Privacy Policy & Security

Last updated: September 4, 2025

Who We Are (Controller)

The data controller is Crafting Chaos, a Malta-based site operator. We will update this section with our registered company details once incorporation is complete. For all privacy enquiries, contact [email protected].

Data Collection & Use

We collect and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable laws. We collect:

  • Contact Information: Name and email address (and optionally company and role) when you request early access or contact us via our website form.
  • Usage Data: Interactions with our website (e.g., pages visited, buttons clicked) to improve functionality and user experience.
  • Technical Data: IP address, browser, and device information for security and performance monitoring.

We use Contact Information to respond to your enquiries, assess interest in our products, provide updates on new releases, and—if you ask us to—arrange calls. Usage and Technical Data help us maintain, secure, and optimize our services. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

Legal Basis for Processing

  • Consent: When you expressly agree (via a separate, unticked checkbox) to receive product updates and marketing emails.
  • Legitimate Interests: To operate, secure, and improve our services in ways that are expected and do not override your rights and freedoms.
  • Legal Obligation: To comply with applicable laws (e.g., record-keeping or responding to lawful requests).

Marketing Consent

We send product updates and marketing emails only with your explicit consent, collected via a separate unticked checkbox on our forms. We keep a record of consent (timestamp, IP, and form version/text). You can withdraw consent at any time via the unsubscribe link in any marketing email or by contacting us. If you unsubscribe, we will suppress your address from marketing within 48 hours.

Data Security

Security Measures

  • Encryption: Personal data is protected in transit (TLS) and at rest where supported by our providers.
  • Access Controls: Role-based access and multi-factor authentication so only authorized personnel can access data on a need-to-know basis.
  • Hosting Location: Our core processors are located in the EU: Xano (current region: Paris, France) and Brevo (EU-hosted). See “International Transfers”.
  • Regular Assessments: Periodic security reviews and vulnerability remediation.

Data Sharing

We do not sell, trade, or rent your personal data. We share data only as follows:

  • Service Providers: Trusted processors that help us operate our services:
  • Legal Requirements: To comply with a legal obligation or lawful request.
  • Business Transfers: If we undergo a reorganization, merger, or acquisition; we will provide notice and ensure your data remains protected.

Your Rights Under GDPR

You can exercise these rights at any time (see “Contact” below). We respond without undue delay and, in any case, within one month of receipt. Where requests are complex or numerous, we may extend by up to two further months, and we will notify you within the first month.

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion where there is no compelling reason for continued processing.

Right to Restrict Processing

Ask us to pause processing in certain circumstances.

Right to Object

Object when our basis is legitimate interests.

Right to Data Portability

Receive your data in a common, machine-readable format.

Withdraw Consent: Where we rely on consent (e.g., marketing emails), you may withdraw at any time via the unsubscribe link in any message or by contacting us. We will suppress your email from marketing within 48 hours.

Data Retention

We retain personal data only as long as necessary. Contact and enquiry data is retained for up to 2 years from your last interaction with us, unless you request deletion sooner. This retention period allows us to evaluate ongoing interest in our products and follow up appropriately, while ensuring we do not keep data longer than needed. If you become a customer, we may retain relevant data for the duration of the relationship and for periods required by law. Technical logs and analytics are kept for shorter periods and are anonymized or deleted when no longer needed.

Cookies & Tracking

Our website uses cookies and similar technologies. Non-essential cookies (e.g., analytics) are used only with your consent, which you can manage via our cookie banner. We set one essential cookie to remember your analytics preference so that we respect your choice on future visits.

  • Cookie: lr_cookie_consent
  • Purpose: Stores whether you consented to analytics (true/false) and a timestamp. Does not track you across sites.
  • Type: Essential (strictly necessary)
  • Duration: 6 months

If you consent, we load analytics only after your choice and implement IP truncation/pseudonymisation where available. You can change your preference at any time via the cookie banner (reopen from the site footer) or by clearing cookies in your browser; some features may be affected if cookies are disabled.

International Transfers

We primarily store and process personal data within the European Union/European Economic Area (EU/EEA). If a transfer outside the EEA is necessary (for example, due to a provider’s sub-processor or specific technical routing), we implement GDPR-required safeguards, such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs). You can request details of these safeguards by contacting us.

Contact & Privacy Lead

For questions, concerns, or requests regarding your personal data, please contact us.

  • Email: [email protected]
  • Privacy Lead: Designated privacy contact (no formal DPO appointed). Reachable via the email above.
  • Response Time: We respond to data-subject requests without undue delay and within one month of receipt, per GDPR Art. 12. If needed due to complexity or volume, we may extend by up to two months and will notify you within the first month.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

  • Authority: Information and Data Protection Commissioner (IDPC), Malta
  • Website: https://idpc.org.mt/
  • Telephone: +356 2328 7100

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant updates, we will notify you by email or by posting a notice on our website.