Privacy Policy

Data Controller: Algroton (operated by Mohamed Safnas, Founder). Contact for all data protection matters: privacy@algroton.com.

Data Protection Officer enquiries: dpo@algroton.com. Postal correspondence: available on written request.

Contact and enquiry data: full name, business email address, company name, job title, telephone number (if provided), and the content of your message submitted via our contact form.

Newsletter subscription data: email address submitted voluntarily via the newsletter form.

Technical and usage data: IP address, browser type and version, operating system, pages visited, time spent on pages, and referring URL — collected automatically through analytics tooling.

Communication data: records of correspondence when you contact us by email or through the website.

We do not process special categories of personal data (Article 9 GDPR), financial data, or payment information through this website.

Contact form submissions — Article 6(1)(b): processing is necessary to take steps prior to entering into a contract, and Article 6(1)(f): our legitimate interest in responding to business enquiries.

Newsletter subscriptions — Article 6(1)(a): your explicit consent at the point of subscription. You may withdraw consent at any time by contacting privacy@algroton.com or using the unsubscribe link in any email.

Website analytics — Article 6(1)(f): our legitimate interest in understanding how our website is used and improving our services. We have conducted a legitimate interests assessment and determined that your interests and rights do not override this interest, given that data is processed in aggregate and anonymised form.

Legal obligations — Article 6(1)(c): processing required to comply with applicable law.

Vercel Inc. (USA) — website hosting and serverless compute. Data transferred under EU Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. Privacy details: vercel.com/legal/privacy-policy.

Resend Inc. (USA) — transactional email delivery for contact form notifications. Data transferred under SCCs. Privacy details: resend.com/privacy.

Google LLC (USA) — website analytics via Google Analytics 4. Data transferred under SCCs with additional safeguards including IP anonymisation. Privacy details: policies.google.com/privacy.

Upstash Inc. (USA) — Redis-based rate limiting for API endpoints (IP address only, not retained beyond the rate-limit window). Data transferred under SCCs.

We do not sell, rent, or share your personal data with any other third parties for marketing, advertising, or commercial purposes.

All sub-processors listed above are located in the United States. Each transfer is made under EU Standard Contractual Clauses (Commission Decision 2021/914) as the transfer mechanism under Article 46 GDPR.

In addition to SCCs, we review sub-processors for supplementary measures in accordance with the EDPB Recommendations 01/2020 on measures that supplement transfer tools.

A copy of the applicable SCCs or transfer impact assessments is available on written request to privacy@algroton.com.

Contact form data: retained for 24 months from the date of submission, or until the enquiry is resolved and no further business relationship exists, whichever is later.

Newsletter subscription data: retained until you unsubscribe or withdraw consent, and for 30 days thereafter for suppression-list purposes.

Website analytics data: retained in accordance with Google Analytics default retention settings (14 months for user-level data; aggregate data is retained indefinitely).

Rate-limiting data (IP address): retained only within the active rate-limit window (60 seconds). Not stored beyond that window.

Email correspondence: retained for 36 months from the date of last communication.

At the end of each retention period, data is securely deleted or irreversibly anonymised.

Right of access (Art. 15): request a copy of the personal data we hold about you.

Right to rectification (Art. 16): request correction of inaccurate or incomplete data.

Right to erasure (Art. 17): request deletion of your data where there is no lawful basis to continue processing.

Right to restriction (Art. 18): request that we limit processing in certain circumstances.

Right to data portability (Art. 20): receive your data in a structured, machine-readable format.

Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email privacy@algroton.com. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority (for EU residents: your national DPA; for UK residents: the ICO at ico.org.uk).

We implement appropriate technical and organisational measures under Article 32 GDPR, including: TLS 1.2+ encryption in transit, AES-256 encryption at rest, access controls with multi-factor authentication, and regular security reviews.

All data transmitted through our website is encrypted. Internal access to personal data is restricted to personnel who require it to perform their duties.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under Article 33 GDPR.

Where a breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay under Article 34 GDPR.

We may update this policy from time to time. Material changes will be notified via a prominent notice on this page with an updated 'Last Updated' date. Continued use of our website after changes constitutes acceptance of the revised policy.

Last Updated: May 2026.