Privacy Policy

Effective from: 11 June 2026

This Privacy Policy (the "Policy") describes what personal data the company Cacciatore SR s.r.o. collects, for what purpose it processes it, how long it retains it, and what rights you have as a data subject. The Policy is prepared in compliance with Regulation (EU) 2016/679 (GDPR) and Act No. 18/2018 Coll. on personal data protection.

1. Personal data controller

The controller of personal data within the meaning of Art. 4(7) GDPR is:

Company name: Cacciatore SR s.r.o.

Registered office: Hrabová 2731/3, 040 22 Košice — mestská časť Vyšné Opátske

Company ID (IČO): 47608412

Tax ID / VAT ID: DIČ 2023997547 · IČ DPH SK2023997547

Registration: Obchodný register Mestského súdu Košice, oddiel: Sro, vložka č. 58416/V

Service operation: WebsiteAudit

Email: websiteaudit@cacciatore.sk

Phone: +421 915 170 050

A Data Protection Officer (DPO) within the meaning of Art. 37 GDPR has not been appointed, as the nature and scope of the processing does not fall under the obligation to appoint one pursuant to Art. 37(1) GDPR. The contact person for personal data matters is the company's managing director, available at the email above.

2. Legal basis for processing

We process personal data on the following legal bases under Art. 6 GDPR:

Performance of a contract — Art. 6(1)(b) GDPR

Processing is necessary to provide the Service you accessed by registering or starting an audit. It includes account management, delivery of reports, and communication related to the Service.

Legitimate interest — Art. 6(1)(f) GDPR

We process IP addresses and technical logs for security purposes (protection against abuse, rate limiting), operational stability, and error monitoring (Sentry). The controller's legitimate interest outweighs the data subject's interests, as the processing is necessary to protect the Service and its users.

Legal obligation — Art. 6(1)(c) GDPR

We retain billing and payment records in compliance with Act No. 431/2002 Coll. on accounting (mandatory archiving for 10 years) and Act No. 222/2004 Coll. on value added tax.

The Service currently does not send marketing emails unrelated to your order or audit. Should we introduce such communication in the future, we will request your explicit consent (Art. 6(1)(a) GDPR).

3. Categories of personal data processed

Depending on how you use the Service, we process the following categories of personal data:

3.1 Data provided directly

  • Email address — upon registration, login, or contacting support
  • First and last name — optional, when registering via Google or GitHub OAuth
  • Password — stored only in hashed form (bcrypt); the controller has no access to the original password
  • Agency profile — company name, website, email, phone, logo URL; only for the Agency plan, voluntarily

3.2 Operational and audit data

  • URLs submitted for auditing — including audit results, scores, and findings
  • Tracked URLs — URLs added to the tracking list (Pro and Agency plans)
  • Audit history — date, time, URL, results; scope depends on the plan (15 days / 45 days / 1 year)
  • API key — a generated identifier for programmatic access (Agency plan)
  • Subscription status — current plan, trial expiry date, last payment date

3.3 Technical and operational records

  • IP address — recorded with each request for rate limiting and security purposes
  • Session token — stored in an HttpOnly cookie for authentication; valid for 30 days
  • Error records — technical exception records (stack traces) sent to Sentry; they contain no passwords or payment data
  • Request timestamps — a timestamp of each audit for rate limiting and history purposes

3.4 Payment data

Payment transactions are processed exclusively by Stripe, Inc. (see section 5). The controller does not store payment card numbers, CVV codes, or bank details. From Stripe we retain only the customer identifier (Stripe Customer ID) and subscription status.

3.5 Special categories of personal data

The Service does not collect or process special categories of personal data within the meaning of Art. 9 GDPR (health data, biometric data, racial origin, religious beliefs, etc.).

4. Purposes of processing

Purpose | Data | Legal basis
--- | --- | ---
Providing the Service (audits, reports) | Email, URL, audit results | Contract (Art. 6(1)(b))
Account management and authentication | Email, hashed password, session token | Contract (Art. 6(1)(b))
Payments and billing | Email, Stripe Customer ID, plan status | Contract + legal obligation (Art. 6(1)(b), (c))
Email communication (audits, password reset, verification) | Email, name | Contract (Art. 6(1)(b))
Rate limiting and abuse protection | IP address, timestamps | Legitimate interest (Art. 6(1)(f))
Error monitoring and Service stability | IP address, stack traces (no passwords, payment data or audit content) | Legitimate interest (Art. 6(1)(f))
Accounting archiving | Billing records | Legal obligation (Art. 6(1)(c))

5. Recipients and processors of personal data

We do not sell personal data to third parties for marketing or other commercial purposes. To operate the Service we use the following processors (Art. 28 GDPR), with whom we have concluded data processing agreements (DPA):

Stripe, Inc.

