Privacy Policy

Effective Date: May 2026

Data Controller: Studio Cygnus SRL (CUI: 50611230)

Represented by: Murad Madi

Registered Office: Str. Ioan Rusu Sirianu 3, Et. 1, Ap. 9, Cod 310035, Arad, Romania

Operational Base: Madrid, Spain

Contact Email: [email protected]

1. The Scope of This Policy

This Privacy Policy outlines how your personal data is collected, processed, and protected when you visit this website or interact with our communication forms. As a specialized engineering practice, we prioritize "Privacy by Design," utilizing clean infrastructure and server-side data routing to minimize third-party data exposure.

2. What Data We Collect

We collect data strictly for the purposes of facilitating communication and auditing our technical architecture.

A. Data You Provide Directly

When you use the "Let's Talk" form or contact us via email, we collect:

  • Identity Data: Your name or company name.
  • Contact Data: Your email address.
  • Communication Data: The contents of your message, project details, or technical inquiries.

B. Data Collected Automatically (Analytics & Technical)

If you consent to our analytical cookies, we collect:

  • Technical Data: Browser type, device type, operating system, and anonymized IP addresses.
  • Behavioral Data: Interaction events, page views, and session depth.

3. How We Process Your Data & The Legal Basis

Under the GDPR, we must have a valid legal basis to process your information.

A. Managing Inquiries & Communications

The Process: Form submissions are securely routed through a self-hosted automation pipeline (n8n). This prevents third-party middleware from intercepting or reading your business inquiries.

Legal Basis: Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR).

B. Architectural Auditing & Analytics

The Process: We deploy a PostHog Cloud (EU) instance to analyze behavioral data. Additionally, we use Google Analytics 4 (GA4). To ensure data integrity and privacy, GA4 requests are routed through a self-hosted Server-Side Google Tag Manager (sGTM) container. This server-side environment automatically strips Personally Identifiable Information (PII) and obfuscates your IP address before any data is dispatched to Google.

Legal Basis: Explicit Consent (Article 6(1)(a) GDPR) granted via our Cookie Consent banner.

C. System Security & Uptime

The Process: We monitor server logs and network requests to detect malicious activity, prevent DDoS attacks, and ensure the uptime of our infrastructure.

Legal Basis: Legitimate Interest (Article 6(1)(f) GDPR) to protect the integrity of our network and digital assets.

4. Data Sharing & Third Parties

Because we utilize a highly independent tech stack, data sharing is kept to an absolute minimum. We do not sell, rent, or trade your personal data to advertising networks.

Data is only shared with:

  • Infrastructure Providers: The European data centers that host our servers, virtual machines, and self-hosted applications (under strict data processing agreements).
  • Analytics Endpoints (Google & PostHog): As described above, only scrubbed, anonymized data is forwarded to Google Ireland Limited for aggregate traffic analysis, and behavioral data is processed via PostHog Cloud (EU) under strict confidentiality.
  • Legal Authorities: If strictly required by law or a valid court order.

5. International Data Transfers

While our primary infrastructure is hosted in Europe, some data processed by Google Analytics may be transferred to servers located in the United States. These transfers are safeguarded by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data retains GDPR-equivalent protection.

6. Data Retention Policies

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy.

  • Client Communications: Form submissions and emails are retained for the duration of our professional relationship, or until you request their deletion.
  • Analytics Data: Anonymized technical and behavioral data is retained in our analytics databases for a maximum of 12 months.

7. Your Digital Rights

Under the GDPR and LOPDGDD, you possess absolute control over your personal data. You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct any inaccurate or incomplete data.
  • Erasure (Right to be Forgotten): Request the deletion of your personal data from our active systems.
  • Restriction of Processing: Temporarily halt the processing of your data.
  • Data Portability: Receive your data in a structured, commonly used, and machine-readable format.
  • Objection: Object to our processing of your data based on legitimate interests.

To exercise any of these rights, contact us directly at [email protected]. We will respond to all legitimate requests within 30 days.

If you feel your data rights have been violated, you have the right to lodge a formal complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD) via their website: www.aepd.es.