OUR COMMITMENT TO GDPR

DESIGNING FOR THE EUROPEAN MARKET

As a design collective originating in the US and migrating to the EU, Arowana recognizes the critical importance of European data protection standards, particularly the General Data Protection Regulation (GDPR).
WE VIEW SECURITY & PRIVACY NOT AS AN AFTERTHOUGHT, BUT AS A CORE PRINCIPLE OF OUR DESIGN PROCESS.
We require our collective to sign comprehensive NDAs and adhere to Figma’s GDPR policies. We educate our American designers on the principles of GDPR and do not onboard them until they pass with 100% accuracy.

1: OUR COMMITMENTS INCLUDE:

PRIVACY BY DESIGN

We integrate privacy controls, consent mechanisms, and data minimization from the initial concept phase.

This ensures legal compliance from DAY ONE, reducing costly redesigns and legal risk.

DATA MINIMIZATION

We design systems that only require the minimum necessary user data to function, limiting your firm’s liability.

This prevents unnecessary data collection and storage, mitigating the risk of a breach.

CONTENT & TRANSPARENCY

We reject "Dark Patterns" and ensure all consent flows use clear, affirmative action, respecting the user's Right to Refuse.

This aligns your product with the EU's Digital Services Act and strengthens user trust.

DATA RESIDENCY

Where EU data residency is a strict requirement, we utilize client-provided EU-based enterprise tools (e.g., EU instances of Figma, AWS S3) for project files.

This ensures design assets remain within the required EU legal jurisdiction.

2: NO LIVE DATA ACCESS

We explicitly operate as a Design Partner and NOT as a Data Processor in the GDPR context. This means:

• We DO NOT request, store, or process your live customer data (PII).
• We DO NOT require access to your production database, staging environments, or user lists.
• We DO NOT use client user data for internal testing or portfolio work.

Instead, you’re investing directly in senior-level talent that is activated specifically for your project’s milestones. It’s a leaner, more intentional way to build, ensuring that every dollar of your budget goes toward the craft and every pixel is vetted by the same person who led the initial strategy.

3: SYNTHETIC DATA USE

All UX/UI work, prototyping, and user testing are conducted using:

• Synthetic Data: Fictional, GDPR-neutral data sets that mimic the structure of your business (e.g., fake names, account balances, transaction histories).
• Dummy Text: Standard placeholder content to focus testing solely on layout and interaction.


This method allows us to rigorously test the interface without creating a massive legal liability for international data transfer.