USA (San Francisco, CA)

Purpose: Payment processing and subscription management

Data processed: Email, billing records, Stripe Customer ID

Safeguard (Art. 46 GDPR): EC Standard Contractual Clauses (SCC) + EU–US Data Privacy Framework certification (DPF, EC Decision C(2023) 4745)

Google LLC

USA (Mountain View, CA)

Purpose: OAuth login, Google PageSpeed Insights API, Google Safe Browsing API, Chrome UX Report (CrUX) API — these APIs receive the URLs of audited sites, not the User's personal data

Data processed: OAuth: email, name (only when logging in via Google). Other APIs: audited URL (a public website address)

Safeguard (Art. 46 GDPR): SCC + EU–US Data Privacy Framework (DPF) certification

GitHub, Inc. (Microsoft)

USA

Purpose: OAuth login via a GitHub account

Data processed: Email, GitHub username (only when logging in via GitHub)

Safeguard (Art. 46 GDPR): SCC + EU–US Data Privacy Framework (DPF) certification

Functional Software, Inc. dba Sentry

USA (San Francisco, CA)

Purpose: Automated logging of application errors and exceptions for debugging and stability

Data processed: IP address, stack traces. Passwords, payment data, and audit content are excluded from reporting.

Safeguard (Art. 46 GDPR): EC Standard Contractual Clauses (SCC)

Hosting provider

EU / per contract

Purpose: Operation of servers, database (PostgreSQL), Redis, and the container environment

Data processed: All data stored in the database and Redis (session tokens, audit results)

Safeguard (Art. 46 GDPR): Processing within the EU/EEA; data processing agreement (DPA)

6. International transfers of personal data

Some processors are located outside the European Economic Area (EEA), primarily in the USA. Transfers to third countries are secured by one or a combination of the following instruments under Chapter V GDPR:

  • EU–US Data Privacy Framework (DPF) — European Commission adequacy decision No. C(2023) 4745 of 10 July 2023, applicable to Google, GitHub (Microsoft) and Stripe.
  • Standard Contractual Clauses (SCC) — model clauses adopted by the Commission in Decision (EU) 2021/914 of 4 June 2021, used primarily for Sentry.

The controller is established in the territory of the Slovak Republic (EU) and processing primarily takes place within the EU. Transfers to the USA are minimized and necessary for the operation of the Service.

7. Retention period of personal data

Data category | Period | Reason
--- | --- | ---
Account data (email, name) | For the duration of the account + 30 days after deletion | Contract; recovery in case of error
Audit history (Free plan) | 15 days from creating the audit | Plan limitation
Audit history (Pro plan) | 45 days from creating the audit | Plan limitation
Audit history (Agency plan) | 1 year from creating the audit | Plan limitation
Session tokens (cookies) | 30 days from last login | Authentication
Billing records | 10 years | Act No. 431/2002 Coll.
IP addresses (rate limiting) | 24 hours in Redis; no long-term storage beyond the IP address attached to an error record (see Sentry below) | Security
Error records (Sentry) | 90 days (Sentry default setting) | Debugging and stability
API keys | For the duration of the account or until revoked | API access

After the retention period expires, personal data is automatically deleted or anonymized, unless further retention is required by law.

8. Cookies and local storage

The Service uses only functional cookies necessary for operation:

Name | Purpose | Validity | Type
--- | --- | --- | ---
better-auth.session_token | Maintaining the logged-in session (HttpOnly, Secure, SameSite=Lax) | 30 days | Necessary
better-auth.session_data | Caching session data to reduce DB load (HttpOnly) | 5 minutes | Necessary

The Service does not use analytics, advertising, or tracking cookies (e.g. Google Analytics, Facebook Pixel). The only third-party component loaded in your browser is the Stripe payment gateway, shown during payment; it is necessary for the operation of the Service and is not used for tracking.

Functional cookies have the legal basis of Art. 6(1)(b) GDPR (necessary for the performance of a contract) and, as strictly necessary cookies, do not require separate consent under § 109(8) of Act No. 452/2021 Coll. on electronic communications. You can restrict the storage of cookies in your browser settings; however, logging in to the Service is not possible without the session cookie.

