PartnersServicesPackages
Industries
eCommerceStartup & Tech
Case studiesAboutContactsBook free consultation
Book free consultation
Craft Policy Black Logo

Privacy Policy

Section I - Introduction

This Privacy Policy explains how we collect, use, and protect your data when you visit our website and use our services. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This policy applies to information we collect when you:

  1. Visit our website
  2. Fill out our contact form
  3. Fill out our form for Audit 
  4. Subscribe to our newsletter
  5. Communicate with us by email, phone, or other means

We take your privacy seriously. Please read this Privacy Policy carefully to understand our data-management practices. By using our website and services, you acknowledge that you have read and understood this Policy.

This Privacy Policy was last updated on March 17, 2025. We may occasionally update this policy; any changes will be posted on this page with a revised effective date.

Section II - General information 

Art. 1 This website is managed and administered by:

Name: Ad Tech International Ltd 

Company Number: 205745480
VAT Number: 205745480

Headquarters: Bulgaria, Sofia, 11 Arsenalski Blvd, fl.7

Address for correspondence:  Bulgaria, Sofia, 11 Arsenalski Blvd, fl.7

Phone: +359 877 732 087

Email Address: office@craftpolicy.com

Section III - Glossary of Terms

Art. 2 All of the following terms shall be interpreted as follows:

  1. Personal Data - Any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  2. Processing - Any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  3. Data Controller - The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  4. Data Processor - A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  5. Consent - Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.
  6. Data Subject - An identified or identifiable natural person to whom personal data relates.
  7. Legitimate Interest - A lawful basis for processing personal data where the processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
  8. Supervisory Authority - An independent public authority established by a Member State according to Article 51 of the GDPR, responsible for monitoring the application of the GDPR.
  9. Data Breach - A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  10. Cookies - Small text files placed on your computer by websites you visit. They are widely used to make websites work more efficiently and to provide information to the website owners.

Section IV -  Information We Collect

Art. 3 (1) We collect and process personal data that you provide directly to us when you interact with our website, fill out our contact form, or subscribe to our newsletter.

(2) The categories of personal data we collect and process are limited to what is necessary for the purposes for which they are processed, following the principle of data minimization. When you use our contact form, we collect:

  1. First name
  2. Last name
  3. Email address
  4. Phone number
  5. The content of your message
  6. Date and time of submission

Art. 4 (1) We also automatically collect certain technical information when you visit our website through cookies and similar technologies.

(2) We collect this technical information on the legal basis of our legitimate interests in ensuring the proper functioning and security of our website and improving our services.

(3) Technical information we collect includes - IP address (in anonymized form), browser type and version, operating system, date and time of access, websites from which you access our site (referrer), pages you visit on our website, time spent on those pages

Art. 5 (1) When you subscribe to our newsletter, we collect your email address and, optionally, your name.

(2) We process this information based on your consent, which you provide by checking the relevant box on our newsletter subscription form.

Art. 6 (1) We do not collect or process special categories of personal data (such as information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic or biometric data) unless you voluntarily provide such information.

(2) If you inadvertently or intentionally submit such information to us, we will treat it as sensitive personal data and process it only according to applicable laws.

Art. 7 (1) We take appropriate measures to ensure that the personal data we collect is accurate, complete, and, where necessary, updated.

(2) You may update your personal information anytime by contacting us using the details provided in the "How to Contact Us" section of this policy.

Section V - How We Use Your Information

Art. 8 (1) We use your data only for specific, explicit, and legitimate purposes directly connected to our services, and we do not further process your data in a manner incompatible with those purposes.

(2) Each processing activity is tied to a specific purpose, ensuring transparency and accountability in our data processing practices.

(3) We use the personal data collected through our contact form for the following purposes:

  1. To respond to your inquiries and communicate with you;
  2. To provide information about our products or services that you have requested;
  3. To maintain records of our communications;
  4. To improve our customer service;
  5. To fulfill our contractual obligations to you, if applicable;
  6. To comply with legal obligations

Art. 9 (1) Personal data collected when you subscribe to our newsletter is explicitly used to send you our newsletter, which contains information, updates, and promotional content about our products, services, and relevant industry news.

(2) Each newsletter we send contains an unsubscribe link, allowing you to withdraw your consent at any time with immediate effect.

Art. 10 (1) The technical information we collect automatically through cookies and similar technologies is used for the following specific purposes:

(2) These uses are limited to what is necessary to properly function our website and services.

