Privacy Policy
LAST UPDATED · May 26, 2026
This policy explains how unflagdomain.com processes personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR") and Slovak Act 18/2018 Z. z. on personal data protection. We try to keep it plain and accurate: if anything is unclear, email [email protected].
1. Data controller
The data controller is HUBtech s. r. o., Werferova 3782/6, 040 11 Košice - mestská časť Juh, Slovakia, IČO 56 882 815. Privacy contact: [email protected]. We have not formally designated a Data Protection Officer; the privacy contact above handles all GDPR enquiries.
2. What we collect, why, and on what legal basis
We only collect what we need to provide the service. For each category below, "why" is the purpose and "basis" is the GDPR Article 6(1) lawful basis.
- The domain you submit + the cleanup description you write. Why: to generate per-vendor removal emails and send them. Basis: performance of a contract (Art. 6(1)(b)).
- Your email address. Why: to create your account, send the dashboard magic link, set the reply-to header on outgoing vendor emails, and notify you of status changes. Basis: performance of a contract (Art. 6(1)(b)).
- Payment details. Card numbers are handled by Stripe; we receive only a customer ID, the amount, and the transaction status. Why: to charge you and to fulfil invoicing/accounting obligations. Basis: performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax/accounting records.
- IP address and request metadata; basic usage analytics. Why: to protect the service from abuse (rate-limiting, fraud detection) and to understand which flows convert. Basis: legitimate interest (Art. 6(1)(f)) for security and integrity; your consent (Art. 6(1)(a)) for non-essential analytics.
- Error / crash logs. Why: to find and fix bugs. Basis: legitimate interest (Art. 6(1)(f)); collected only if you opt in to the error-tracking cookie category.
- "Notify me" email (clean-domain leads). Why: to email you if your domain later appears on a blocklist, if you opt in. Basis: consent (Art. 6(1)(a)); you can unsubscribe at any time.
We do not knowingly process special-category data (Art. 9). Please don't put sensitive personal information in the cleanup description.
3. Automated processing (AI-generated emails)
We use an AI model (OpenAI, L.L.C., model gpt-5.4-nano) to draft each removal email from your cleanup description. This is automated processing, but it is not automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR: a human-meaningful choice (whether to dispatch) has already been made by you when you paid, and the AI's output is a formatted email, not a decision about you. OpenAI, L.L.C. processes your description as our sub-processor and does not use it to train its models (see section 4).
4. Who we share data with (processors and recipients)
We share data only with the parties below, each acting as our processor under a written data processing agreement (GDPR Art. 28), except where noted as an independent controller / recipient.
| Recipient | Role | Region | What for |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Processor | EU (Ireland), with US transfers | Card payment, invoicing, fraud prevention |
| Supabase, Inc. | Processor | EU (Frankfurt) | Database and account authentication |
| Resend, Inc. | Processor | US | Sending the removal emails and our transactional emails |
| OpenAI, L.L.C. | Processor | US | Generating per-vendor email text from your cleanup description |
| Hetzner Online GmbH | Processor | EU (Germany / Finland) | Server hosting |
| Cloudflare, Inc. | Processor | Global edge; US headquarters | DNS, CDN, DDoS protection, TLS termination |
| Sentry (Functional Software, Inc.) | Processor | EU region | Error tracking (only with your consent) |
| PostHog Inc. | Processor | EU region | Product analytics (only with your consent) |
| Security vendors you ask us to email | Independent recipients | Various | Recipients of the removal emails; their use of your data is governed by their own policies |
| VirusTotal, Sucuri, Google Safe Browsing, URLVoid, etc. | Independent recipients | Various | We send only the domain name (no personal data) to query blocklists |
5. International transfers
Some recipients are based outside the European Economic Area — mainly in the United States (Stripe, Resend, OpenAI, L.L.C., Cloudflare, PostHog). Transfers to these recipients rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or, where the recipient is certified, the EU–US Data Privacy Framework. Supplementary technical measures (encryption in transit and at rest) apply in all cases.
6. How long we keep your data
- Account & domain records (incl. cleanup description, dispatch logs): for the life of your account, then deleted within 90 days of account closure, unless we have a legal obligation to keep them longer (e.g. accounting). You can request deletion at any time.
- Payment records and tax invoices: 10 years (Slovak Accounting Act 431/2002 Z. z. § 35).
- Security and rate-limiting logs: up to 90 days.
- Error logs (Sentry): 90 days.
- Analytics (PostHog): aggregated for up to 12 months; per-event records pruned earlier.
- "Notify me" leads: until you unsubscribe or until 24 months of inactivity.
7. Cookies and similar technologies
We use three categories of cookies / local storage. You can change your choice any time via "Cookie settings" in the footer.
- Essential (always on): sign-in session, checkout session, CSRF protection. Without these the service cannot function. Legal basis: Art. 6(1)(b) (contract); the ePrivacy strict-necessity exemption applies.
- Analytics (off by default): PostHog aggregate usage. Loaded only with your consent.
- Error tracking (off by default): Sentry crash reports. Loaded only with your consent.
8. Security
We apply the technical and organisational measures required by GDPR Art. 32: TLS in transit, encryption of data at rest at the hosting provider, least-privilege access, audited service-role credentials, idempotent payment processing, and a separation between read paths (row-level security per signed-in user) and write paths (service role behind verified webhooks). No system is perfectly secure; if a breach affects you we will notify you and the supervisory authority in line with Articles 33–34.
9. Your rights
Under the GDPR you have the right to: access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), and object to (Art. 21) processing of your personal data; and to withdraw consent at any time (Art. 7(3)) without affecting the lawfulness of earlier processing.
Email [email protected] to exercise any of these. We will respond within one month (Art. 12(3)), extendable by two further months for complex requests (we will tell you if so).
You also have the right to lodge a complaint with a supervisory authority. In Slovakia that is the Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, Slovakia — see https://dataprotection.gov.sk/.
10. Children
The service is not intended for individuals under 18 and we do not knowingly collect their data. If you believe we have, contact [email protected] and we will delete the data.
11. Changes to this policy
We may update this policy as the service evolves. The "last updated" date at the top reflects the current version. Material changes affecting how we process your data will be notified by email to active users.