GDPR

once-interactive

TM

Our commitment to General Data Protection Regulation standards for every client we serve.

Privacy, transparency, and control — built into every engagement.

Our GDPR Commitment

Once Interactive, Inc. is committed to ensuring the privacy and protection of personal data belonging to individuals in the European Economic Area (EEA) and the United Kingdom. This page describes how we comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR as incorporated into UK law by the Data Protection Act 2018. We treat GDPR compliance not as a checklist, but as a foundational standard for how we handle all personal data.

1 - Scope & Applicability

This GDPR Compliance Statement applies to the processing of personal data of individuals located in the European Economic Area (EEA) or the United Kingdom ("Data Subjects"), whether they are:

  • Visitors to our website at onceinteractive.com;

  • Prospective clients who submit inquiries or requests;

  • Existing clients based in or receiving services within the EEA or UK;

  • Contacts at client organizations whose personal data we process in the course of delivering services;

  • Third-party individuals whose personal data is shared with us by our clients as part of marketing campaigns or digital projects.

Once Interactive is a U.S.-based entity headquartered in Las Vegas, Nevada. Where we offer services to individuals in the EEA or UK, or monitor the behavior of such individuals, we are subject to GDPR requirements regardless of our location.

2 - Data Controller vs. Data Processor

When We Are a Data Controller

Once Interactive acts as a Data Controller when we independently determine the purposes and means of processing personal data. This includes:

  • Processing data of website visitors and prospective clients;

  • Managing our own marketing and communications lists;

  • Processing information of client contacts for business relationship management.

As a Data Controller, we bear full responsibility for ensuring our processing activities are lawful, fair, and transparent.

When We Are a Data Processor

Once Interactive acts as a Data Processor when we process personal data on behalf of our clients according to their documented instructions. This occurs when:

  • Managing and optimizing paid advertising campaigns using a client's customer data;

  • Implementing email marketing campaigns using client-provided contact lists;

  • Accessing client website visitor data through analytics tools for reporting;

  • Operating client CRM or marketing automation systems on their behalf.

In such cases, our clients act as the Data Controller and we process data strictly in accordance with our service agreements and applicable Data Processing Agreements (DPAs).

Note for Clients

If you are a Once Interactive client with EU/UK customers, you may require a Data Processing Agreement (DPA) with us. Please contact us at hello@onceinteractive.com to request one.

3 - Lawful Basis for Processing

Under Article 6 of the GDPR, all processing of personal data must have a lawful basis. Once Interactive relies on the following bases depending on the context:

Article 6(1)(b)

Contractual Necessity

Processing necessary to enter into or perform a contract with you — for example, delivering agreed digital marketing or web development services.

Article 6(1)(a)

Consent

Where you have freely given, specific, informed, and unambiguous consent — such as subscribing to marketing emails or accepting non-essential cookies.

Article 6(1)(f)

Legitimate Interests

For purposes such as improving our services, preventing fraud, communicating with existing clients, and securing our systems. We always balance these interests against your rights.

Article 6(1)(c)

Legal Obligation

Where processing is necessary to comply with a legal obligation, such as tax, accounting, or anti-money laundering regulations.

Where we process special category data (e.g., health information), we rely on explicit consent under Article 9(2)(a) or another applicable exception. We do not routinely collect special category data through our website or services.

4 - Personal Data We Process

The following table outlines the categories of personal data we process as a Controller, the lawful basis, and the source:

Data Category

Name, email, phone, company, job title (contact inquiries)

Lawful Basis: Legitimate Interests / Pre-contractual

Source: Directly from you

IP address, device data, browsing behavior (website analytics)

Lawful Basis: Consent / Legitimate Interests

Source: Automatically collected

Name, email, preferences (newsletter subscribers)

Lawful Basis: Consent

Source: Directly from you

Name, company, billing address (clients)

Lawful Basis: Contract

Source: Directly from you

Communications content (emails, messages)

Lawful Basis: Contract / Legitimate Interests

Source: Directly from you

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without appropriate safeguards.

5 - Data Subject Rights

Under the GDPR, you have the following rights with respect to your personal data. We will respond to all verified requests within one calendar month, extendable by two additional months for complex requests (with notice).

Right

Right of Access (Art. 15)

What This Means: Receive a copy of the personal data we hold about you and information about how we use it.

Applicable? Always

Right to Rectification (Art. 16)

What This Means: Request correction of inaccurate or incomplete personal data without undue delay.

Applicable? Always

Right to Erasure (Art. 17)

What This Means: Request deletion of your personal data where there is no legitimate reason for us to continue processing it.

Applicable? Conditional

Right to Restrict Processing (Art. 18)

What This Means: Request that we limit how we use your personal data in certain circumstances (e.g., while accuracy is contested).

