Privacy Policy
Effective date: June 7, 2026
Last updated: June 7, 2026
1. Who We Are
MELL 4 ("MELL", "the App", "we", "our", "us") is an AI-powered personal assistant application available on Android (Google Play) and iOS (Apple App Store). The App is developed and operated by the iMatrix team.
We are committed to protecting your privacy and handling your personal data transparently, securely, and in compliance with applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, and other applicable privacy frameworks worldwide.
This Privacy Policy explains in full detail how we collect, use, store, share, retain, and delete your personal data when you use the App, visit our website, or otherwise interact with our services. Please read this policy carefully. By using the App, you acknowledge that you have read and understood this Privacy Policy.
2. What Data We Collect
We collect only the data that is necessary to provide, maintain, and improve the App's functionality. Below is a complete and detailed list of all categories of data we may collect:
2.1 Information You Provide Directly
- Account credentials: When you create an account, we collect your email address, display name, and profile picture URL. Authentication is handled through Firebase Authentication (Google Sign-In or email link authentication). We do not store your raw password — authentication tokens are managed securely by Firebase.
- Chat messages and prompts: All text, voice transcriptions, and files you send to the AI assistant are transmitted to our servers for processing. This includes the full content of your conversations with the AI.
- Uploaded files and attachments: Images, PDFs, documents, audio files, and any other files you attach to conversations for AI analysis or processing.
- AI-generated media: Images, music tracks, videos, and audiobooks generated at your request are stored on our servers so you can access them later from your media gallery.
- Feedback and ratings: Star ratings, text comments, and any other information you voluntarily submit through the in-app feedback form.
- Support communications: When you contact us through the App or by email, we collect your name, email address, and the full content of your message.
2.2 Information Collected Automatically
- Usage data: Which features and AI modes you use, interaction frequency, session duration, and feature preferences. This is collected in anonymized form to improve the App.
- Device information: Device model, operating system name and version, app version, language and region settings, and timezone.
- Connection data: IP address, network connection type (Wi-Fi or cellular), and approximate geographic region derived from IP address.
- Performance and diagnostic data: Crash reports, stack traces, error logs, API response latency, and other diagnostic information to help us identify, reproduce, and fix bugs.
- Billing and subscription data: Current credit balance, Pro subscription tier and status, subscription renewal dates, and purchase transaction history. Subscription management is handled through RevenueCat and the respective platform app store (Google Play or Apple App Store).
2.3 Device Permissions
The App may request the following device permissions. Each permission is requested only at the moment a feature that requires it is used. You can deny or revoke any permission at any time through your device Settings app without affecting core chat functionality:
- Camera: To take photos and record video for AI vision analysis and media generation.
- Microphone: For voice input (speech-to-text dictation) and audio recording for voice mode.
- Photo Library / Media Storage: To upload existing images and files from your device, and to save AI-generated media to your local storage.
- Location (Approximate and Precise): For weather information, maps, and location-aware AI responses. We do not track your location in the background. Location data is accessed only when you explicitly use a feature that requires it.
- Contacts: For optional contact-related AI features. We do not upload your entire contact list — only individual contacts you choose to share.
- Calendar: For optional calendar-related AI features. We access only calendar events you explicitly choose to share with the AI.
2.4 Data We Do NOT Collect
- Full credit card numbers, bank account details, or complete payment instrument data — all payments are processed exclusively by Google Play or Apple App Store. We receive only an anonymized purchase token and subscription status.
- Precise real-time GPS location without your explicit, per-use opt-in.
- Biometric identifiers (fingerprints, face scans, voiceprints).
- Health, genetic, or biometric data as defined by GDPR and CCPA.
- Government-issued identification numbers (social security number, passport number, driver's license number).
- Contents of private messages or data from other apps on your device.
- Web browsing history from your device or browser.
