Privacy Policy
Version 0.9-DRAFT · Effective date: [OWNER_REVIEW: effective date]
This page also contains the Cookie Policy. This is a draft awaiting legal review and owner approval; it is not legal advice.
Controller: [KFT LEGAL NAME], [ADDRESS], Hungary — privacy@[DOMAIN]. Supervisory authority: NAIH (Hungary); you may also complain to your local EU authority.
1. Who this policy covers
(a) Customers & users of the dashboard; (b) prospects we contact by B2B email; (c) people appearing in public data we scan (advertisers who are sole traders; individuals incidentally named in public ads/pages); (d) website visitors.
2. What we process, why, and on what legal basis
| Group | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Customers | account data (name, business email, org), usage logs, settings | provide the Service (contract), security | Art. 6(1)(b); logs 6(1)(f) | account life + [1 year]; logs [90 days] |
| Customers | billing status (plan, entitlement, invoice references) | entitlements, accounting | 6(1)(b); statutory records 6(1)(c) | statutory (HU: 8 years for accounting records held by us, if any) |
| Payment data | card/payment details, billing address, invoices | processed by Stripe as merchant of record — independent controller; we receive only status/references, never card data | Stripe's own bases | see Stripe's policy |
| Prospects | business email, role, name (if public), source URL, country, collected date; delivery events (bounce/complaint); suppression list | first-contact B2B communication about their own live ads; deliverability protection | 6(1)(f) — documented Legitimate Interest Assessment (summary on request) | 12 months if no engagement; suppression: indefinitely (minimized hash). Unsubscribing suppresses you across all products operated by us (single controller), so we never contact you again from any of them |
| Scanned public data | advertiser names/IDs, ad creative text, public landing text extracts (contact details stripped), check results | the core reporting service | 6(1)(f) — LIA; source data published under EU transparency rules (DSA Art. 39) | scan artifacts [12 months]; cold previews [90 days]. A technical page-fetch cache is shared across our own products (same controller, same purge rules) solely to avoid fetching the same public page twice |
| Visitors | see Cookie Policy; analytics are cookie-free (self-hosted Umami, aggregated) | site operation, measurement | 6(1)(f) | aggregated |
We do not sell personal data, do not run third-party advertising trackers, and do not make automated decisions with legal effect on individuals.
3. Recipients
Hosting: Hostinger (EU). Payments: Stripe (merchant of record — independent controller). Email delivery: [PROVIDER]. AI processing for report text: Anthropic (US — EU–US Data Privacy Framework / SCCs; content is redacted of contact details before processing). Bulk classification: [OWNER_REVIEW: bulk-classification provider — transfer safeguards per our processor register]. Self-hosted ops tooling (analytics, error tracking) — no external recipient. Authorities where legally required. Full sub-processor list: available on request / [URL of processors page].
4. International transfers
Primary storage in the EU. Where a processor is outside the EU/EEA we rely on adequacy decisions (incl. EU–US Data Privacy Framework) or Standard Contractual Clauses with supplementary measures; details on request.
5. Your rights
Access, rectification, erasure, restriction, portability (where applicable), and objection — including an absolute right to object to direct marketing: one click on the unsubscribe link (permanent suppression) or email privacy@[DOMAIN]. Advertisers/site owners may also opt out of scanning entirely (Scanning Policy [URL], honored ≤24 h). We answer within one month (Art. 12(3)). Complaints: NAIH — naih.hu — or your local authority.
6. Sources of data we did not collect from you (Art. 14)
Prospect contact data comes from your organization's own public website (the exact page is cited in our first email). Advertiser/ad data comes from the public Meta Ad Library and Google Ads Transparency Center. Categories: business contact + public advertising data only; no special categories.
7. Security & breach handling
EU VPS hosting, encryption in transit, least-privilege access, contact data stored separately from scan data, backups, and a breach-notification process per Art. 33/34.
Cookie Policy
Version 0.9-DRAFT · Effective date: [OWNER_REVIEW: effective date]
- Marketing site: no advertising or third-party analytics cookies. Traffic measurement uses self-hosted, cookie-free Umami (aggregated, no cross-site tracking), so no consent banner is required for it (ePrivacy consent attaches to terminal-equipment storage/access, which does not occur).
- Dashboard (logged-in): strictly necessary cookies only — session authentication [session], CSRF [csrf] — exempt from consent (ePrivacy Art. 5(3) strictly-necessary exemption). Lifetime: session / [30 days].
- Checkout/portal: hosted by Stripe on Stripe domains; Stripe sets its own cookies under its own policy shown there.
- Retargeting: none at launch. If a marketing pixel (e.g. Meta Pixel) is ever added, it will load only after prior opt-in consent via a consent banner, and this policy and the consent tool will be updated first.
- Questions: privacy@[DOMAIN].