(3) Technical data is used for:

  1. Ensuring the proper functioning and security of our website;
  2. Understanding how visitors use our website to improve user experience;
  3. Diagnosing server and website technical problems;
  4. Analyzing website traffic patterns;
  5. Protecting against fraudulent activity;
  6. Maintaining the stability of our systems

Art. 11 (1) We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.

(2) All critical decisions that affect you involve human decision-making and consideration.

Art. 12 (1) We will not process your data for new purposes incompatible with the original purpose for which the data was collected without obtaining your consent unless such processing is required or permitted by law.

(2) Before using your data for a purpose other than that it was initially collected, we will provide you with information on that other purpose and all relevant further information as referred to in this Privacy Policy.

Section VI - Legal Basis for Processing

Art. 13 (1) We process your data only with a valid legal basis under applicable data protection laws, particularly the General Data Protection Regulation (GDPR).

(2) we have identified and documented the appropriate legal basis for each processing activity, ensuring lawful processing at all times. We rely on the following legal bases for processing your data:

  1. Consent (Article 6(1)(a) GDPR)
  2. Performance of a contract (Article 6(1)(b) GDPR)
  3. Compliance with a legal obligation (Article 6(1)(c) GDPR)
  4. Legitimate interests (Article 6(1)(f) GDPR)

Art. 14 (1) When we process your data based on your consent, we ensure that such consent is freely given, specific, informed, and unambiguous.

(2) You have the right to withdraw your consent at any time, and we make this process as easy as giving consent initially. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

1. We process the following data based on your consent: a. Your email address and name for sending newsletters b. Cookie data beyond what is strictly necessary for website functionality c. Any additional personal information you voluntarily provide beyond what is required

Art. 15 (1) We process your data for the performance of a contract when the processing is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

(2) This legal basis applies primarily to information provided through our contact form when it is related to a potential or existing contractual relationship.

Art. 16 (1) We process our data to comply with legal obligations when we are required to do so by EU law or the law of an EU Member State to which we are subject.

(2) This includes but is not limited to, obligations relating to tax, accounting, anti-fraud measures, and responses to legitimate requests from public authorities.

Art. 17 (1) We process your data based on our legitimate interests only after conducting a careful balancing test to ensure that your interests, fundamental rights, or freedoms do not override these interests.

(2) We have documented our legitimate interest assessments and implemented appropriate safeguards to protect your rights.

(3) Our legitimate interests include:

  1. Improving and optimizing our website's performance and user experience;
  2. Ensuring the security of our website and IT systems;
  3. Managing our business operations efficiently;
  4. Responding to non-contractual inquiries;
  5. Maintaining records of communications;
  6. Analyzing usage patterns to improve our services

Art. 18 (1) For each legitimate interest identified, we have conducted a balancing test weighing our interests against your rights and freedoms, taking into account:

(2) Tic measures implemented to safeguard your rights are proportionate to the risks and reflect our commitment to data protection by design and default.

(3) Our balancing test considers the following: 

  1. The nature and context of the processing;
  2. The type of data processed;
  3. The reasonable expectations of data subjects;
  4. The potential impact on individuals;
  5. The safeguards implemented to minimize any adverse effect;
  6. The options available for data subjects to control processing;

Section VII Data Retention

Art. 19  (1) We retain your data only for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal requirements.

(2) When determining appropriate retention periods, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means, as well as applicable legal requirements.

(3) We regularly review our retention periods to ensure they remain appropriate and proportionate based on legal requirements, industry best practices, collection purposes, data sensitivity, and potential risks to data subjects.

Art. 20 (1) Contact Form Information is retained for three (3) years from your last interaction with us, including:

  1. Identity Data (first name, last name);
  2. Contact Data (email address, phone number); and
  3. Records of our correspondence regarding your inquiries.

(2) Newsletter Subscription Data is retained as follows:

  1.  Subscription Information (email address, name) is kept for 1 month after unsubscription to allow for reinstatement upon request.
  2. Engagement Data (open rates, click statistics) is retained in personally identifiable form for six (6) months and in aggregate, anonymized form for two (2) years.

(3) Website Usage Data is retained according to the following schedule:

  1. Technical Data (IP address, browser type) is kept for ninety (90) days;
  2. Cookie Data is retained according to our Cookie Policy, with most cookies expiring after your session ends or within 3 months;
  3. Aggregate Analytics Data is retained for two (2) years in anonymized form;

(4) Legal and Compliance Data is retained as follows:

  1. Consent Records are maintained for your use of our services plus three (3) years thereafter;
  2. Data Processing Objections are maintained for five (5) years from the objection date;

Art. 21Unless otherwise specified, the retention period begins:

  1. For contact form data: From the date of your last interaction with us;
  2. For newsletter data: From the date of unsubscription (if applicable);
  3. For technical data: From the date of collection;
  4. For consent records: From the date consent is withdrawn or updated.

