Privacy Policy
Version 0.9-DRAFT · Effective: [DATE] · Controller: [COMPANY LEGAL NAME] Kft., [ADDRESS], Hungary · privacy@[DOMAIN]
1. Scope
Covers: (a) website visitors; (b) customer accounts; (c) B2B professionals we contact about the Service; (d) incidental data in website scans.
2. What we process, why, and on what legal basis
| Context | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account | email, name, password hash, org | provide the Service | Art. 6(1)(b) contract | account life + [5] yrs (defence of legal claims — HU general limitation period, Ptk. 6:22) |
| Billing | subscription state, plan, billing country (via Stripe) | entitlements, receipts | Art. 6(1)(b); Stripe processes payment data as merchant of record and independent controller — see Stripe’s privacy terms | [8] yrs for accounting records we hold (HU Accounting Act §169); Stripe retains its own records as merchant of record |
| B2B outreach | name, role, business email, company, source URL, collection date | contacting relevant professionals about the Service | Art. 6(1)(f) legitimate interest — a documented balancing assessment is on file; summary available on request | non-responders purged at 12 months; opt-outs kept on the suppression list |
| Scans | content of publicly accessible pages; screenshots cropped to chat-widget area; incidental names possible | producing Reports | Art. 6(1)(f) | scan artifacts [24] months |
| Support | correspondence | help you | Art. 6(1)(b)/(f) | [24] months |
| Analytics | self-hosted, cookie-free aggregate statistics (Umami) | improve the site | Art. 6(1)(f) | aggregate only |
| Server logs | IP address, user agent, request path | security, abuse prevention, incident response | Art. 6(1)(f) | [30] days rolling |
3. Your rights
Access, rectification, erasure, restriction, portability, and — for direct marketing — an absolute right to object (Art. 21(2)): use the unsubscribe link (instant, permanent) or email privacy@[DOMAIN]. We answer within one month. Where any processing is based on consent (e.g. an optional marketing pixel), you may withdraw consent at any time with effect for the future. We do not make automated decisions producing legal or similarly significant effects concerning individuals (Art. 22 is not engaged — scan findings concern companies, not natural persons). Complaints: Hungarian NAIH (naih.hu) or your local supervisory authority.
4. Recipients and transfers
We use a small set of service providers under data-processing terms: hosting in the EU (Hostinger VPS); Stripe for payments (merchant of record — independent controller for the transaction); email infrastructure [PROVIDER]; language-model APIs used to draft report summaries and classify widget text (engineered to receive no personal data; incidental names may occur — a person-name redaction step is applied to captured widget text before any external model call). Current list: https://[DOMAIN]/processors. Transfers outside the EU only with appropriate safeguards (adequacy, EU-US DPF, or SCCs). We do not sell personal data and do not share it for third-party marketing.
5. Where outreach data comes from
If we contacted you cold: your business contact details were collected from your company’s own public pages (the exact source URL is in the email you received). This notice is provided with the first message (GDPR Art. 14).
6. Security
TLS, encrypted backups, access controls, EU hosting, separation of contact data from scan data, no card data on our systems.
7. Changes
We will post changes here with a new version and date; we will notify active customers of material changes by email.
Cookie Policy
Version 0.9-DRAFT · Effective: [DATE]
- Essential cookies only by default. The app uses strictly necessary session cookies (login, security). These need no consent (ePrivacy Art. 5(3) exemption).
- Analytics without cookies. We use self-hosted, cookie-free aggregate analytics (Umami); no cross-site tracking, no advertising identifiers.
- Optional marketing pixel. If a retargeting pixel (e.g. Meta Pixel) is ever enabled, it loads ONLY after your prior opt-in via the consent banner, and can be declined with equal ease. [Currently: enabled/disabled — sync with META_PIXEL_ID config.]
- Cookie table: [session cookie name, purpose, lifetime] · [csrf cookie, ...] · [consent cookie, 6 months].
- Manage: consent banner “Settings” link or browser controls. Contact: privacy@[DOMAIN].