Applicable? Conditional

Right to Data Portability (Art. 20)

What This Means: Receive your personal data in a structured, machine-readable format and transmit it to another controller where technically feasible.

Applicable? Where Applicable

Right to Object (Art. 21)

What This Means: Object at any time to processing based on legitimate interests or for direct marketing purposes.

Applicable? Always

Right to Withdraw Consent (Art. 7)

What This Means: Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Applicable? Where Consent Used

Rights re: Automated Decisions (Art. 22)

What This Means: Not be subject to solely automated decision-making that produces legal or significant effects.

Applicable? Always

To exercise any of these rights, please contact us at hello@onceinteractive.com. We may ask for proof of identity to verify your request before acting on it. We will not charge a fee for reasonable requests; however, we may charge a reasonable fee for manifestly unfounded or excessive requests.

6 - International Data Transfers

Once Interactive is based in the United States. When we collect or process personal data from individuals in the EEA or UK, this constitutes a transfer of personal data to a third country. The United States does not currently have an adequacy decision from the European Commission for all transfers.

We ensure that any transfer of personal data to the U.S. is subject to appropriate safeguards in accordance with GDPR Chapter V. These safeguards may include:

  • Standard Contractual Clauses (SCCs) — the European Commission-approved contractual clauses incorporated into our agreements with clients and service providers, supplemented by a Transfer Impact Assessment (TIA) where required;

  • UK International Data Transfer Agreements (IDTAs) — for transfers from the UK;

  • Consent — where you have been explicitly informed of the risks and have provided specific consent (for non-repetitive, limited transfers).

We also ensure that our sub-processors who may process EEA/UK personal data have appropriate transfer mechanisms in place. A list of key sub-processors is available upon request.

7 - Data Processing Agreements

Where Once Interactive processes personal data on behalf of a client (acting as a Data Processor), GDPR Article 28 requires that we enter into a Data Processing Agreement (DPA). Our standard DPA includes provisions for:

  • Processing personal data only on documented instructions from the Controller;

  • Ensuring confidentiality obligations apply to all authorized personnel;

  • Implementing appropriate technical and organizational security measures;

  • Not engaging sub-processors without prior written authorization from the Controller;

  • Assisting the Controller in responding to Data Subject rights requests;

  • Supporting the Controller in fulfilling obligations related to security, breach notification, DPIAs, and prior consultation;

  • Deleting or returning all personal data upon termination of services;

  • Providing all necessary information to demonstrate compliance with Article 28.

Clients who require a DPA should contact us at hello@onceinteractive.com. We will provide our standard DPA template or review a client-provided DPA upon request.

8 - Data Retention

In accordance with the GDPR principle of storage limitation (Article 5(1)(e)), we retain personal data only for as long as necessary for the stated purposes. Our retention periods are as follows:

  • Client account and contractual data: 7 years post-contract termination (for legal/accounting purposes);

  • Marketing communications data: Until you withdraw consent or opt out, then 6 months post-opt-out;

  • Website analytics data: 26 months (anonymized thereafter);

  • Inquiry and contact data: 24 months from last meaningful contact;

  • Financial and billing records: 7 years (as required by US and applicable international accounting regulations).

Upon expiry of the applicable retention period, personal data is securely deleted or permanently anonymized. We maintain a data retention schedule and conduct periodic reviews to ensure compliance.

9 - Data Breach Procedures

In the event of a personal data breach, Once Interactive has procedures in place to ensure a prompt and coordinated response in line with our GDPR obligations under Articles 33 and 34:

  • Detection & Containment: Immediate steps to contain the breach and prevent further unauthorized access or disclosure;

  • Risk Assessment: Evaluation of the nature, scope, and likely consequences of the breach for affected individuals;

  • Supervisory Authority Notification: Where the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (or as soon as reasonably practicable);

  • Individual Notification: Where the breach is likely to result in a high risk to individuals, we will notify those affected without undue delay;

  • Documentation: All breaches are documented, including those that do not meet the notification threshold.

Where Once Interactive acts as a Data Processor, we will notify our client (the Data Controller) of any breach without undue delay and assist them in meeting their notification obligations.

To report a suspected data breach, please contact us immediately at hello@onceinteractive.com.

10 - Data Protection Contact

Once Interactive has designated a Privacy Contact responsible for overseeing GDPR compliance and data protection matters. While the GDPR mandates formal appointment of a Data Protection Officer (DPO) only in specific circumstances (e.g., large-scale systematic monitoring or processing of special category data), we are committed to maintaining the equivalent standard of accountability through our designated Privacy Contact.

For all GDPR-related inquiries, data subject requests, DPA requests, or breach reports, please contact:

11 - Supervisory Authority

If you are located in the EEA and you believe Once Interactive has not adequately addressed your data protection concerns, you have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. A list of EEA supervisory authorities is available at edpb.europa.eu.