Art. 22 (1) When personal data reaches the end of its retention period, we will take one of the following actions: a) Securely delete the data from our systems; b) Anonymize the data so it can no longer be associated with you; or c) In cases where complete deletion is technically tricky, put the data beyond use and implement technical safeguards to prevent further processing.

(2) We may extend retention periods in specific circumstances, such as in the event of legal claims or compliance investigations, where we need to preserve data for evidentiary purposes.

Art. 23 (1) You have the right to request deletion of your personal data before the standard retention period expires, subject to any legal basis we may have for continued processing.

(2) Requests for early deletion should be directed to our Data Protection Officer using the contact details provided in this privacy policy's "Your Rights and Choices" section

Section VIII - Data Security

Art. 24 (1) We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

(2) Our security measures are designed to provide a level of security appropriate to the risk, taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

(3) We regularly test, assess, and evaluate the effectiveness of our security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Art. 25 (1) We implement the following technical security measures:

  1. Encryption of personal data in transit using TLS 1.2 or higher;
  2. Encryption of personal data at rest using AES-256 encryption standards;
  3. Access controls, including multi-factor authentication for system administrators;
  4. Firewalls, intrusion detection systems, and network monitoring;
  5. Regular security patching of all systems and applications and
  6. Regular backup procedures with encryption of backup media.

(2) Our IT infrastructure undergoes regular vulnerability scanning and penetration testing to identify and address potential security weaknesses.

(3) We utilize secure development practices for our websites and applications, including code reviews and security testing before deployment.

Art. 26 (1) We implement the following organizational security measures:

  1. Role-based access control with the principle of least privilege;
  2. Staff training on data protection and information security;
  3. Background checks for employees with access to personal data;
  4. Confidentiality obligations in employment contracts;
  5. Formal policies and procedures for information security; and
  6. Regular security awareness training for all staff.

(2) We maintain an incident response plan to promptly detect, report, and investigate personal data breaches.

(3) We periodically review our security policies, procedures, and measures to ensure they remain appropriate and effective.

Art. 27 (1) We ensure that third-party service providers who process personal data on our behalf implement appropriate security measures through: a) Contractual requirements, including data processing agreements with security provisions; b) Security assessment of third-party providers before engagement; and c) Periodic review of third-party security practices.

(2) We restrict third-party access to personal data to what is necessary to provide the contracted services and require them to process the data only according to our instructions.

Art. 28 (1) In the event of a personal data breach that may pose a risk to your rights and freedoms, we will: a) Notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; b) Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms; and c) Document all breaches, including facts, effects, and remedial actions taken.

(2) Our breach notification to affected data subjects will include: a) A description of the nature of the breach; b) The name and contact details of our Data Protection Officer or another contact point; c) A description of the likely consequences of the breach; and d) A description of the measures taken or proposed to address the breach and mitigate possible adverse effects.

(3) We maintain internal breach notification procedures to ensure all staff know how to identify and escalate a suspected data breach.

Art. 29 (1) We conduct regular security assessments, including a) Data protection impact assessments for high-risk processing activities, b) Regular internal audits of our security measures, and c) Periodic reviews of industry standards and best practices.

(2) We maintain a security improvement program that addresses identified vulnerabilities and implements enhanced security controls in response to evolving threats and risks.

I'll draft a comprehensive "Your Privacy Rights" section starting from Article 30, maintaining the same structured format while ensuring it addresses all the key rights under GDPR.

Section XI - Your Privacy Rights

Art. 30 - General Provisions on Data Subject Rights

(1) As a data subject, you have specific rights regarding processing your personal data, as outlined in Articles 31-37 of this Privacy Policy.

(2) We are committed to facilitating your rights exercise and will respond to all legitimate requests without undue delay, and in any event, within one month of receipt of your request.

(3) We may extend this period by up to two additional months where necessary, considering the complexity and number of requests. If we extend the response period, we will inform you within the first month and explain the reasons for the delay.

Art. 31 - Right of Access

(1) You have the right to confirm whether we process your data and, where that is the case, to request access to that personal data.

