Privacy Policy

Effective: 2026-05-30

VICTUM GROUP, s. r. o. (Stropkovská 3, 821 03 Bratislava, Slovakia) is the controller of personal data described in this Policy. We comply with the EU General Data Protection Regulation (GDPR) and apply equivalent protections worldwide, including for users covered by the UK GDPR, California Consumer Privacy Act (CCPA), and other regional privacy laws.

1. The short version

  • We collect only what we need to run the service.
  • We never sell personal data.
  • We use a small number of trusted processors (Stripe for billing, Resend for email, Google for analytics, etc.) — listed below.
  • You can request access, correction, deletion, or export of your data at any time.
  • Contact: [email protected].

2. Who we are

Controller: VICTUM GROUP, s. r. o., IČO 47077662, registered at Stropkovská 3, 821 03 Bratislava, Slovakia, registered in Obchodný register Mestského súdu Bratislava III, oddiel: Sro. We don't have a Data Protection Officer designated under Article 37 GDPR (our processing doesn't meet the threshold), but all privacy enquiries go to [email protected].

3. What we collect and why

3.1 Account data

When you sign up, we collect:

  • your email, name (optional), and agency name;
  • a hashed password (we never store the plaintext) — only when you use email/password sign-in;
  • your Google account's public profile (id, email, name, picture) when you choose "Continue with Google".

Legal basis: Article 6(1)(b) GDPR — necessary to perform the contract you enter when you create an Account.

3.2 Usage data

We collect data needed to operate the service: campaigns you create, leads, audits, scoring weights, outreach drafts, suppression lists, and lead-status changes.

Legal basis: Article 6(1)(b) — necessary to deliver the service.

3.3 Billing data

Card details are entered directly into Stripe and we never see them. We do receive and store: customer ID, subscription ID, plan, invoice metadata, and billing-cycle dates.

Legal basis: Article 6(1)(b) (contract) and 6(1)(c) (compliance with accounting law).

3.4 Server logs

Our servers log IP address, user-agent, request path, and timestamp for every request. Logs are retained for 30 days and used for security, debugging, and fraud prevention.

Legal basis: Article 6(1)(f) — legitimate interest in service security.

3.5 Cookies and analytics

Essential cookies (session, theme, CSRF/OAuth state) load automatically. Analytics and marketing cookies load only with your consent, captured via our cookie banner. Full details in our Cookie Policy.

Legal basis: Article 6(1)(f) for essential cookies, Article 6(1)(a) (consent) for analytics/marketing cookies.

3.6 Discovered businesses (your scan targets)

When you run a scan, we collect publicly available business data from third-party sources (Google Places, Meta Ad Library, public websites). This data describes third-party businesses, not you. We process it on your behalf as part of delivering the Service. We are the controller of this data only for our own internal operation (deduplication, scoring); you remain responsible for any outreach you choose to send.

4. How we share data — third-party processors

We use the following sub-processors. Each is GDPR-compliant and is bound by a data processing agreement.

| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Subscription billing, invoices | EU (Ireland), with EU-US data flows | EU SCCs |
| Resend, Inc. | Transactional email delivery | United States | EU SCCs + DPF (where applicable) |
| Google Ireland Ltd. (Analytics, Ads, Places API) | Analytics, ads, business discovery, performance audits | EU + United States | EU SCCs + DPF |
| Meta Platforms Ireland Ltd. | Public Meta Ad Library queries | EU + United States | EU SCCs + DPF |
| Vercel Inc. (hosting) | Application hosting + CDN | EU + United States | EU SCCs + DPF |
| Anthropic, PBC (optional) | AI-assisted outreach drafts (only when you click "Enhance with AI") | United States | EU SCCs |

We notify you if we add or change a sub-processor that materially affects your data.

5. International transfers

Some processors are based outside the EU/EEA. Personal data transferred to such countries is protected via the EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF) where the recipient is certified.

6. How long we keep data

| Data | Retention |
|---|---|
| Account data | Until the Account is deleted, plus 30 days for accidental-deletion recovery. |
| Campaign / lead / audit data | Same as Account. |
| Billing records (invoices) | 10 years, as required by Slovak accounting law. |
| Server logs | 30 days. |
| Email logs (EmailLog audit) | 2 years. |
| Password-reset tokens | 1 hour, or until used. |
| Backups | Rolling 30 days. |

7. Your rights under GDPR

You have the right to:

  • access the personal data we hold about you;
  • correct data that is inaccurate or incomplete;
  • delete data ("right to be forgotten"), subject to legal retention obligations;
  • restrict or object to processing;
  • data portability — receive your data in a machine-readable format;
  • withdraw consent at any time for processing based on consent (does not affect prior lawful processing);
  • lodge a complaint with a supervisory authority — in Slovakia, the Úrad na ochranu osobných údajov SR (dataprotection.gov.sk).

To exercise any of these, email [email protected] from the address on your Account. We respond within 30 days.

8. Rights of users in California, the UK, and elsewhere

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of sale or sharing (we do not sell or share personal information as defined by CCPA), and the right not to be discriminated against for exercising any right.

UK residents have rights equivalent to those above under the UK GDPR.

Residents of other jurisdictions: we apply GDPR-grade protections worldwide. Where local law grants additional rights, we will respect them upon verified request.

9. Security

We protect data with encryption in transit (TLS 1.2+), encryption at rest, hashed passwords (bcrypt), and least-privilege access for our team. We follow incident-response procedures and will notify affected users within 72 hours of becoming aware of a personal-data breach that poses a risk to them.

10. Children

The Service is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you become aware that a child has provided us with personal data, contact [email protected] and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy. Material changes will be announced by email or in-app notice at least 30 days in advance.

12. Contact

Privacy questions, rights requests, or complaints: [email protected]
Postal: VICTUM GROUP, s. r. o., Stropkovská 3, 821 03 Bratislava, Slovakia.