Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your personal data in compliance with GDPR.
Data Controller Information
Company Details
Kakaduu e.U.
FN 477589m
ATU 72687201
Contact Information
1. Information We Collect
1.1 Personal Information
- Account Information: Email address, password (encrypted), full name when you create an account
- Payment Information: Billing address, payment method details (processed by Stripe, we do not store credit card information)
- Communication Data: Messages sent through our contact forms or support channels
1.2 Anonymized Analytics Data
Privacy-First Approach: We use SHA-256 domain hashing to anonymize all website data before storage.
- Domain Hash: SHA-256 hash of analyzed domains (cannot be reversed to identify the original domain)
- Analysis Metrics: AEO scores, analysis types, optimization recommendations
- Geographic Data: Country code for regional analysis (derived from IP address, not stored)
- Usage Patterns: Feature usage, analysis frequency, platform interactions
1.3 Technical Information
- Log Data: IP addresses (not stored permanently), browser type, operating system, access times
- Cookies: Essential cookies only (authentication, preferences). No tracking cookies.
- Device Information: Screen resolution, device type for responsive design optimization
2. How We Use Information
Service Provision
- Provide AEO analysis and optimization services
- Process and store analysis results
- Generate reports and recommendations
- Manage user accounts and subscriptions
- Process payments through Stripe
Service Improvement
- Improve our ML algorithms and analysis accuracy
- Develop new features and capabilities
- Optimize platform performance
- Conduct research on AEO trends (anonymized data only)
- Provide customer support
Communication
- Send important service notifications
- Respond to support requests
- Send security alerts when necessary
- Provide updates about new features (with consent)
Legal Compliance
- Comply with legal obligations
- Prevent fraud and abuse
- Protect the security of our platform
- Enforce our terms of service
3. Legal Basis for Processing (GDPR Article 6)
Contract Performance (Article 6(1)(b))
Processing necessary for the performance of our service contract with you, including account management, service delivery, and payment processing.
Legitimate Interest (Article 6(1)(f))
Processing for our legitimate interests in improving our services, preventing fraud, and ensuring platform security, balanced against your privacy rights.
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations, including tax requirements and regulatory compliance.
Consent (Article 6(1)(a))
Processing based on your explicit consent for marketing communications and optional features. You may withdraw consent at any time.
4. Data Sharing and Third Parties
Important: We never sell your personal data. We only share data with trusted service providers under strict contractual obligations.
Service Providers
Supabase (Database & Auth)
Secure database hosting and user authentication
Stripe (Payment Processing)
Secure payment processing (PCI DSS compliant)
Vercel (Hosting)
Website and application hosting infrastructure
Data Processing Agreements
- All third parties are GDPR-compliant
- Strict data processing agreements in place
- Regular security audits and assessments
- Data minimization principles applied
- Encryption in transit and at rest
When We May Share Data
- Legal Requirements: When required by law, regulation, or valid legal process
- Business Transfers: In case of merger, acquisition, or asset sale (with notice to you)
- Protection of Rights: To protect our rights, property, or safety, or that of our users
- With Consent: When you explicitly consent to sharing with specific third parties
5. Your Rights Under GDPR
EU/UK Residents: You have enhanced rights under GDPR and UK GDPR. Contact us at clemens@focuspulleratwork.com to exercise these rights.