(2) Upon request, we will provide you with a copy of your data undergoing processing and the following information:

  1. The purposes of the processing;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom the personal data has been or will be disclosed;
  4. Where possible, the envisaged period for which the personal data will be stored or the criteria used to determine that period;
  5. The existence of the right to request rectification or erasure of personal data or restriction of processing or to object to such processing;
  6. The right to complain with a supervisory authority;
  7. Where personal data is not collected from you, any available information as to its source and
  8. The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Art. 32 - Right to Rectification

(1) You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.

(2) Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by providing a supplementary statement.

Art. 33 - Right to Erasure ('Right to be Forgotten')

(1) You have the right to request the erasure of your personal data without undue delay where one of the following grounds applies: a) The personal data is no longer necessary concerning the purposes for which it was collected or otherwise processed; b) You withdraw consent on which the processing is based, and there is no other legal ground for the processing; c) You object to the processing and there are no overriding legitimate grounds for the processing; d) The personal data has been unlawfully processed; e) The personal data has to be erased for compliance with a legal obligation; or f) The personal data has been collected concerning the offer of information society services to a child.

(2) The right to erasure shall not apply to the extent that processing is necessary: a) For exercising the right of freedom of expression and information; b) For compliance with a legal obligation; c) For reasons of public interest in the area of public health; d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or e) For the establishment, exercise, or defense of legal claims.

Art. 34 (1) You have the right to obtain the restriction of processing of your data where one of the following applies: a) You contest the accuracy of the personal data for a period enabling us to verify the accuracy; b) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead; c) We no longer need the personal data for processing, but you require it for the establishment, exercise, or defense of legal claims; or d) You have objected to processing pending verification of whether our legitimate grounds override yours.

(2) Where processing has been restricted, such personal data shall, except storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims or the protection of the rights of another natural or legal person or for reasons of substantial public interest.

Art. 35 (1) You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or XML).

(2) You have the right to transmit this data to another controller without hindrance from us, where: a) The processing is based on consent or a contract, and b) The processing is carried out by automated means.

(3) Where technically feasible, you have the right to transmit personal data directly from us to another controller.

Art. 36 (1) You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data, which is based on your legitimate interests or the performance of a task carried out in the public interest.

(2) Where you object to processing, we shall no longer process your data unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for establishing, exercising, or defense of legal claims.

(3) You have the absolute right to object at any time to processing your personal data for direct marketing purposes, including profiling, to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, we will cease processing your data for these purposes immediately.

Art. 37 (1) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

(2) Paragraph 1 shall not apply if the decision: a) Is necessary for entering into, or performance of, a contract between you and us; b) Is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or c) Is based on your explicit consent.

(3) In the cases referred to in paragraphs 2(a) and (c), we shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express your point of view, and to contest the decision.

Art. 38 (1) To exercise any of the rights described in Articles 31-37, you may contact us through the following methods:

  1. Email: privacy@craftpolicy.com
  2. Webform: Available in the "Privacy" section of our website
  3. Postal mail: [Company Name], Attn: Data Protection, [Full Address]

(2) We will not charge a fee for responding to your request unless your request is unfounded, repetitive, or excessive. We may charge a reasonable fee or refuse to act on the request in such cases.

(3) We may request specific information from you to help us confirm your identity and ensure your right to access your pata (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone with no right to receive it.

Art. 39 (1) Without prejudice to any other administrative or judicial remedy, you have the right to complain with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your data infringes data protection law.

Section IX - International Data Transfers

Art. 40 (1) Generally, we process and store your personal data within the European Economic Area (EEA).

(2) We only transfer your data outside the EEA when necessary for specific purposes and subject to appropriate safeguards as described in this section.

(3) Any transfer of personal data to a third country or international organization is conducted following Chapter V of the General Data Protection Regulation (GDPR).

Art. 41 (1) We use certain third-party services that may involve the transfer of personal data outside the EEA, specifically:

  1. Google Analytics for website analytics and performance measurement; and
  2. Facebook Pixel for advertising conversion tracking and audience building.

(2) When using these services, limited personal data such as IP addresses, cookie identifiers, and browsing behavior may be transferred to servers outside the EEA, including in the United States.

(3) We have implemented measures to minimize the data transferred through these services, including: a) IP anonymization in Google Analytics before data leaves your browser; b) Setting shorter data retention periods than the default; and c) Using cookie consent management to ensure these tools are only activated with your consent.

Art. 42 (1) For the limited transfers described in Article 41, we rely on the following safeguards: a) European Commission's Standard Contractual Clauses (SCCs) as adopted in June 2021; b) Supplementary technical measures following the "Schrems II" decision of the Court of Justice of the European Union; and c) Vendor assessment and due diligence before engaging third-party service providers.

