Privacy Policy
Last updated: July 14, 2025
Data Controller:
Blue Lime s.r.o. (trading as ContentPillow.agency), a private limited company incorporated under the laws of Slovakia (company number …), with its registered office at Vysoká 4277/12, 811 06 Bratislava, Slovakia. Our Data Protection Officer (DPO) can be reached at [email protected].
Overview of Processing Activities
This Privacy Policy (“Policy”) provides an exhaustive description of the personal data practices of ContentPillow.agency across all operations, products, and services offered worldwide. This Policy has been drafted by external legal counsel specializing in data protection to ensure full compliance with the EU General Data Protection Regulation (GDPR), the Slovak Data Protection Act, and relevant guidance issued by the European Data Protection Board (EDPB). It explains the categories of personal data collected; the legal bases and specific purposes for data processing; the third-party service providers with whom personal data is shared under binding Data Processing Agreements (DPAs); the precise retention periods and secure deletion methods applied; the technical and organizational security measures implemented; the procedure for conducting Data Protection Impact Assessments (DPIAs) and embedding Privacy by Design/Default; detailed data subject rights and the procedures to exercise them; supervisory authority contacts; breach notification protocols including timelines and content; and measures to address international data transfers and cross-border data flows.
1. Definitions
For the purposes of this Policy, the following terms shall have the meanings set forth below:
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”).
- “Processing” means any operation performed on personal data, whether or not by automated means, including collection, storage, retrieval, dissemination, or erasure.
- “Controller” means the entity that determines the purposes and means of processing personal data: Blue Lime s.r.o.
- “Processor” means any third party that processes personal data on behalf of the Controller under a DPA.
- “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and Council.
2. Personal Data Categories and Processing Purposes
2.1 Account Registration and Profile Management
When you choose to create an account on ContentPillow.agency, we collect the following categories of data:
- Identity Data: first and last name, title, date of birth (optional), and any other identifiers you voluntarily provide.
- Contact Data: email address, telephone number, billing and shipping addresses.
- Credential Data: username and password hashed using bcrypt.
- Preference Data: language preferences, marketing communications opt-ins, and other custom settings.
The above data are processed to enable:
- Secure authentication and account access (Article 6(1)(b) GDPR — contract performance).
- Account management and profile configuration, including password recovery and two-factor authentication.
- Delivery of personalized content and user interface customization.
We retain profile data for the duration of your active account plus two years of inactivity following account deletion, after which data is irrevocably erased.
2.2 E-commerce Transactions and Payment Data
Our WooCommerce-powered platform processes orders for copywriting services. We collect the following:
- Order Data: product/service details, quantities, pricing, transactional timestamps, order statuses (pending, processing, completed, refunded).
- Financial Data: invoicing records, tax identification numbers (where applicable), and transaction metadata.
- Payment Instruments: payment tokens and transaction references provided by Stripe, Inc.
Stripe acts as our payment gateway processor. All payment data is tokenized by Stripe’s PCI DSS-compliant systems, ensuring no raw credit card numbers are stored on our infrastructure. We retain order and payment transaction data to:
- Fulfill purchase contracts (Article 6(1)(b) GDPR).
- Process refunds, chargebacks, and financial reconciliations.
- Comply with Slovak and EU accounting and tax laws (Article 6(1)(c) GDPR), which require a seven‑year retention period.
2.3 Technical, Usage, and Tracking Data
To ensure optimal performance, detect security threats, and perform ongoing improvements, we collect:
- Server Logs: IP addresses, request timestamps, HTTP headers, referral URLs, and error logs maintained by Contabo’s VPS.
- Device and Browser Metadata: user-agent strings, screen resolution, operating system type, and browser version.
- Session Information: session identifiers, session duration, and logged events such as login/logout times.
- Cookie Data: as per our Complianz-managed categories.
The processing of these data is justified by our legitimate interests (Article 6(1)(f) GDPR): to maintain service availability, safeguard against unauthorized access, identify performance bottlenecks, and enable forensic investigation in the event of incidents. We undertake periodic reviews to ensure that such processing remains proportionate to the intended security and performance goals.
2.4 Cookie Deployment and Consent
In alignment with Recital 32 GDPR and the ePrivacy Directive, we use a granular cookie consent mechanism implemented via the Complianz plugin. Cookie categories include:
- Essential Cookies: strictly necessary for session management, shopping cart functionality, and secure login.
- Functional Cookies: retain user-selected preferences such as language, display settings, and form inputs.
- Performance Cookies: Google Analytics cookies capturing anonymized metrics to inform UX improvements and traffic analysis.
- Marketing Cookies: Meta Pixel and third‑party tracking for ad conversion measurement, remarketing, and audience building.
Marketing and performance cookies are only activated following explicit opt-in consent (Article 6(1)(a) GDPR). Consent records include timestamps and consent scope, stored securely for two years.
2.5 Profiling and Automated Decision-Making
We apply non-invasive profiling to generate personalized service suggestions based on purchase history and site interactions. These processes do not result in fully automated decisions with legal or similarly significant effects under Article 22 GDPR. You may opt out of profiling at any time via our cookie settings or by contacting [email protected].
2.6 Marketing Communications
With your consent, we send newsletters, promotional offers, and service updates via email. Each email includes an unsubscribe link, enabling you to withdraw consent effortlessly. We use Mailchimp under a DPA for bulk email delivery and tracking, ensuring compliance with GDPR and the CAN-SPAM Act for worldwide recipients.
2.7 Customer Support Interactions
When you submit inquiries via contact forms, live chat, or email, we log:
- Your name and email.