3. How We Use Your Data
Every use of your data is tied to a specific, legitimate purpose. Here is exactly how we use each category of data:
3.1 To Provide the Core Service
- Processing your chat messages, prompts, and uploaded files through AI models (Gemma, Gemini, DeepSeek) to generate responses, images, music, video, audiobooks, and other creative outputs.
- Storing your conversation history so you can review, continue, and search past chats across sessions.
- Managing your user account: authentication, session management, profile data synchronization across devices.
- Delivering real-time notifications about AI response completion and important service updates.
3.2 To Manage Subscriptions and Credits
- Tracking your credit balance, credit consumption rates per AI feature, and credit top-up history.
- Validating your Pro subscription status, tier, and feature entitlements.
- Processing subscription renewals, upgrades, downgrades, and cancellations.
- Enforcing usage limits for free-tier users in accordance with our fair use policy.
3.3 To Improve and Maintain the App
- Analyzing anonymized, aggregated usage patterns to identify which features are most valuable and where improvements are needed.
- Using crash reports, error logs, and performance metrics to identify, reproduce, and fix bugs.
- Reviewing anonymized feedback to guide product roadmap decisions.
- Measuring API latency and optimizing server response times.
- Detecting, preventing, and addressing technical issues, fraud, and abuse.
3.4 To Communicate With You
- Sending essential service notifications: account changes, security alerts, subscription status updates, and billing reminders.
- Responding to your support requests, feedback submissions, and privacy inquiries.
3.5 What We Do NOT Do With Your Data
- We do NOT sell your personal data to any third party. Ever.
- We do NOT use your personal data for advertising, marketing, or promotional purposes.
- We do NOT use your chat content or AI prompts to train, fine-tune, or improve AI models. Our AI model providers (Google, DeepSeek) process prompts for inference only via API access and contractually do not use your data for model training.
- We do NOT share your personal data with data brokers, advertising networks, or analytics companies.
- We do NOT engage in automated decision-making or profiling that produces legal or similarly significant effects concerning you.
- We do NOT monetize your data in any way beyond the direct subscription fees you choose to pay.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following lawful bases:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the App's core functionality — user authentication, chat message processing, credit management, subscription delivery, and conversation history storage. Without this processing, we cannot provide the service.
- Consent (Art. 6(1)(a) GDPR): Access to device-level permissions (camera, microphone, location, contacts, calendar) is only activated with your explicit, freely given, informed consent. You can withdraw consent at any time through your device Settings or the App's settings.
- Legitimate interests (Art. 6(1)(f) GDPR): Collection of anonymized usage analytics, crash diagnostics, security monitoring, fraud prevention, and service improvement. We have conducted a legitimate interest assessment and concluded that these interests do not override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR): Retention of billing and purchase transaction records for the period required by applicable tax, accounting, and commercial laws.
5. How We Store and Protect Your Data
5.1 Storage Infrastructure
- Firebase / Google Cloud Platform (GCP): Authentication credentials, user profile data, user preferences, conversation metadata, and feedback submissions are stored in Firebase Firestore and Firebase Authentication services. Data is stored in GCP data centers located within the European Union.
- iMatrix Backend Servers (Hetzner, Frankfurt, Germany): Chat history content, AI-generated media files, credits ledger, and billing records are stored on our dedicated physical and virtual server infrastructure. All backend servers are located in Hetzner data centers in Frankfurt, Germany (EU).
- Object Storage (S3-compatible MinIO): AI-generated media files (images, music tracks, video files, audiobook files) are stored in our self-hosted S3-compatible object storage, also physically located in the EU on our Hetzner infrastructure.
5.2 Security Measures
- Encryption in transit: All data transmitted between your device and our servers, and between our internal services, is encrypted using TLS 1.3 (HTTPS) with strong cipher suites.
- Encryption at rest: All stored data is encrypted at rest using AES-256 encryption. Database volumes, object storage, and backups all use server-side encryption.
- Access controls: Strict role-based access controls (RBAC) limit data access to the minimum necessary personnel. Internal administrative access requires multi-factor authentication, is logged, and is subject to periodic audit.
