GDPR Compliance
Last updated: March 1, 2026
Performance Web Marketing ("PWM") is committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page outlines how we process personal data in accordance with GDPR requirements and explains your rights as a data subject.
1. Data Controller
Performance Web Marketing acts as the data controller for personal data collected through our website and marketing activities. For data processed on behalf of our clients' advertising campaigns, we act as a data processor.
Contact: hello@performancewebmarketing.com
Location: New York, NY, USA
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by GDPR Article 6:
- Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies. You may withdraw consent at any time.
- Contractual Necessity (Art. 6(1)(b)): To deliver services you have requested, including performance audits and campaign management.
- Legitimate Interest (Art. 6(1)(f)): For website analytics, security, and improving our services. We balance our interests against your rights and freedoms.
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, such as tax and accounting regulations.
3. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with a supervisory authority in your EU member state.
4. Data We Collect
We collect and process the following categories of personal data:
- Identity Data: Name, job title, company name
- Contact Data: Email address, phone number
- Technical Data: IP address, browser type, device information, cookies
- Usage Data: Pages visited, time on site, referral source
- Business Data: Website URL, advertising budget, marketing goals (provided voluntarily)
5. International Data Transfers
As a US-based company, personal data may be transferred to and processed in the United States. For transfers of personal data from the EEA, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, and we participate in the EU-U.S. Data Privacy Framework where applicable.
6. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Audit request data: Up to 24 months
- Client engagement data: Duration of engagement plus 6 years (legal/accounting requirements)
- Website analytics data: 14 months (GA4 default)
- Marketing consent records: Until consent is withdrawn plus 3 years
7. Data Protection Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments
- Staff training on data protection
- Incident response procedures
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.
9. Exercising Your Rights
To exercise any of your GDPR rights, please contact us at:
Performance Web Marketing
Email: hello@performancewebmarketing.com
Subject line: "GDPR Request - [Your Right]"
We will respond to all legitimate requests within 30 days. In some cases, we may need to verify your identity before processing your request. If your request is complex, we may extend the response period by an additional 60 days, and we will notify you of this extension.
10. Updates
This GDPR compliance page may be updated to reflect changes in our data processing practices or regulatory requirements. We encourage you to review this page periodically.