(2) The supplementary technical measures we implement include: a) Data minimization before transfer; b) Pseudonymization where possible; c) Encryption of data in transit and at rest; and d) Regular review of the necessity and scope of transfers.

Art. 43 (1) We have conducted and documented transfer impact assessments (TIAs) for all data transfers outside the EEA, evaluating: a) The specific data transferred; b) The recipient country's legal framework regarding government access to data; c) The specific circumstances of the transfer; and d) The additional safeguards implemented to address identified risks.

(2) We periodically review our TIAs to ensure they remain current with evolving legal requirements and changes in third-country laws and practices.

Art. 44 (1) Upon request, you have the right to obtain a copy of the safeguards for transferring your data outside the EEA.

(2) To request this documentation, please email our Data Protection Officer at privacy@craftpolicy,.com. We will respond within one month.

(3) We may redact portions of the documentation containing confidential commercial information or security measures but will ensure you receive meaningful information about the transfers and safeguards.

Art. 45  (1) Apart from the limited transfers described in Article 41, we do not transfer your data outside the EEA.

(2) Should our data transfer practices change in the future, we will update this Privacy Policy and, where required by law, seek your consent before transferring your personal data to additional third countries.

Art. 46 (1) Where possible, we offer data localization options for EEA-based users, including: a) Selection of EU-based service providers where equivalent services are available and b) Retention of personal data on servers physically located within the EEA.

(2) We continuously evaluate available technical and organizational measures to limit international transfers of personal data while maintaining necessary service functionality.

Section X - Third-Party Recipients

Art. 47 (1) We share your personal data with a limited number of carefully selected third parties who process data on our behalf and only according to our instructions.

(2) We ensure all third-party recipients provide sufficient guarantees to implement appropriate technical and organizational measures to meet GDPR requirements and protect your rights.

(3) We do not sell your personal data to any third parties or share it with third parties for their own marketing purposes without your explicit consent.

Art. 48  (1) We share your personal data with the following specific third-party recipients:

  1. Google Ireland Limited (Google Analytics)
    • Purpose: Website analytics and performance measurement
    • Data shared: IP address (anonymized), cookie identifiers, browsing behavior, device information
    • Location: Data may be processed on servers worldwide, including in the United States
    • Privacy Policy: https://policies.google.com/privacy
  2. Meta Platforms Ireland Limited (Facebook Pixel)
    • Purpose: Advertising conversion tracking and audience building
    • Data shared: Cookie identifiers, browsing behavior, device information
    • Location: Data may be processed on servers worldwide, including in the United States
    • Privacy Policy: https://www.facebook.com/policy.php

(2) If your personal data is shared with any additional third parties in the future, we will update this Privacy Policy accordingly.

Art. 49 (1) We engage service providers to perform certain functions on our behalf, who may have limited access to your personal data: a) Hosting and cloud service providers for website operation; b) Email service providers for newsletter delivery; and c) IT service providers for maintenance and security of our systems.

(2) All service providers are bound by data processing agreements that: a) Limit their use of your data to the specific purposes for which it was shared; b) Require implementation of appropriate security measures; and c) Obligate them to delete or return all personal data after the end of the service provision.

Art. 50 (1) We may disclose your personal data where required by law, regulation, or legal process, such as in response to a court order or a lawfully issued subpoena.

(2) We may also disclose your personal data where we believe it is necessary to: a) Protect our rights, privacy, safety, or property; b) Protect the rights, privacy, safety, or property of our users or others; and c) Enforce the terms of our agreements.

(3) In all such cases, we will only disclose the data that we reasonably believe is necessary to satisfy the request.

Section XI - Cookies and Similar Technologies

Art. 51 (1) Our website uses cookies and similar technologies (such as pixel tags and local storage) to enhance functionality, analyze usage, and support our marketing activities.

(2) A cookie is a small text file that is stored on your device when you visit our website. Cookies allow our website to recognize your device and remember certain information about your visit.

(3) We only use non-essential cookies (such as analytics and marketing cookies) with your prior consent, which you provide through our cookie consent banner.

Art. 55 (1) We have configured Google Analytics to respect user privacy by: a) Anonymizing IP addresses before they are stored; b) Limiting the data retention period to 14 months rather than the default 26 months; c) Disabling data sharing with Google for advertising purposes; and d) Requiring user consent before analytics cookies are set.