- API authentication: All backend API endpoints require valid authentication. End-user requests require Firebase ID tokens. Internal service-to-service communication uses short-lived HMAC-signed requests.
- Network isolation: Our backend infrastructure is protected by firewalls and runs internal service communication over a private network (10.0.0.0/8). Public internet exposure is limited to the API gateway and edge proxy only.
- Rate limiting and DDoS protection: All public API endpoints are rate-limited to prevent abuse and brute-force attacks.
- Regular maintenance: We apply security patches to all server operating systems, container images, and dependencies on an ongoing basis. We monitor for vulnerabilities in our software supply chain.
6. Data Retention — How Long We Keep Your Data
We retain your data only as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Below are the specific retention periods for each data category:
| Data Category | Active Retention Period | After Account Deletion |
|---|---|---|
| Account data (email, display name, profile picture URL) | While account is active | Permanently deleted within 30 calendar days |
| Chat history and conversations (all messages, prompts, AI responses) | While account is active, or until manually deleted by user | Permanently deleted within 30 calendar days |
| AI-generated media files (images, music, video, audiobooks) | While account is active, or until manually deleted by user | Permanently deleted within 30 calendar days |
| Uploaded files and document attachments | While the associated conversation exists | Deleted with the associated conversation |
| User preferences and settings (theme, language, onboarding state) | While account is active | Permanently deleted within 30 calendar days |
| Billing and purchase transaction history | 7 years (statutory tax and accounting requirement) | Anonymized: all personal identifiers (name, email, account ID) permanently removed. Financial transaction records retained for legal compliance period. |
| Feedback submissions (ratings and comments) | 12 months from submission date | Permanently deleted within 30 calendar days |
| Crash logs and diagnostic data | 90 days from collection date | Automatically expire and are permanently deleted |
| Server access logs (IP addresses, request timestamps) | 90 days | Automatically rotated and permanently deleted |
| Anonymized, aggregated usage analytics | Indefinitely (cannot identify any individual) | Retained in non-personal, aggregated statistical form |
| Encrypted database backups | Per backup rotation schedule (30-day cycle) | Fully purged within 30 additional days after deletion from active databases |
7. How to Delete Your Data
You have full, meaningful control over your data. Below are all the methods available for deleting your data:
7.1 In-App Self-Service Deletion
- Delete a single conversation: Open the App → navigate to any chat → tap the menu icon (⋮ or •••) in the top-right corner → select "Delete Conversation" → confirm. The entire conversation including all messages, AI responses, and any attached files or generated media associated with that conversation is immediately and permanently removed from our active servers. This action is irreversible.
- Delete individual messages: Within any conversation → long-press on a specific message → tap "Delete". Only the selected message is removed. The rest of the conversation remains intact.
- Delete AI-generated media files: Open the App → navigate to the Media Gallery → long-press on any item → tap "Delete". The file is permanently deleted from our object storage and will no longer be accessible.
- Clear all conversations: Open the App → Settings → Privacy → "Clear All Conversations" → confirm. All chat history and all associated media files across all conversations are permanently deleted. Your account and subscription remain active.
- Delete your entire account and all associated data: Open the App → Settings → Account → "Delete Account". You will be asked to re-authenticate and type the word "DELETE" to confirm. Upon confirmation:
  - Your account is immediately deactivated (you are logged out and cannot log back in).
  - All personal data — profile, chat history, AI-generated media, uploaded files, preferences, feedback — is permanently and irreversibly erased from our active databases within 48 hours.
  - Billing records are anonymized: all personal identifiers (name, email, account ID, IP addresses) are permanently stripped. Anonymized transaction records are retained for the statutory 7-year period.
  - You receive a confirmation email at your registered email address once deletion is fully complete.
  - This action is final and cannot be undone. You may create a new account in the future, but past data cannot be recovered under any circumstances.
