GDPR Compliance Policy

This GDPR Compliance Policy ("GDPR Policy") supplements our Privacy Policy and provides additional information specifically for individuals located in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK) regarding their rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation.

CartoonTerritory, accessible at cartoonterritory.com ("Website," "we," "us," "our"), acts as the data controller for personal data processed through this Website. This Policy explains our obligations under GDPR and how we uphold your data protection rights.

CartoonTerritory is the data controller responsible for your personal data processed through this Website.

For any data protection inquiries, you may contact us at:

Email: gdpr@cartoonterritory.com

Under the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following lawful bases:

3.1 Legitimate Interests (Article 6(1)(f) GDPR)

We process certain data on the basis of our legitimate interests, which include:

• Ensuring the security and integrity of our Website
• Preventing fraud, abuse, and unauthorized access
• Performing aggregate analytics to improve the Website
• Maintaining server logs for operational and security purposes

We have conducted balancing tests to ensure our legitimate interests are not overridden by your fundamental rights and freedoms. Given that we process minimal data, do not create individual profiles, and do not use data for advertising, we have determined that our legitimate interests do not unduly impact your rights.

3.2 Legal Obligation (Article 6(1)(c) GDPR)

We may process personal data where necessary to comply with a legal obligation to which we are subject, such as responding to lawful requests from law enforcement or regulatory authorities.

3.3 Consent (Article 6(1)(a) GDPR)

Where we use non-essential cookies or tracking technologies (such as analytics cookies), we rely on your explicit consent, obtained through our cookie consent mechanism. You may withdraw your consent at any time by adjusting your browser settings or contacting us directly.

We process only limited categories of personal data:

Category	Examples	Lawful Basis
Technical identifiers	IP address (may be anonymized), device fingerprint	Legitimate interest
Connection data	Browser type, OS, language preference	Legitimate interest
Usage data	Pages viewed, access timestamps, referring URL	Consent (analytics)
Communication data	Email address, message content (only if you contact us)	Legitimate interest

We do not process special categories of personal data (Article 9 GDPR), including data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

As a data subject in the EU/EEA/UK, you have the following rights, which we are committed to upholding:

5.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to request a copy of that data along with information about how it is processed.

5.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete personal data without undue delay.

5.3 Right to Erasure / Right to Be Forgotten (Article 17)

You have the right to request the deletion of your personal data where:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

5.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing where:

• You contest the accuracy of the data (for the period needed to verify accuracy)
• The processing is unlawful and you oppose erasure, requesting restriction instead
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of whether our legitimate grounds override yours

5.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

5.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. Upon receiving such an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

5.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not engage in any such automated decision-making.

5.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

To exercise any of the rights described above, please contact us at:

Email: gdpr@cartoonterritory.com

When submitting a request, please provide:

• A clear description of the right you wish to exercise
• Sufficient information to allow us to verify your identity (we may request additional information for verification purposes)

We will respond to all valid requests within one (1) month of receipt. This period may be extended by up to two additional months for complex requests, in which case we will inform you of the extension and the reasons for it within the initial one-month period.

We do not charge a fee for processing legitimate requests. However, we reserve the right to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, in accordance with Article 12(5) GDPR.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Type	Retention Period	Justification
Server access logs	Up to 90 days	Security and operational necessity
Analytics data	Up to 26 months	Aggregate trend analysis (anonymized where possible)
Communication records	Up to 36 months	Record-keeping for legal compliance

Upon expiry of the retention period, data is securely deleted or irreversibly anonymized.

Where personal data is transferred outside the EU/EEA to countries not recognized by the European Commission as providing an adequate level of data protection, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfer Impact Assessments where required
• Additional technical and organizational measures as appropriate

You may request a copy of the relevant safeguards by contacting us at the address provided above.

Given the nature and scope of our processing activities (minimal personal data, no profiling, no automated decision-making, no special category data), we have determined that a formal Data Protection Impact Assessment (DPIA) is not required under Article 35 GDPR. We will reassess this determination if our processing activities materially change.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR
• Document all breaches, including their effects and the remedial actions taken

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

A list of EU/EEA supervisory authorities can be found at:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

For UK residents, complaints may be directed to the Information Commissioner's Office (ICO):
https://ico.org.uk/make-a-complaint/

We reserve the right to update this GDPR Policy from time to time. Material changes will be indicated by updating the "Last updated" date at the top of this page. We encourage you to review this Policy periodically.

For all GDPR-related inquiries, requests, or complaints, please contact:

Email: gdpr@cartoonterritory.com

We are committed to working with you to resolve any data protection concerns fairly and promptly.