Privacy Policy
1. Data Controller
This Privacy Policy explains how DIGITAL SPECIALISTS s.r.o. ("Conseto," "we," "us," or "our") collects, uses, discloses, and protects your personal data when you visit our websites (conseto.io, app.conseto.io, docs.conseto.io), use our Services, or otherwise interact with us.
Data Controller:
DIGITAL SPECIALISTS s.r.o.
IČO: 21669261 | DIČ: 21669261
Čujkovova 1714/21, 700 30 Ostrava-Zábřeh, Czech Republic
DPO Contact: privacy@conseto.io
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Czech Data Protection Act (Zákon č. 110/2019 Sb.), and other applicable data protection laws.
Important distinction: This Privacy Policy covers how we handle your data as our customer. When you use Conseto to collect data from your website visitors, you are the data controller and we act as data processor under our Data Processing Agreement.
2. Data We Collect
2.1 Account Data (provided by you)
- Full name and email address
- Company name and website URL
- Password (stored as bcrypt hash, never in plaintext)
- Billing information (processed by Revolut; we do not store full card details)
- Communication preferences and settings
2.2 Usage Data (collected automatically)
- IP address and approximate geolocation (country/city level)
- Browser type, version, and operating system
- Pages visited within our dashboard and marketing site
- Feature usage, click patterns, and session duration
- Referral source and UTM parameters
- Device type and screen resolution
2.3 Analytics Data (processed on your behalf)
When you install the Conseto SDK on your website, we process the following data from your website visitors as your data processor:
- Pseudonymous visitor identifiers (session and visitor tokens)
- Page views, custom events, and e-commerce events
- Consent preferences and consent banner interactions
- IP addresses (can be configured for anonymization)
- User agent, device, browser, and screen information
- Referral source, UTM parameters, and landing pages
- Scroll depth, time on page, file downloads, outbound clicks
- Core Web Vitals (LCP, FID, CLS) performance metrics
We do not use this visitor data for our own purposes. It is processed solely to provide the analytics Services to you.
2.4 Cookie and Consent Data
Through our consent management features, we process consent records including timestamp, consent choices, consent banner configuration, and browser information at the time of consent. This data serves as your compliance record.
2.5 AI Processing Data
When you use our AI-powered features (insights, anomaly detection, audit recommendations), anonymized and aggregated analytics data may be sent to our AI sub-processor (Anthropic Claude API) for processing. We never send personally identifiable visitor data to AI services.
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
| Legal Basis | Processing Activity |
|---|---|
| Contract Performance Art. 6(1)(b) | Account creation, service delivery, billing, support, API access |
| Consent Art. 6(1)(a) | Marketing emails, non-essential cookies on conseto.io, newsletter |
| Legitimate Interest Art. 6(1)(f) | Product improvement, security monitoring, fraud prevention, aggregate analytics of our own platform |
| Legal Obligation Art. 6(1)(c) | Tax records, regulatory compliance, responding to legal requests |
Where consent is the legal basis, you can withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
4. How We Use Your Data
- Service Delivery: To provide, operate, maintain, and improve the Conseto platform, dashboard, APIs, and SDK
- Account Management: To create and manage your account, authenticate access, and process payments
- Communications: To send service updates, security alerts, billing notifications, and support responses
- Product Improvement: To understand how customers use our platform, identify bugs, and prioritize features (using aggregated, anonymized data)
- Security: To detect and prevent fraud, abuse, and unauthorized access to the Services
- Compliance: To comply with legal obligations, respond to legal requests, and enforce our Terms
- Marketing: With your consent, to send product announcements, newsletters, and promotional content. You can unsubscribe at any time
- AI Insights: To power AI-driven features using anonymized, aggregated data (never raw PII)
We do not sell your personal data to third parties. We do not use your analytics data (visitor data) for our own advertising or profiling purposes.
5. Data Sharing and Sub-processors
We share personal data only with the following categories of recipients, each bound by data processing agreements:
5.1 Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting, database, and Redis hosting | EU (Frankfurt) |
| Anthropic (Claude API) | AI-powered insights and audit recommendations (anonymized data only) | US (SCCs in place) |
| Amazon Web Services (SES) | Transactional email delivery (verification, password reset, notifications) | EU (Ireland) |
| Revolut Business | Payment processing | EU (Lithuania) |
| Cloudflare | CDN, DDoS protection, and DNS | Global (EU processing) |
5.2 Other Disclosures
We may disclose personal data when required by law, to respond to valid legal process (subpoena, court order), to protect the rights and safety of Conseto or others, or in connection with a merger, acquisition, or sale of assets (with advance notice where feasible).
6. International Data Transfers
Our primary infrastructure is located in the European Union (Frankfurt, Germany via Railway). Your account data and analytics data are stored within the EU.
Where data transfers outside the EEA are necessary (e.g., Anthropic Claude API in the US), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914)
- Transfer Impact Assessments where required
- Data minimization and anonymization before transfer (AI features use aggregated data only)
- Adequacy decisions where applicable
You may request a copy of the relevant safeguards by contacting privacy@conseto.io.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 90 days after deletion |
| Analytics data (Free plan) | 30 days rolling |
| Analytics data (Starter plan) | 90 days rolling |
| Analytics data (Business plan) | 365 days rolling |
| Analytics data (Enterprise plan) | Unlimited (as agreed in contract) |
| Consent records | Duration of account + 3 years (compliance requirement) |
| Billing records | 10 years (Czech tax law requirement) |
| Security scan results | Duration of account + 30 days |
| Server logs | 90 days |
Upon account deletion, we delete all personal data from active systems within 90 days and from backup systems according to our regular backup rotation schedule, except where retention is required by law (e.g., tax records).
8. Your Rights
Under GDPR and applicable law, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you, including the purposes of processing and categories of data
- Right to Rectification (Art. 16): Request correction of inaccurate personal data or completion of incomplete data. You can also update most information directly in your account settings
- Right to Erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing. You can delete your account from the dashboard settings
- Right to Restriction (Art. 18): Request that we limit the processing of your data while a complaint or dispute is resolved
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV). Data export is available in your dashboard
- Right to Object (Art. 21): Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds
- Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority. In the Czech Republic, this is the Úřad pro ochranu osobních údajů (UOOU) at uoou.cz
To exercise any of these rights, contact our Data Protection Officer at privacy@conseto.io. We will respond within 30 days. We may request identity verification before processing your request to protect your data from unauthorized access.
10. Children's Privacy
The Services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@conseto.io.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:
- Notify you via email at least 30 days before the changes take effect
- Post a prominent notice in the dashboard
- Update the "Effective" date at the top of this page
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of changes constitutes acceptance.
12. Contact Our Data Protection Officer
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices, please contact us:
Data Protection Officer
You also have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů) or the supervisory authority in your country of residence.