GDPR Compliance Through Privacy-by-Design
Think for yourself, schmuck! Question authority. Including the authority of companies who claim "we need all your data for better service." Data you don't collect can't be stolen. Data you delete can't leak.
Nothing is true. Everything is permitted. Except violating GDPR—that costs €20M or 4% of global revenue, whichever hurts more. Amazon: €746M fine. Google: €50M fine. Meta: €1.2B fine. Compliance isn't optional.
Hack23's Privacy Policy implements systematic data protection across three products: CIA (political transparency), Black Trigram (educational gaming), CIA Compliance Manager (security assessment). Data minimization, 90-day IP retention, account lifetime + 2 years maximum retention, privacy-by-design, Swedish DPA compliance. This demonstrates our cybersecurity consulting expertise through measurable privacy implementation.
ILLUMINATION: GDPR fines are expensive. Data breaches are more expensive. The cheapest option? Don't collect data you don't need. Revolutionary simplicity.
Data Controller: Hack23 AB (Swedish Company, EU Jurisdiction)
Legal accountability for your personal data:
| Information | Details |
|---|---|
| Legal Name | Hack23 AB |
| Organization Number | 559534-7807 (Swedish company) |
| Registered Address | Carl Grimbergsgatan 25, 413 13 Göteborg, Sweden |
| Data Protection Contact | privacy@hack23.com |
| CEO/DPO | James Pether Sörling |
Swedish jurisdiction = Swedish Data Protection Authority (Integritetsskyddsmyndigheten) oversight. EU GDPR fully applicable. Complaints can be filed with Swedish DPA or your local EU data protection authority.
JURISDICTION ILLUMINATION: Swedish company = Swedish privacy law + EU GDPR. Nordic countries have strong privacy traditions. This isn't California—this is Vikings who take privacy seriously.
Three Products, Systematic Privacy Implementation
Privacy policy applies across all Hack23 AB products with product-specific data handling:
🏛️ CIA (Citizen Intelligence Agency)
Political transparency platform. User accounts, activity dashboards, Swedish parliamentary data analysis. Data collected: Name, email, IP (90 days), activity tracking. Purpose: Personalized political transparency. Legal basis: Contract + Legitimate Interest. Retention: Account lifetime + 2 years.
CIA Platform | Security Policy
🎮 Black Trigram
Educational gaming platform. Player profiles, game progress, achievements, Korean martial arts learning. Data collected: Name, email, game statistics, device info. Purpose: Game state persistence, learning progress. Legal basis: Contract. Retention: Account lifetime.
Black Trigram Game | Security Policy
🛡️ CIA Compliance Manager
Security compliance tool. Organization accounts, security assessments, compliance reports. Data collected: Organization info, user accounts, assessment data. Purpose: Compliance automation. Legal basis: Contract. Retention: Account lifetime + 2 years (audit trail).
Compliance Manager | Security Policy
PRODUCT ILLUMINATION: Three different products, one systematic privacy framework. Data collection varies by product purpose. Retention aligned with business need. No data hoarding.
Data We Collect: Minimization Through Classification
All data classified per Privacy Classification Framework:
| Data Type | Privacy Level | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Name | Personal Identifier | Account identification, communication | Contract / Legitimate Interest | Account lifetime + 2 years |
| Email Address | Personal Identifier | Authentication, notifications, support | Contract | Account lifetime + 2 years |
| IP Address | Personal Identifier | Security, fraud prevention, analytics | Legitimate Interest | 90 days (logs) |
| Device ID | Personal | Session management, security | Legitimate Interest | Session duration |
| Application Events | Personal | Feature usage analytics, UX improvement | Legitimate Interest | 12 months |
| Game Progress | Personal | Save game state, achievements | Contract | Account lifetime |
| Analytics Data | Pseudonymized | Traffic analysis, content optimization | Legitimate Interest | 14 months |
Data minimization enforced: No social security numbers collected. No financial data stored (payment processors handle transactions). No health data. No biometric data. No location tracking beyond IP geolocation for security.
MINIMIZATION ILLUMINATION: Every data field has documented purpose and retention period. If we can't justify collection, we don't collect. If we can't justify retention, we delete. Data minimization isn't philosophy—it's operational practice.
GDPR Article 5: Seven Principles of Lawful Processing
Hack23 implements all seven GDPR data protection principles:
1. Lawfulness, Fairness, Transparency
Legal basis documented for all processing. Contract for account services, Legitimate Interest for security/analytics, Consent for marketing (opt-in). Privacy policy public, clear language, no legal jargon hiding intent.
2. Purpose Limitation
Data used only for stated purposes. Email for authentication? Not used for unsolicited marketing. IP for security? Not sold to advertisers. Purpose specified at collection, documented in policy.
3. Data Minimization
Collect only necessary data. No "just in case" data collection. No 50-field registration forms. Ask for name and email—not life history. Minimization = reduced liability.
4. Accuracy
Keep data correct and current. Users can update profiles. Incorrect data corrected promptly. Outdated data deleted per retention schedule. Data quality = data protection.
5. Storage Limitation
Delete when no longer needed. IP logs: 90 days. Analytics: 12-14 months. Account data: Lifetime + 2 years maximum. Automated deletion enforced. Infinite retention = infinite liability.
7. Accountability
Prove compliance, not just claim it. Public ISMS documentation, Data Processing Agreements with suppliers, breach notification procedures (72 hours to DPA), data protection impact assessments (DPIA) for high-risk processing.
GDPR ILLUMINATION: Article 5 isn't suggestions—it's law. Violate any principle = GDPR non-compliance = regulatory action. These seven principles drive all data processing decisions.
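The retention table above and the storage-limitation principle, expressed as a deletion-eligibility check a scheduled purge job could run. This is an added example, not Hack23's code; the `Record` class, the data-type keys and the reading of "account lifetime + 2 years" as two years counted from account closure are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention schedule transcribed from the policy table (constructed illustration,
# not Hack23's own code). The clock starts at the event that produced the data
# for transient records, and at account closure for account-bound records.
LOG_RETENTION_DAYS = {"ip_address": 90}
EVENT_RETENTION_MONTHS = {"application_event": 12, "analytics": 14}
# Months kept after account closure: "account lifetime + 2 years" or "account lifetime".
ACCOUNT_BOUND_MONTHS = {"name": 24, "email": 24, "assessment_data": 24, "game_progress": 0}

@dataclass
class Record:
    record_id: str
    kind: str                              # data type from the retention table
    created: date                          # when the record was produced
    account_closed: Optional[date] = None  # set once the owning account is deleted
    session_active: bool = False           # only meaningful for device IDs

def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; clamps to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def expiry_date(rec: Record) -> Optional[date]:
    """Date from which the record must be deleted, or None while it is legitimately kept."""
    if rec.kind in LOG_RETENTION_DAYS:
        return rec.created + timedelta(days=LOG_RETENTION_DAYS[rec.kind])
    if rec.kind in EVENT_RETENTION_MONTHS:
        return add_months(rec.created, EVENT_RETENTION_MONTHS[rec.kind])
    if rec.kind in ACCOUNT_BOUND_MONTHS:
        if rec.account_closed is None:
            return None  # account still open: no expiry yet
        return add_months(rec.account_closed, ACCOUNT_BOUND_MONTHS[rec.kind])
    if rec.kind == "device_id":
        return None if rec.session_active else rec.created  # session-scoped
    # A data type with no documented retention rule is a policy gap; refuse to keep it silently.
    raise ValueError(f"no retention rule for data type {rec.kind!r}")

def is_expired(rec: Record, today: date) -> bool:
    exp = expiry_date(rec)
    return exp is not None and today >= exp

def select_for_deletion(records: List[Record], today: date) -> List[str]:
    """IDs the scheduled deletion job must purge from primary storage and backups."""
    return [r.record_id for r in records if is_expired(r, today)]
```

The `ValueError` branch is deliberate: a record type that reaches the purge job without a documented retention rule should surface as a failure in the job's logs rather than be retained by default.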
Your Rights Under GDPR: Eight Data Subject Rights
GDPR grants you eight rights over your personal data. Hack23 honors all eight:
| Right | What It Means | How to Exercise | Response Time |
|---|---|---|---|
| Right to Access | Request copy of your personal data | Email privacy@hack23.com | 30 days (GDPR maximum) |
| Right to Rectification | Correct inaccurate personal data | Update profile or email request | 30 days |
| Right to Erasure | "Right to be forgotten"—delete your data | Account deletion or email request | 30 days (includes backups) |
| Right to Restriction | Limit processing while disputing accuracy | Email privacy@hack23.com | 30 days |
| Right to Data Portability | Receive your data in machine-readable format | Email privacy@hack23.com (JSON export) | 30 days |
| Right to Object | Object to processing based on legitimate interest | Email privacy@hack23.com | Immediate cessation, 30 days confirmation |
| Rights re Automated Decision-Making | Not subject to purely automated decisions | Not applicable (no automated profiling) | N/A |
| Right to Lodge Complaint | Complain to data protection authority | Swedish DPA (Integritetsskyddsmyndigheten) | N/A (regulatory process) |
All requests processed within 30 days (GDPR maximum). Most requests completed within 7-14 days. No fees for first request. Excessive/repetitive requests may incur an administrative fee (GDPR Article 12).
RIGHTS ILLUMINATION: These aren't corporate goodwill—they're legal requirements. Exercise them. Companies that don't honor GDPR rights face regulatory enforcement. We respond within 30 days because law requires it.
ISMS Policy Integration: Privacy Across Security Framework
Privacy Policy integrated with complete Hack23 ISMS framework:
| ISMS Policy | Privacy Integration |
|---|---|
| Data Classification Policy | Privacy levels (Personal Identifier, Personal, Pseudonymized, Anonymous) drive data protection controls |
| Cryptography Policy | AES-256 encryption for personal data at rest, TLS 1.3 in transit, KMS key management |
| Access Control Policy | Least privilege access to personal data, MFA enforcement, audit logging |
| Backup Recovery Policy | Encrypted backups, retention aligned with GDPR, deletion includes backup purging |
| Incident Response Plan | Personal data breach notification procedures (72 hours to DPA, prompt to users) |
| Third Party Management | Data Processing Agreements (DPA) required for all processors, supplier security assessment |
INTEGRATION ILLUMINATION: Privacy isn't standalone policy—it's systematic integration across security framework. One ISMS, multiple privacy applications. Encryption + access control + incident response = comprehensive data protection.
Conclusion: Privacy Through Systematic Data Minimization
Data you don't collect can't be stolen. Data you delete can't leak. Data you minimize reduces liability.
Hack23's privacy approach: Data minimization (collect only necessary), systematic retention (90 days for IPs, account lifetime + 2 years maximum), privacy-by-design (GDPR Article 25), full data subject rights (30-day response), Swedish DPA compliance.
Our Privacy Policy isn't a marketing document—it's an operational framework integrated with the ISMS. All privacy practices documented, auditable, enforceable. Trust through transparency beats trust through promises.
Security through transparency beats security through hope. Privacy policy public. ISMS framework public. Data protection practices measurable. GDPR compliance verifiable.
FINAL ILLUMINATION: GDPR isn't punishment—it's forcing companies to do what they should have done anyway. Collect less. Store securely. Delete promptly. Honor rights. Or pay fines that make insurance companies nervous.