Claimenta Privacy Policy

Version 0.9 (DRAFT) — Effective: [PLACEHOLDER]

DRAFT v0.9 — pending lawyer review and owner approval.

1. Controller

[KFT LEGAL NAME], [SEAT ADDRESS], Hungary, reg. no. [PLACEHOLDER], privacy contact: [privacy@claimenta.com — PLACEHOLDER]. No data protection officer is appointed [confirm].

2. What we process, why, and on what legal basis

| Processing | Data | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Account & dashboard | Name, business e-mail, org name, hashed credentials, settings | Art 6(1)(b) contract | Account life + 30 days, then delete/anonymise |
| Billing status | Stripe customer/subscription IDs, plan, invoicing status (no card data — payment data is processed by Stripe as merchant of record and independent controller; see Stripe’s privacy notice at checkout) | Art 6(1)(b); Art 6(1)(c) accounting (HU: 8 years for accounting records we hold) | Statutory accounting periods |
| Customer scans & reports | Scanned public-page extracts, screenshots, findings, reports for your verified domains | Art 6(1)(b) | Contract life + 24 months (report reproducibility), then delete |
| Cold scanning of public pages | Page extracts/screenshot crops that may incidentally contain personal data published on business websites | Art 6(1)(f) — see our Legitimate Interest Assessment (available on request); safeguards: public pages only, snippets capped, redaction before external AI processing, scanner opt-out | 12 months, then delete |
| B2B outreach (prospects) | Name, role, business e-mail, company, source URL (provenance), correspondence | Art 6(1)(f) — direct marketing to business contacts (Recital 47); per-country e-marketing rules honored; one follow-up max | Non-responders purged after 12 months; suppression list kept as hashed identifiers indefinitely to honor your objection |
| Suppression / opt-out | Hashed e-mail, timestamp | Art 6(1)(f) / (c) — honoring objections | Indefinite (hashed) |
| Transactional e-mail | Recipient, content, delivery metadata | Art 6(1)(b)/(f) | 12 months (logs) |
| Web analytics | Self-hosted, cookie-free aggregate statistics (Umami) — no cross-site identifiers, no ad networks | Art 6(1)(f) (minimal-intrusion analytics) | Aggregates only |
| Error monitoring | Technical event data, scrubbed of personal data where feasible (self-hosted GlitchTip) | Art 6(1)(f) | 90 days |

Retention periods above are the operating values our automated purge jobs enforce; where a statute requires longer (e.g. accounting), the statutory period prevails.

We do not sell personal data and do not use it for third-party advertising.

3. Recipients

Sub-processors and independent controllers are listed in our processor register (public subset): Hostinger (EU hosting); Stripe (merchant of record — independent controller for payments and tax); e-mail delivery provider [PLACEHOLDER]; AI analysis providers for claim classification and report text (personal data is minimised/redacted from analysis inputs; providers and transfer safeguards listed in the register). Authorities where legally required.

4. International transfers

Primary processing is in the EU. Where a provider processes data in the US, we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

5. Your rights

Access, rectification, erasure, restriction, portability, and objection — in particular to direct marketing, which we honor immediately and permanently (Art 21(2)-(3)). We do not carry out automated decision-making that produces legal or similarly significant effects on individuals (Art 22) — our automated analysis classifies marketing text, not people. Where any processing is ever based on consent, you can withdraw it at any time with effect for the future. Write to [privacy@claimenta.com]. You may complain to a supervisory authority — your local one or the Hungarian NAIH (naih.hu), which is our lead authority. We answer requests within one month. DSAR-driven deletion is a built-in admin action.

6. Website operators, prospects & scanning

If personal data of yours appears in extracts we stored from a scanned public business page, you may object or request deletion via [privacy@claimenta.com] or the scanner opt-out (see the Scanner Policy page) — exclusion within 24 hours.

Where we hold business contact data about you as a prospect, its source (Art 14(2)(f)) is your organisation’s own public web pages; the exact source page is recorded with your record and named in the first e-mail we send you. We contact business roles only, at most twice, and purge non-responders after 12 months.

7. Security & breach handling

TLS in transit, encrypted backups, least-privilege access, contact data separated from scan data, logging. Breaches are assessed and notified per Art 33/34 GDPR.

8. Changes

Versioned; material changes notified in-product or by e-mail.

See also the Terms of Service, Cookie Policy, Refund & Cancellation Policy and Imprint.