EU & UK Data Protection Addendum
Last updated: March 2026
This addendum supplements our Privacy Policy and applies specifically to users located in the European Union (EU), European Economic Area (EEA), and United Kingdom (UK). It is provided in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018.
1. Data Controller
For the purposes of the GDPR and UK GDPR, the data controller is:
CatchDiff
Contact: support@catchdiff.com
2. Personal Data We Process
We process only the minimum personal data necessary to operate the Service:
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address | Rate limiting (5 free comparisons/month) | Legitimate interest (Art. 6(1)(f)) | 1 calendar month |
| IP address + user agent | Consent logging (GDPR compliance) | Legal obligation (Art. 6(1)(c)) | 3 years |
| File names (not content) | Anonymous usage analytics | Legitimate interest (Art. 6(1)(f)) | 90 days |
| PDF content (in-memory only) | Performing the comparison | Contract performance (Art. 6(1)(b)) | Deleted immediately after comparison |
| Payment data (name, email) | Desktop app purchase processing | Contract performance (Art. 6(1)(b)) | As required by tax/accounting law |
3. Your Rights Under GDPR and UK GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You may request correction of inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — You may request deletion of your personal data where there is no legitimate reason to continue processing it.
- Right to restriction of processing (Art. 18) — You may request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — You may request a machine-readable copy of data you have provided to us.
- Right to object (Art. 21) — You may object to processing based on legitimate interests. We will stop that processing unless we have compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22) — CatchDiff does not use automated decision-making or profiling.
To exercise any of these rights, contact us at support@catchdiff.com. We will respond within 30 days.
4. International Data Transfers
CatchDiff uses the following third-party services which may involve international transfers of personal data:
- Vercel Inc. (USA) — web hosting. Data transfers are covered by the EU-US Data Privacy Framework and Vercel's Standard Contractual Clauses (SCCs). See vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — database. Data transfers use Standard Contractual Clauses. You may choose EU-region hosting. See supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for desktop app purchases only. Covered by SCCs and Stripe's DPA. See stripe.com/privacy.
PDF document content is never transferred to any third party. Only the operational data listed in Section 2 is processed by the above services.
5. Cookies and Consent Records
CatchDiff stores a consent record in your browser's localStorage when you accept our terms. This is not a tracking cookie — it is a technical necessity to avoid asking for consent on every visit.
We also log your IP address, user agent, consent version, and timestamp to our database when you accept, as required by GDPR Art. 7(1) to demonstrate that consent was obtained. This record is retained for 3 years and is not used for any other purpose.
6. Right to Lodge a Complaint
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your national supervisory authority:
- EU residents — contact the supervisory authority in your EU member state. Find your authority at edpb.europa.eu.
- UK residents — contact the Information Commissioner's Office (ICO) at ico.org.uk.
We encourage you to contact us first at support@catchdiff.com so we can try to resolve your concern directly.
7. Data Protection Officer
CatchDiff is a small service and is not required to appoint a Data Protection Officer under Art. 37 GDPR. For all data protection matters, contact support@catchdiff.com.
8. Changes to This Addendum
We may update this addendum to reflect changes in law or our practices. Material changes will be communicated by updating the date above and, where required, by re-requesting consent.