9. Automated decision-making and profiling

The Service does not carry out automated decision-making within the meaning of Art. 22 GDPR that would have legal effects or similarly significantly affect you. Audit results are an automated technical assessment of the audited website, not an evaluation of the User and not profiling of the User.

The User's tier (plan) is determined automatically based on the subscription status in the database (Free / Pro / Agency / Trial). This automatic plan assignment is necessary for the performance of the contract and is not profiling within the meaning of GDPR.

10. Your rights as a data subject

In accordance with Chapter III GDPR (Art. 15–22) and Act No. 18/2018 Coll., you have the following rights vis-à-vis the controller:

Art. 15

Right of access

You have the right to obtain confirmation as to whether we process your personal data and, if so, access to it and information about the processing.

Art. 16

Right to rectification

You have the right to rectification of incorrect or completion of incomplete personal data. You can change your email and name directly in your account settings.

Art. 17

Right to erasure ("to be forgotten")

You have the right to request the erasure of your personal data if the purpose for which it was collected has ceased, or you have withdrawn consent. The right does not apply to data we are required to retain by law (e.g. billing records).

Art. 18

Right to restriction of processing

You have the right to request a restriction of processing, for example while we verify the accuracy of your data or the legitimacy of your objection.

Art. 20

Right to data portability

You have the right, regardless of your plan, to receive the personal data you provided to us in a structured, commonly used, and machine-readable format (for example JSON; Agency plan users can use the self-service JSON export in the Service, other users can request the export by email), and to transfer it to another controller.

Art. 21

Right to object

You have the right to object to the processing of your personal data carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR). The controller will cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights and freedoms.

Art. 7(3)

Right to withdraw consent

If processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before the withdrawal.

How to exercise your rights

Send your request by email to websiteaudit@cacciatore.sk. We will respond to the request without undue delay and in any event within one month of receipt (Art. 12(3) GDPR). Where necessary, taking into account the complexity and number of requests, we may extend the deadline by a further two months, of which we will inform you within the first month together with the reasons.

To verify your identity, we will request confirmation from the email address of your account. We handle requests free of charge; we may charge a reasonable fee or refuse to act only for manifestly unfounded or excessive (e.g. repetitive) requests (Art. 12(5) GDPR).

11. Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data is in breach of the GDPR or Act No. 18/2018 Coll., you have the right to lodge a complaint with a supervisory authority. The competent authority for Slovakia is:

Office for Personal Data Protection of the Slovak Republic

Hraničná 12, 820 07 Bratislava 27

Tel.: +421 2 3231 3214

https://dataprotection.gov.sk

Before lodging a complaint, we recommend contacting us directly — we resolve most matters faster and without formal proceedings.

12. Security of personal data

The controller implements appropriate technical and organizational measures to protect personal data in accordance with Art. 32 GDPR:

  • Encryption of transfers via the TLS 1.2+ protocol (HTTPS)
  • Hashing of passwords with the bcrypt algorithm (one-way function; the password cannot be recovered)
  • Session cookies with the HttpOnly, Secure, and SameSite=Lax attributes
  • Rate limiting (limiting the number of requests) to protect against brute-force attacks
  • Email verification of the account upon registration
  • Automated monitoring of errors and security incidents
  • Database access exclusively via an internal network interface (not publicly accessible)

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the controller will notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to you, we will also inform you without undue delay (Art. 34 GDPR).

13. Changes to this Policy

The controller reserves the right to update this Policy, in particular in the event of changes in data processing, legislative changes, or the introduction of new Service features.

You will be informed of material changes (e.g. a new processing purpose, new processors, a new legal basis) by email at least 14 days in advance. Less significant changes (text corrections, contact data updates) take effect upon publication on this page with an update of the "Effective from" date.

An archive of previous versions of the Policy is available on request by email.

14. Contact for personal data matters

Send all requests, questions, and complaints regarding personal data protection to:

Cacciatore SR s.r.o. (full controller details are given in section 1), service operation: WebsiteAudit

Email: websiteaudit@cacciatore.sk

Phone: +421 915 170 050

This Privacy Policy takes effect on 11 June 2026.

Prepared in compliance with GDPR (EU) 2016/679 and Act No. 18/2018 Coll. on personal data protection.