(2) You can opt out of Google Analytics tracking specifically by installing the Google Analytics Opt-out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout

Art. 56 (1) We have configured Facebook Pixel to respect user privacy by: a) Only activating the pixel after receiving your explicit consent; b) Limiting the data collection to basic website interaction data; and c) Using the data only for conversion measurement and targeted advertising.

(2) If you wish to opt out of Facebook tracking across all websites, you can adjust your Facebook ad preferences at https://www.facebook.com/ads/preferences

(3) You can also use the Digital Advertising Alliance's WebChoices tool to opt out of interest-based advertising from Facebook and other participating companies: https://optout.aboutads.info/

Section XII - Changes to This Privacy Policy

Art. 57 (1) We review this Privacy Policy regularly and may update it from time to time to reflect changes in our practices, technology, legal requirements, and other factors.

(2) We classify changes to this Privacy Policy as either a) Material changes that substantially affect your rights or how we process your personal data or b) Non-material changes such as clarifications, formatting improvements, or corrections of typographical errors.

(3) The date of the most recent update is indicated at the top of this Privacy Policy.

Art. 58 (1) For material changes to this Privacy Policy, we will: a) Provide notice on our website through a visible banner or pop-up notification for at least 30 days before the changes take effect; b) Send an email notification to users for whom we have contact information; and c) Obtain your consent where required by applicable law.

(2) For non-material changes, we will: a) Update the "Last Modified" date at the top of this Privacy Policy and b) Provide a summary of the changes in the revision history section of the policy.

Art. 59 (1) We maintain an archive of previous versions of this Privacy Policy to ensure transparency about changes over time.

(2) You may request access to previous versions of our Privacy Policy by contacting our Data Protection Officer using the contact details provided in Article 60.

(3) The change history and archived versions are also available in the "Privacy Policy Archive" section of our website.

Art. 60 (1) If you have questions about changes to this Privacy Policy, you may contact our Data Protection Officer using the contact details provided in Article 61.

(2) Your continued use of our website after the effective date of changes constitutes your acceptance of the revised Privacy Policy, where permitted by applicable law and subject to your explicit consent where required.

Section XIII - How to Contact Us

Art. 61 (1) We welcome your questions, comments, and concerns about privacy. You can contact us through the following methods:

  1. General Inquiries: - Email: info@craftpolicy - Phone: +359877732087- Online Contact Form: Available on our website at craftpolicy.com 

(2) For matters related to your personal data or this Privacy Policy, we recommend contacting our Data Protection Officer directly.

Art. 62 (1) We strive to respond to all privacy-related inquiries within five business days.

(2) For formal data subject rights requests as described in Articles 31-37, we will respond within the timeframes specified in Article 30(2) and (3).

Art. 63 (1) If our contact information changes, we will update this Privacy Policy and post a notice on our website.

(2) We will ensure that our current contact information is always readily accessible on our website.

Section XIV - Complaints and Supervisory Authority

Art. 64 (1) If you have concerns about our processing of your personal data, we encourage you to first contact us directly so that we may address your concerns.

(2) Our internal complaint handling procedure includes: a) Initial review of your complaint by our Data Protection Officer; b) Investigation of the issues raised; c) Response to you within 15 business days; and d) Implementation of any necessary remedial measures.

(3) We are committed to resolving complaints in a fair, timely, and transparent manner.

Art. 65 (1) You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection laws.

(2) You may lodge a complaint in particular in the Member State of a) Your habitual residence, b) Your place of work, or c) The place of the alleged infringement.

Art. 66 (1) The competent supervisory authority in [Member State] is: [Name of the Supervisory Authority] Address: [Authority's Address] Email: [Authority's Email] Phone: [Authority's Phone] Website: [Authority's Website]

(2) The European Data Protection Board provides a list of all national data protection authorities within the EEA, which can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Art. 67 (1) In addition to the formal complaint procedures described above, we may offer alternative dispute resolution mechanisms for privacy-related disputes.

(2) Participation in such alternative dispute resolution processes is voluntary and does not restrict your right to lodge a complaint with a supervisory authority or pursue other legal remedies.

(3) Information about available alternative dispute resolution options, if any, will be provided upon request.

Craft Policy Logo
Navigaton
Partners
Services
Case studies
About
Contacts
Packages
eCommerce
Startup & Tech
Additional
Legal Pages
Terms & Conditions
Privacy Policy
Cookie Policy
Contacts
martin@craftpolicy.com
+359 877 732 087
© 2025 CraftPolicy. All Rights Reserved.
Design and Development: Creative Corner Studio