Disclara
DRAFT — not legal counsel. Counsel review + owner approval (G2) required before launch. Version: 0.9-DRAFT · Effective date: [PLACEHOLDER — set per page at launch].

Privacy Policy

Version 0.9-DRAFT · Effective: [DATE] · Controller: [COMPANY LEGAL NAME] Kft., [ADDRESS], Hungary · privacy@[DOMAIN]

1. Scope

Covers: (a) website visitors; (b) customer accounts; (c) B2B professionals we contact about the Service; (d) incidental data in website scans.

2. What we process, why, and on what legal basis

| Context | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account | email, name, password hash, org | provide the Service | Art. 6(1)(b) contract | account life + [5] yrs (defence of legal claims — HU general limitation period, Ptk. 6:22) |
| Billing | subscription state, plan, billing country (via Stripe) | entitlements, receipts | Art. 6(1)(b); Stripe processes payment data as merchant of record and independent controller — see Stripe’s privacy terms | [8] yrs for accounting records we hold (HU Accounting Act §169); Stripe retains its own records as merchant of record |
| B2B outreach | name, role, business email, company, source URL, collection date | contacting relevant professionals about the Service | Art. 6(1)(f) legitimate interest — a documented balancing assessment is on file; summary available on request | non-responders purged at 12 months; opt-outs kept on the suppression list |
| Scans | content of publicly accessible pages; screenshots cropped to chat-widget area; incidental names possible | producing Reports | Art. 6(1)(f) | scan artifacts [24] months |
| Support | correspondence | help you | Art. 6(1)(b)/(f) | [24] months |
| Analytics | self-hosted, cookie-free aggregate statistics (Umami) | improve the site | Art. 6(1)(f) | aggregate only |
| Server logs | IP address, user agent, request path | security, abuse prevention, incident response | Art. 6(1)(f) | [30] days rolling |

3. Your rights

Access, rectification, erasure, restriction, portability, and — for direct marketing — an absolute right to object (Art. 21(2)): use the unsubscribe link (instant, permanent) or email privacy@[DOMAIN]. We answer within one month. Where any processing is based on consent (e.g. an optional marketing pixel), you may withdraw consent at any time with effect for the future. We do not make automated decisions producing legal or similarly significant effects concerning individuals (Art. 22 is not engaged — scan findings concern companies, not natural persons). Complaints: Hungarian NAIH (naih.hu) or your local supervisory authority.

4. Recipients and transfers

We use a small set of service providers under data-processing terms: hosting in the EU (Hostinger VPS); Stripe for payments (merchant of record — independent controller for the transaction); email infrastructure [PROVIDER]; language-model APIs used to draft report summaries and classify widget text (engineered to receive no personal data; incidental names may occur — a person-name redaction step is applied to captured widget text before any external model call). Current list: https://[DOMAIN]/processors. Transfers outside the EU only with appropriate safeguards (adequacy, EU-US DPF, or SCCs). We do not sell personal data and do not share it for third-party marketing.

5. Where outreach data comes from

If we contacted you cold: your business contact details were collected from your company’s own public pages (the exact source URL is in the email you received). This notice is provided with the first message (GDPR Art. 14).

6. Security

TLS, encrypted backups, access controls, EU hosting, separation of contact data from scan data, no card data on our systems.

7. Changes

We will post changes here with a new version and date; we will notify active customers of material changes by email.


Cookie Policy

Version 0.9-DRAFT · Effective: [DATE]

  1. Essential cookies only by default. The app uses strictly necessary session cookies (login, security). These need no consent (ePrivacy Art. 5(3) exemption).
  2. Analytics without cookies. We use self-hosted, cookie-free aggregate analytics (Umami); no cross-site tracking, no advertising identifiers.
  3. Optional marketing pixel. If a retargeting pixel (e.g. Meta Pixel) is ever enabled, it loads ONLY after your prior opt-in via the consent banner, and can be declined with equal ease. [Currently: enabled/disabled — sync with META_PIXEL_ID config.]
  4. Cookie table: [session cookie name, purpose, lifetime] · [csrf cookie, ...] · [consent cookie, 6 months].
  5. Manage: consent banner “Settings” link or browser controls. Contact: privacy@[DOMAIN].