Claimenta Privacy Policy
Version 0.9 (DRAFT) — Effective: [PLACEHOLDER]
1. Controller
[KFT LEGAL NAME], [SEAT ADDRESS], Hungary, reg. no. [PLACEHOLDER], privacy contact: [privacy@claimenta.com — PLACEHOLDER]. No data protection officer is appointed [confirm].
2. What we process, why, and on what legal basis
| Processing | Data | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Account & dashboard | Name, business e-mail, org name, hashed credentials, settings | Art 6(1)(b) contract | Account life + 30 days, then delete/anonymise |
| Billing status | Stripe customer/subscription IDs, plan, invoicing status (no card data — payment data is processed by Stripe as merchant of record and independent controller; see Stripe’s privacy notice at checkout) | Art 6(1)(b); Art 6(1)(c) accounting (HU: 8 years for accounting records we hold) | Statutory accounting periods |
| Customer scans & reports | Scanned public-page extracts, screenshots, findings, reports for your verified domains | Art 6(1)(b) | Contract life + 24 months (report reproducibility), then delete |
| Cold scanning of public pages | Page extracts/screenshot crops that may incidentally contain personal data published on business websites | Art 6(1)(f) — see our Legitimate Interest Assessment (available on request); safeguards: public pages only, snippets capped, redaction before external AI processing, scanner opt-out | 12 months, then delete |
| B2B outreach (prospects) | Name, role, business e-mail, company, source URL (provenance), correspondence | Art 6(1)(f) — direct marketing to business contacts (Recital 47); per-country e-marketing rules honored; one follow-up max | Non-responders purged after 12 months; suppression list kept as hashed identifiers indefinitely to honor your objection |
| Suppression / opt-out | Hashed e-mail, timestamp | Art 6(1)(f) / (c) — honoring objections | Indefinite (hashed) |
| Transactional e-mail | Recipient, content, delivery metadata | Art 6(1)(b)/(f) | 12 months (logs) |
| Web analytics | Self-hosted, cookie-free aggregate statistics (Umami) — no cross-site identifiers, no ad networks | Art 6(1)(f) (minimal-intrusion analytics) | Aggregates only |
| Error monitoring | Technical event data, scrubbed of personal data where feasible (self-hosted GlitchTip) | Art 6(1)(f) | 90 days |
Retention periods above are the operating values our automated purge jobs enforce; where a statute requires longer (e.g. accounting), the statutory period prevails.
We do not sell personal data and do not use it for third-party advertising.
3. Recipients
Sub-processors and independent controllers are listed in our processor register (public subset): Hostinger (EU hosting); Stripe (merchant of record — independent controller for payments and tax); e-mail delivery provider [PLACEHOLDER]; AI analysis providers for claim classification and report text (personal data is minimised/redacted from analysis inputs; providers and transfer safeguards listed in the register). Data is also disclosed to authorities where legally required.
4. International transfers
Primary processing is in the EU. Where a provider processes data in the US, we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
5. Your rights
You have the rights of access, rectification, erasure, restriction, portability, and objection. This includes in particular objection to direct marketing, which we honor immediately and permanently (Art 21(2)-(3)). We do not carry out automated decision-making that produces legal or similarly significant effects on individuals (Art 22) — our automated analysis classifies marketing text, not people. Where any processing is ever based on consent, you can withdraw it at any time with effect for the future. Write to [privacy@claimenta.com]. You may complain to a supervisory authority — your local one or the Hungarian NAIH (naih.hu), which is our lead authority. We answer requests within one month. DSAR-driven deletion is a built-in admin action.
6. Website operators, prospects & scanning
If personal data of yours appears in extracts we stored from a scanned public business page, you may object or request deletion via [privacy@claimenta.com] or the scanner opt-out (see the Scanner Policy page) — exclusion within 24 hours.
Where we hold business contact data about you as a prospect, its source (Art 14(2)(f)) is your organisation’s own public web pages; the exact source page is recorded with your record and named in the first e-mail we send you. We contact business roles only, at most twice, and purge non-responders after 12 months.
7. Security & breach handling
We use TLS in transit, encrypted backups, least-privilege access, separation of contact data from scan data, and logging. Breaches are assessed and notified per Art 33/34 GDPR.
8. Changes
This policy is versioned; material changes are notified in-product or by e-mail.
See also the Terms of Service, Cookie Policy, Refund & Cancellation Policy and Imprint.