1. Who's responsible
Plain English. We're the data controller for our own site and customer data. When a visitor fills out a form on your site and we host it for you, you're the controller and we're the processor on your behalf.
2. Personal data we collect
Identity and contact details (first name, last name, business name, email, phone), account data (password hashes, preferences), billing data (card last 4, address, transaction history), website brief content, support interactions, and automatic technical data (IP, browser, coarse location via IP, usage events).
We don't knowingly collect sensitive categories of personal data.
3. How we use it
- Service delivery (contract).
- Billing (contract + legal obligation for tax records).
- Transactional email (contract).
- Marketing email (consent — one-click unsubscribe in every message).
- Security and fraud prevention (legitimate interests).
- Service improvement (legitimate interests, aggregated).
4. Who we share data with
A small number of carefully chosen sub-processors help us deliver the Service. The full current list is at our Sub-processor page, updated with 30 days' notice before any change.
We do not sell your personal data. We do not "share" it for cross-context behavioural advertising as defined under CCPA.
5. International data transfers
Personal data at rest is stored in the European Union (Frankfurt) via our database and hosting providers. Some processing — notably payments and LLM-assisted features — occurs in the United States under Standard Contractual Clauses (SCCs) and the UK Addendum where applicable.
6. How long we keep data
- Active account data: duration of subscription + 30-day grace.
- Billing/invoice records: 7 years (tax obligations).
- Support tickets: 3 years.
- Website files: available to you for 90 days after cancellation, then deleted.
- Marketing consent/opt-out records: until unsubscribe + 3 years.
- Unsuccessful quiz / PDF leads: 24 months from last engagement.
7. How we protect data
TLS 1.2+ in transit. AES-256 at rest. Role-based access control. Mandatory MFA for staff with production access. 24/7 monitoring. Regular backups with point-in-time recovery. Breach notification to affected individuals within 72 hours where risk to rights/freedoms is likely; to our customers within 48 hours when we process on their behalf.
8. Your rights
Depending on where you live: access, rectification, erasure, restriction, portability, objection, withdrawing consent, opting out of sale/sharing (CCPA), and non-discrimination. Email privacy@digitalserpents.com — we respond within 30 days (GDPR-aligned) or 45 days (CCPA).
9. Cookies
See our Cookie Policy for what we set and how to manage preferences. We honour the Global Privacy Control (GPC) signal.
10. Children
The Service isn't for children. We don't knowingly collect data from under-18s; tell us if you believe we have and we'll delete it.
11. LLM use
We use large language models (currently Claude, from Anthropic) for clarifying questions in the intake brief, reviewer digests, and first-pass copy drafting. Personal data sent to LLM providers is covered by contract; they are contractually prohibited from training on customer data. No significant automated decisions are made about you without human involvement.
12. Market-specific disclosures
UK / EEA: UK GDPR / EU GDPR applies. Complain to the ICO (UK) or your local supervisory authority.
California: CCPA/CPRA rights apply. Submit a request to privacy@digitalserpents.com.
Canada: PIPEDA and Quebec Law 25.
South Africa: POPIA. Complain to the Information Regulator.
UAE: Federal Decree-Law No. 45 of 2021.
Mexico: LFPDPPP. ARCO rights.
Singapore: PDPA.
Georgia: Law of Georgia on Personal Data Protection; complain to the Personal Data Protection Service.
13. Changes
Material changes: at least 30 days' notice to your account email. Non-material changes take effect on posting.
14. Contact
Privacy: privacy@digitalserpents.com
Legal entity: Infinity Curve LLC, 76 Vazha-Pshavela Ave, Tbilisi 0186, Georgia
Georgian VAT ID: 435437975