Access & Information
- Right of Access: Request a copy of your personal data
- Right to Information: Understand how we process your data
- Data Portability: Receive your data in a machine-readable format
Control & Correction
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit how we process your data
Consent & Objection
- Withdraw Consent: Withdraw consent for marketing and optional features
- Right to Object: Object to processing based on legitimate interests
- Object to Direct Marketing: Opt out of marketing communications
Legal Recourse
- Complaint to DPA: File a complaint with your data protection authority
- Judicial Remedy: Seek legal remedy for GDPR violations
- Response Time: We respond to requests within 30 days
How to Exercise Your Rights
To exercise any of these rights, please contact us with:
- Your full name and email address associated with your account
- The specific right you wish to exercise
- Any relevant details or documentation
- Proof of identity (to prevent unauthorized access)
6. Data Retention
Personal Data
- Account Data: Retained while your account is active plus 3 years after deletion
- Payment Data: Retained for 7 years for accounting and legal requirements
- Support Communications: Retained for 3 years for quality assurance
- Marketing Consent: Until consent is withdrawn
Anonymized Data
- Analytics Data: Stored indefinitely as it cannot be linked to individuals
- Research Data: Used for service improvement and industry research
- Aggregated Metrics: Used for platform optimization
- Domain Hashes: Cannot be reverse-engineered to identify domains
Note: Anonymized data cannot be deleted upon request as it's not considered personal data under GDPR. However, we ensure this data cannot be used to identify you or your websites.
7. Security Measures
Technical Safeguards
- End-to-end encryption for data in transit (TLS 1.3)
- Encryption at rest for all stored data
- SHA-256 hashing for domain anonymization
- Multi-factor authentication support
- Regular security updates and patches
- Secure coding practices and code reviews
Organizational Measures
- Access controls and role-based permissions
- Regular employee security training
- Data processing agreements with all vendors
- Incident response and breach notification procedures
- Regular security audits and penetration testing
- Backup and disaster recovery procedures
Infrastructure Security
Supabase Security
- SOC 2 Type II certified
- Row-level security policies
- Automatic backups
Stripe Security
- PCI DSS Level 1 compliant
- Tokenized payment data
- Fraud prevention
Vercel Security
- SOC 2 certified infrastructure
- DDoS protection
- Automatic SSL certificates
Data Breach Notification
In the unlikely event of a data breach affecting personal data, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay when required by GDPR.
8. International Data Transfers
Data Locations
Primary Data Storage
- Supabase (EU region - Frankfurt, Germany)
- All user data stored within the EU
- GDPR-compliant data center operations
Service Providers
- Stripe (US) - Standard Contractual Clauses
- Vercel (Global CDN) - Adequacy decisions
- Support tools (EU-based when possible)
Transfer Safeguards
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for transfers to third countries
- Adequacy Decisions: Transfers to countries with adequate data protection (UK, Switzerland, etc.)
- Additional Safeguards: Encryption, access controls, and data minimization for all transfers
- Regular Review: Ongoing assessment of transfer mechanisms and third-country privacy laws
Commitment: We prioritize EU-based service providers and only transfer data outside the EU when necessary for service provision, always with appropriate safeguards in place.
9. Children's Privacy
Age Restrictions
- Our service is not intended for children under 16 years of age
- We do not knowingly collect personal data from children under 16
- Children aged 13-15 require parental consent in the EU
- Business-focused platform with professional content
Protective Measures
- Age verification during account registration
- Immediate deletion if we discover underage users
- No targeted advertising to minors
- Enhanced privacy protections for young users
Parents/Guardians: If you believe your child has provided personal information to us, please contact us immediately at clemens@focuspulleratwork.com and we will promptly delete such information.
11. Contact Information & Data Protection Officer
Data Controller
Data Protection Officer
Privacy Contact
For all privacy-related inquiries, GDPR requests, and data protection matters.
Supervisory Authority
You have the right to lodge a complaint with the competent data protection authority:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42, 1030 Wien, Austria
Email: dsb@dsb.gv.at
Phone: +43 1 52 152-0
12. Changes to This Privacy Policy
Policy Updates
- We may update this policy to reflect changes in our practices
- Updates to comply with new legal requirements
- Changes to improve clarity and transparency
- Addition of new features or services
Notification Process
- Email notification for material changes
- Website banner notification
- 30-day notice period for significant changes
- Option to opt out if you disagree with changes
Version Control: This privacy policy version is effective as of January 28, 2025. Previous versions are available upon request for transparency and compliance purposes.