- Subject and content of your inquiry.
- Support ticket status and resolution details.
This data is retained to fulfill our service obligations, track case history, and ensure high-quality support, processed under contract performance (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR), with retention for as long as your support case remains active plus one year.
3. Legal Basis, DPIAs, and Privacy by Design
In accordance with Articles 5 and 25 GDPR, we employ Privacy by Design and Default principles in all new projects, ensuring that only the minimal personal data necessary for each specified purpose is collected. Before launching any new high‑risk processing activity—such as extensive behavioral analytics or cross-system data sharing—we conduct Data Protection Impact Assessments (DPIAs) per Article 35 GDPR to identify and mitigate potential privacy risks. Our legal bases for processing include:
- Contractual necessity (Article 6(1)(b) GDPR) for account and transaction processing.
- Legal obligations (Article 6(1)(c) GDPR) for compliance with tax, accounting, and statutory recordkeeping.
- Consent (Article 6(1)(a) GDPR) for cookies, marketing, and profiling activities.
- Legitimate interests (Article 6(1)(f) GDPR) for security monitoring, fraud prevention, and service improvement, balanced against user rights.
4. Third-Party Processors and International Transfers
We partner exclusively with processors who have executed GDPR‑compliant DPAs:
- Stripe, Inc. for payment processing (https://stripe.com/privacy).
- Contabo GmbH for EU-based VPS hosting and encrypted backups.
- Mailchimp for email marketing (https://mailchimp.com/legal/privacy/).
- Google Analytics for traffic analysis (https://policies.google.com/privacy).
- Meta Platforms, Inc. for marketing pixels (https://www.facebook.com/privacy/explanation).
Transfers of personal data outside the EEA, if any, are safeguarded by Standard Contractual Clauses approved by the European Commission, ensuring GDPR‑equivalent protections in partner jurisdictions.
5. Data Retention, Secure Deletion, and RoPA
Adhering to Article 5(1)(e) GDPR on storage limitation, we apply the following retention schedule:
- Account/profile data: until account deletion + 2 years.
- Transactional and payment data: 7 years (tax law).
- Support case logs: active case + 1 year.
- Security logs (WP Activity Log): 90 days, then anonymized.
- Performance analytics: 1 year, then overwritten.
- Consent records: 2 years or until withdrawal.
Data exceeding these periods is securely deleted using industry-standard erasure techniques (e.g., NIST 800‑88) or irreversibly anonymized. We maintain a Record of Processing Activities (RoPA) per Article 30 GDPR, documenting all processing operations, categories of data, purposes, recipients, and retention periods.
6. Security Measures and Breach Response
We implement a defense‑in‑depth strategy with measures including:
- End-to-end encryption: TLS 1.2+ for data in transit.
- Data-at-rest encryption: AES-256 for databases and backups.
- Network and application firewalls, intrusion detection systems.
- Role-based access control and mandatory two-factor authentication for administrative users.
- Regular vulnerability assessments and penetration testing.
In the event of a data breach, we will:
- Activate incident response procedures to contain and investigate the breach.
- Notify the Slovak Data Protection Authority (Úrad na ochranu osobných údajov) within 72 hours, as required by Article 33 GDPR.
- Inform affected data subjects without undue delay where there is a high risk to their rights and freedoms (Article 34 GDPR).
- Document the nature, scope, and remedial actions taken, retaining this record for accountability.
7. Rights of Data Subjects and Complaint Procedures
Under Chapters 3 and 4 of the GDPR, data subjects have the rights to:
- Access their personal data and obtain a copy (Article 15).
- Rectify inaccurate or incomplete data (Article 16).
- Erase data (“right to be forgotten”) where no overriding legal grounds exist (Article 17).
- Restrict processing (Article 18).
- Object to processing based on legitimate interests or direct marketing (Article 21).
- Receive their data in a structured, commonly used, machine-readable format (data portability, Article 20).
- Withdraw consent at any time (Article 7(3)).
To exercise any of these rights or lodge a complaint, please contact our Data Protection Officer at [email protected]. We will acknowledge receipt within seven days and provide a substantive response within one month, extendable by up to two further months for complex requests. If unsatisfied, you may lodge a complaint with the supervisory authority: Úrad na ochranu osobných údajov (dataprotection.gov.sk).
8. Special Provisions for Minors
Our services are expressly limited to individuals aged 18 or older. We do not knowingly collect personal data from minors under 18. Should we become aware that we have inadvertently collected data from a minor, we will take immediate steps to verify parental consent or remove the data entirely.
9. International Data Protection Frameworks
For recipients outside the EEA, we adhere to appropriate safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Binding Corporate Rules (where applicable within our corporate group).
- Additional encryption and pseudonymization where required.
10. Do-Not-Track Signals and Cookie Preferences
Browser-based Do-Not-Track signals are not programmatically recognized due to the lack of an industry standard. Instead, users may manage cookie preferences via the Complianz interface in our Cookie Policy to selectively enable or disable performance and marketing cookies.
11. Policy Amendments
This Privacy Policy may be updated to reflect changes in law, technology, or business practices. Significant amendments will be communicated via email to all registered users and highlighted on our website. The revised “Last updated” date will signal the newest version. Continued use of our services after such notifications constitutes acceptance of the changes.
Contact Information
Data Protection Officer: [email protected]
General Inquiries: [email protected]
Supervisory Authority: Úrad na ochranu osobných údajov (dataprotection.gov.sk)
Company Address:
Blue Lime s.r.o.
Vysoká 4277/12,
811 06 Bratislava, Slovakia