7.2 Deletion by Email Request
If you cannot access the App — for example, if you have already deleted it from your device, lost access to your account credentials, or are a former user — you can request complete data deletion by sending an email. Please use the following template:
To: support@imatrix.tv
Subject: "Data Deletion Request — MELL 4"
Body must include: The email address associated with your MELL 4 account.
Body may optionally include: Your account display name (helps us locate your account faster).
Processing time: We will complete your deletion request within 14 calendar days of receiving all required information.
Verification: If we need to verify your identity to prevent fraudulent deletion requests, we may respond and ask for one additional verification step. Any information provided for verification purposes is used solely for that purpose and deleted immediately after verification.
7.3 What Happens After Deletion — Detailed Timeline
- Immediate (within seconds): Your account is deactivated. You can no longer log in. All API access using your credentials is revoked.
- Within 48 hours: All personal data is permanently erased from active databases (Firebase Firestore, PostgreSQL, MySQL) and object storage (S3/MinIO).
- Within 30 calendar days: Encrypted database backups that may contain your data are rotated and fully purged from backup storage.
- Within 90 calendar days: Server access logs and API request logs containing your IP address are automatically rotated and permanently deleted.
- Permanently retained (anonymized): Billing transaction records, stripped of all personally identifiable information, are retained for the statutory 7-year period. Aggregated, anonymized usage statistics that cannot identify you are retained indefinitely.
7.4 Data Portability
Under GDPR Article 20, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format. To request a data export:
To: support@imatrix.tv
Subject: "Data Export Request — MELL 4"
Format: Your data will be provided in JSON format (or CSV if preferred).
Processing time: We will provide your data within 30 calendar days of receiving your verified request.
8. How We Share Your Data
We share your data only as strictly necessary and as described in this section. We never sell your data.
8.1 Service Providers (Data Processors)
We engage the following service providers who act as data processors on our behalf. Each provider is contractually bound by a Data Processing Agreement (DPA) to process your data only according to our documented instructions and to implement appropriate technical and organizational security measures:
- Google / Firebase (Google LLC): Provides authentication services (Firebase Authentication) and real-time database services (Firebase Firestore). Data is stored in Google Cloud Platform data centers in the EU. Google is certified under the EU-US Data Privacy Framework. See the Firebase Privacy Policy.
- RevenueCat (RevenueCat, Inc.): Manages cross-platform subscription state, purchase receipt validation, and entitlement tracking for in-app purchases and auto-renewing subscriptions. See the RevenueCat Privacy Policy.
- Hetzner Online GmbH: Provides dedicated physical and cloud server infrastructure for our backend services and object storage. All servers are physically located in Frankfurt, Germany (EU). See the Hetzner Privacy Policy.
8.2 AI Model Providers
When you send a message or prompt to the AI assistant, the content of your message (text, image data, or file content) is transmitted to the relevant AI model provider's inference API for processing. This is essential to generate the AI response:
- Google Gemini API (Google LLC): Used for conversational chat, image analysis, document understanding, and multimodal tasks. API terms prohibit the use of customer data for model training.
- DeepSeek API: Used for advanced text generation, coding assistance, and complex reasoning tasks. API terms prohibit the use of customer data for model training.
Both providers process prompts for inference only. Prompts may be temporarily retained by the provider for abuse and safety monitoring (typically up to 30 days) and are then permanently deleted. We have verified through each provider's terms of service and data processing agreements that your prompts are not used for model training or improvement.
8.3 App Store Platforms
- Google Play (Google LLC): Processes subscription payments and manages auto-renewing subscriptions for Android users.
- Apple App Store (Apple Inc.): Processes subscription payments and manages auto-renewing subscriptions for iOS users.
Your payment instrument details (credit/debit card number, bank account, etc.) are processed directly by Google Play or Apple — we never receive, access, or store your complete payment details. We receive only a subscription status and anonymized purchase token.
8.4 Legal Disclosures
We may disclose your personal data if required to do so by applicable law or in response to a valid and enforceable request by a public authority with proper legal jurisdiction (e.g., a court order, subpoena, or government agency demand). We will notify you of any such disclosure unless we are legally prohibited from doing so. We will challenge overly broad or unlawful requests where possible.
