Privacy & Security

Privacy Policy & Security

We take your privacy seriously. Here's how we protect your data and respect your rights under GDPR.

Last updated: September 4, 2025

Who We Are (Controller)

The data controller is Crafting Chaos, a Malta-based site operator. We will update this section with our registered company details once incorporation is complete. For all privacy enquiries, contact privacy@craftingchaos.co.

Data Collection & Use

We collect and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable laws. We collect:

Contact Information

Name and email address (and optionally company and role) when you request early access or contact us via our website form.

Usage Data

Interactions with our website (e.g., pages visited, buttons clicked) to improve functionality and user experience.

Technical Data

IP address, browser, and device information for security and performance monitoring.

We use Contact Information to respond to your enquiries, assess interest in our products, provide updates on new releases, and—if you ask us to—arrange calls. Usage and Technical Data help us maintain, secure, and optimize our services. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

Legal Basis for Processing

Consent

When you expressly agree (via a separate, unticked checkbox) to receive product updates and marketing emails.

Legitimate Interests

To operate, secure, and improve our services in ways that are expected and do not override your rights and freedoms.

Legal Obligation

To comply with applicable laws (e.g., record-keeping or responding to lawful requests).

Marketing Consent

We send product updates and marketing emails only with your explicit consent, collected via a separate unticked checkbox on our forms. We keep a record of consent (timestamp, IP, and form version/text). You can withdraw consent at any time via the unsubscribe link in any marketing email or by contacting us. If you unsubscribe, we will suppress your address from marketing within 48 hours.

Data Security

Encryption

Personal data is protected in transit (TLS) and at rest where supported by our providers.

Access Controls

Role-based access and multi-factor authentication so only authorized personnel can access data on a need-to-know basis.

Hosting Location

Our core processors are located in the EU: Xano (current region: Paris, France) and Brevo (EU-hosted).

Regular Assessments

Periodic security reviews and vulnerability remediation.

Encryption: Personal data is protected in transit (TLS) and at rest where supported by our providers.

Access Controls: Role-based access and multi-factor authentication so only authorized personnel can access data on a need-to-know basis.

Hosting Location: Our core processors are located in the EU: Xano (current region: Paris, France) and Brevo (EU-hosted). See “International Transfers”.

Regular Assessments: Periodic security reviews and vulnerability remediation.

Data Sharing

We do not sell, trade, or rent your personal data. We share data only as follows:

Service Providers: Trusted processors that help us operate our services:
- Backend/API: Xano, hosted in the European Union (current region: Paris, France). See their GDPR resources: Xano Security Center, Xano GDPR FAQ.
- Email delivery: Brevo, with data hosting in the European Union. See their GDPR resources: Brevo Terms (Annex: DPA), Brevo GDPR Overview.
Legal Requirements: To comply with a legal obligation or lawful request.
Business Transfers: If we undergo a reorganization, merger, or acquisition; we will provide notice and ensure your data remains protected.

Your Rights Under GDPR

You can exercise these rights at any time (see “Contact” below). We respond without undue delay and, in any case, within one month of receipt. Where requests are complex or numerous, we may extend by up to two further months, and we will notify you within the first month.

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion where there is no compelling reason for continued processing.

Right to Restrict Processing

Ask us to pause processing in certain circumstances.

Right to Object

Object when our basis is legitimate interests.

Right to Data Portability

Receive your data in a common, machine-readable format.

Withdraw Consent

Where we rely on consent (e.g., marketing emails), you may withdraw at any time via the unsubscribe link in any message or by contacting us. We will suppress your email from marketing within 48 hours.

Data Retention

We retain personal data only as long as necessary. Contact and enquiry data is retained for up to 2 years from your last interaction with us, unless you request deletion sooner. This retention period allows us to evaluate ongoing interest in our products and follow up appropriately, while ensuring we do not keep data longer than needed. If you become a customer, we may retain relevant data for the duration of the relationship and for periods required by law. Technical logs and analytics are kept for shorter periods and are anonymized or deleted when no longer needed.

Cookies & Tracking

Our website uses cookies and similar technologies. Non-essential cookies (e.g., analytics) are used only with your consent, which you can manage via our cookie banner. We set one essential cookie to remember your analytics preference so that we respect your choice on future visits.

Cookie	Purpose	Type	Duration
`lr_cookie_consent`	Stores whether you consented to analytics (true/false) and a timestamp. Does not track you across sites.	Essential (strictly necessary)	6 months

If you consent, we load analytics only after your choice and implement IP truncation/pseudonymisation where available. You can change your preference at any time via the cookie banner (reopen from the site footer) or by clearing cookies in your browser; some features may be affected if cookies are disabled.

International Transfers

We primarily store and process personal data within the European Union/European Economic Area (EU/EEA). If a transfer outside the EEA is necessary (for example, due to a provider’s sub-processor or specific technical routing), we implement GDPR-required safeguards, such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs). You can request details of these safeguards by contacting us.

Contact & Privacy Lead

For questions, concerns, or requests regarding your personal data, please contact us.

Email

privacy@craftingchaos.co

Privacy Lead

Designated privacy contact (no formal DPO appointed). Reachable via the email above.

Response Time

We respond to data-subject requests without undue delay and within one month of receipt, per GDPR Art. 12.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Authority: Information and Data Protection Commissioner (IDPC), Malta
Website: https://idpc.org.mt/
Telephone: +356 2328 7100

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant updates, we will notify you by email or by posting a notice on our website.

Questions About Your Privacy?

We're committed to transparency and protecting your data. If you have any questions about this policy or how we handle your information, don't hesitate to reach out.

Contact Privacy Team