatically delete user-level and event-level data after 26 months. This includes browsing behavior, page views, and interaction patterns. IP addresses are anonymized immediately upon collection.
Marketing Consents and Communications
Retention Period: Until consent is withdrawn or 3 years of inactivity
If you subscribe to our newsletter or provide consent for marketing communications, we retain your contact information and consent records until you unsubscribe or have not engaged with our content for 3 years, whichever comes first.
Affiliate Transaction Records
Retention Period: 7 years from transaction date
We retain records of affiliate referrals and commissions for 7 years to comply with tax and financial record-keeping requirements in applicable jurisdictions.
Legal and Compliance Records
Retention Period: As required by law
Records maintained for legal compliance (such as IMBRA disclosures, responses to legal requests, or documentation of consent) are retained for the period required by applicable law, typically 3-7 years.
User Inquiries and Support Communications
Retention Period: 2 years from last communication
If you contact us with questions or concerns, we retain your correspondence for 2 years to provide continuity of support and maintain a record of our relationship.
Deletion and Anonymization
When retention periods expire, we either delete personal data permanently or anonymize it so that it can no longer be associated with you. Anonymized data may be retained indefinitely for statistical and research purposes.
How We Protect Your Information
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security practices include:
Technical Security Measures
- SSL/TLS Encryption: All data transmitted to and from our website is encrypted using industry-standard 256-bit SSL/TLS encryption, the same security level used by major banks
- Secure Hosting Infrastructure: Our website is hosted on secure servers with regular security patches, firewalls, and intrusion detection systems
- Access Controls: Access to personal data is restricted to authorized personnel who need it to perform their job functions, using role-based access control and strong authentication
- Data Minimization: We collect only the personal data necessary for specified purposes and avoid storing sensitive information whenever possible
- Regular Security Assessments: We conduct periodic security reviews and vulnerability assessments to identify and address potential risks
Organizational Security Measures
- Staff Training: Personnel with access to personal data receive training on GDPR requirements and data protection best practices
- Data Protection Policies: We maintain internal policies governing data handling, retention, and security practices
- Vendor Management: Third-party service providers are carefully vetted and contractually obligated to protect personal data
- Incident Response Plan: We have procedures in place to detect, investigate, and respond to data security incidents
Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with the requirements of GDPR Articles 33 and 34.
How to Exercise Your Rights
We make it straightforward for you to exercise your GDPR rights. Here's how to submit requests and what to expect:
Submitting a Data Request
To exercise any of your GDPR rights (access, rectification, erasure, restriction, portability, or objection), please contact us using one of these methods:
- Email: Send your request to [email protected] with the subject line "GDPR Data Subject Request"
- Contact Form: Use our website contact form and select "Privacy/Data Request" as the inquiry type
- Written Mail: Send a written request to our Data Protection Officer at the address listed in the contact section below
Information to Include in Your Request
To help us process your request efficiently and verify your identity, please include:
- Your full name and the email address associated with any account or subscription
- A clear description of which right you wish to exercise (e.g., "I request access to my personal data" or "I request deletion of my data")
- Any additional information that will help us locate your data in our systems
- Proof of identity (we may request additional verification for security purposes)
Response Timeframe
We will respond to your request without undue delay and within one month of receiving it, as required by GDPR Article 12(3). If your request is particularly complex or we receive multiple requests from you, we may extend this period by two additional months. We will inform you of any such extension within the first month and explain the reason for the delay.
Identity Verification
To protect your privacy and security, we must verify your identity before responding to data subject requests. We may ask for additional information or documentation to confirm you are the person whose data is being requested. This is a standard security practice to prevent unauthorized access to personal information.
Free of Charge
We do not charge a fee for processing data subject requests unless your request is clearly unfounded, repetitive, or excessive. In such cases, we may charge a reasonable fee or refuse to act on the request, and we will explain our reasoning.
Third-Party Data
Please note that we can only control data we collect directly. If you have concerns about personal data held by dating platforms you accessed through our affiliate links, you must contact those platforms directly to exercise your rights. We provide links to their privacy policies in our reviews.
Changes to This Statement
We may update this GDPR Compliance Statement periodically to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website.
We encourage you to review this statement regularly to stay informed about how we protect your personal data and respect your rights under GDPR.
Quick Reference Summary
Your GDPR rights at a glance:
- Access: Request a copy of your data
- Correct: Fix inaccurate information
- Delete: Exercise right to be forgotten
- Restrict: Limit how we use your data
- Port: Get your data in machine-readable format
- Object: Stop certain processing activities
To exercise rights: Email [email protected] with "GDPR Data Subject Request" in the subject line. We respond within one month, free of charge.
Data security: 256-bit SSL encryption, secure hosting, access controls, regular security reviews, incident response procedures.
Questions or complaints: Contact our Data Protection Officer or your local EU supervisory authority.