8.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. You will be notified via email and/or a prominent notice in the App of any change in ownership or the use of your personal data, as well as any choices you may have.
9. Third-Party Services
The App integrates with the following third-party services. This Privacy Policy applies only to data we collect and process. Each third-party service has its own privacy policy, which we encourage you to review:
- Google Firebase (Authentication, Firestore database, Cloud Messaging, Cloud Functions)
- RevenueCat (cross-platform subscription management and receipt validation)
- Google Gemini API (AI model inference for chat, vision, and document tasks)
- DeepSeek API (AI model inference for text generation and reasoning)
- Google Play Billing (Android in-app purchases)
- Apple StoreKit (iOS in-app purchases)
- Google Sign-In (OAuth authentication provider)
10. Cookies and Tracking Technologies
The MELL 4 mobile application does not use cookies, web beacons, or any browser-based tracking technologies.
Our landing page at mell.imatrix.tv is a static website that does not set any tracking cookies, does not use any analytics services, and does not deploy any fingerprinting or tracking scripts. The page loads only Google Fonts (which may set a minimal caching cookie) and no other third-party resources that engage in tracking.
The App stores minimal local data on your device solely for essential functionality:
- Authentication token: Stored securely in the device's operating system keychain (iOS Keychain / Android Keystore) to keep you logged in between sessions. This token is not accessible to other apps and is not used for tracking.
- Theme preference: Your choice of light, dark, or system-default theme, stored in local app storage. Not transmitted to any server.
- Onboarding completion flag: A simple boolean value indicating you have completed the first-run onboarding flow. Stored locally and not transmitted.
We do not use any advertising identifiers (IDFA on iOS, AAID on Android), we do not deploy any third-party analytics SDKs (such as Google Analytics, Firebase Analytics, Mixpanel, Amplitude, or similar), and we do not track you across apps or websites.
11. Children's Privacy
MELL 4 is not directed at, intended for, or marketed to children. You must be at least 13 years of age (or the applicable age of digital consent in your jurisdiction, which may be 16 in certain EU member states) to create an account and use the App.
We do not knowingly collect, solicit, or process personal data from anyone under the applicable age of consent. If we become aware that a user under the applicable age has registered and provided personal data without verifiable parental consent, we will:
- Immediately terminate the account.
- Permanently delete all associated personal data from our active systems within 48 hours.
- Purge the data from backups within the next backup rotation cycle.
If you are a parent or legal guardian and believe your child has provided us with personal data, please contact us immediately at support@imatrix.tv. We will respond promptly to investigate and, if confirmed, delete the data.
12. Your Privacy Rights
Depending on your jurisdiction, you have specific legal rights regarding your personal data. We honor all applicable rights regardless of your location. This section summarizes the key rights available to you:
12.1 Rights Under GDPR (EEA, United Kingdom, Switzerland)
- Right of access (Art. 15): Obtain confirmation of whether we process your data and a copy of that data.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data. See Section 7 for detailed instructions.
- Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller. See Section 7.4.
- Right to object (Art. 21): Object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint (Art. 77): File a complaint with your local data protection supervisory authority if you believe our processing violates GDPR.
12.2 Rights Under CCPA/CPRA (California, USA)
- Right to know: Request details about the categories and specific pieces of personal data we collect, the sources, the business purpose, and the categories of third parties with whom we share it.
- Right to delete: Request deletion of personal data we have collected from you, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal data we hold about you.
- Right to opt-out of sale/sharing: We do not sell or share personal data as defined by the CCPA, so there is nothing to opt out of. We state this explicitly for clarity.
- Right to limit use of sensitive personal information: We do not use or disclose sensitive personal information for purposes other than providing the service.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
12.3 Rights Under Other Jurisdictions
- Brazil (LGPD): Rights to confirmation, access, correction, anonymization/blocking/deletion, portability, and revocation of consent.
- Canada (PIPEDA): Rights to access, correction, and withdrawal of consent.
- Australia (Privacy Act 1988): Rights to access and correction of personal information.
12.4 How to Exercise Your Rights
To exercise any of the rights listed above, send an email to support@imatrix.tv. Please specify which right you wish to exercise and provide sufficient information for us to locate your account. We will:
- Acknowledge receipt of your request within 5 business days.
- Respond substantively within the timeframe required by your jurisdiction (typically 30 calendar days for GDPR, 45 calendar days for CCPA).
- Verify your identity before processing your request (to prevent fraudulent requests). Verification typically requires confirming your email address. In rare cases, we may ask for one additional piece of information.
- Not charge any fee unless your request is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse to act.
13. International Data Transfers
Your personal data is primarily stored and processed on servers physically located in the European Union (Frankfurt, Germany — Hetzner data centers, and Google Cloud Platform EU regions).
Certain service providers we use may process data outside the EU/EEA. Specifically:
- RevenueCat (USA): Subscription state data is processed on RevenueCat's infrastructure in the United States. RevenueCat is certified under the EU-US Data Privacy Framework and we have entered into Standard Contractual Clauses (SCCs) and a Data Processing Agreement with RevenueCat.
- Google (USA): Firebase services store data in EU data centers. In limited cases, Google's technical support may involve access from outside the EU. Google is certified under the EU-US Data Privacy Framework.
Where international data transfers occur, we ensure appropriate safeguards are in place, including:
- European Commission-approved Standard Contractual Clauses (SCCs)
- Data Processing Agreements with binding contractual obligations
- Technical measures (encryption at rest and in transit, pseudonymization where feasible)
- Transfer impact assessments to verify the adequacy of protection
14. Data Breach Procedures
We take data security extremely seriously. In the unfortunate event of a personal data breach — defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data — we will execute the following response plan:
- Detection and containment (immediate): Our monitoring systems detect anomalies. The affected systems are immediately isolated to contain the breach. Access credentials are rotated. We determine the scope: what data was affected, how many users are impacted, and the root cause.
- Notification to supervisory authority (within 72 hours): If the breach is likely to result in a risk to individuals' rights and freedoms, we notify the competent data protection supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notification to affected users (without undue delay): If the breach is likely to result in a high risk to your rights and freedoms, we notify you directly (via email and/or in-app notification) without undue delay. The notification will include:
  - The nature of the breach
  - The categories and approximate number of data records concerned
  - The name and contact details of our data protection contact
  - The likely consequences of the breach
  - The measures we have taken or propose to take to address the breach and mitigate its effects
  - Recommendations for steps you can take to protect yourself
- Remediation and prevention: We fix the root cause, verify the fix, and implement additional safeguards to prevent recurrence. A post-incident review is conducted and documented.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the App's features, or applicable law. When we make changes:
- Material changes: We will notify you through the App (via an in-app notification or prominent banner) and, for significant changes, also by email to your registered email address. Notice will be provided at least 14 calendar days before the changes take effect.
- Non-material changes: Minor clarifications, formatting improvements, or typo fixes may be made without prior notice. The updated policy will be posted on this page.
- The "Last updated" date at the top of this page will be revised to reflect the date of the most recent changes.
- Consent: For changes that require your consent under applicable law, we will explicitly ask for your consent before the changes apply to you.
- Archived versions: Previous versions of this Privacy Policy are available upon request by emailing support@imatrix.tv.
Your continued use of the App after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the App, cancel any active subscription, and delete your account.
For any questions, concerns, complaints, or requests regarding this Privacy Policy or our data practices:
For GDPR-specific inquiries, you may contact our EU representative at the same email address: support@imatrix.tv. For users in the United Kingdom, the same contact applies.
You also have the right to lodge a complaint with your local data protection supervisory authority. A directory of EU/EEA data protection authorities is maintained by the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en.