PRIVACY AND DATA PROCESSING POLICY

REGULATION 1.0

1. DATA SUBJECT AND CONTROLLERThis Protocol establishes the procedure and principles for the processing of Personal Data (PD) by the Operator and serves to ensure data transparency and integrity within the provided Performance Services.DATA CONTROLLER:Name: Iryna Shcheholska (Performance Marketer), Individual Entrepreneur.Registration Authority: LEPL National Agency of Public Registry (Georgia).Registration Number: B25173175, 10 Dec 2025.Core Activities: Performance Marketing, SEO, Web Analytics.Jurisdiction: This Regulation applies to Data Subjects in Georgia, Ukraine, EU/EEA, and the USA.Sanctions Compliance: Services are not provided, and data processing is not conducted for residents of sanctioned countries, state sponsors of terrorism, or high-risk jurisdictions for money laundering (as defined by FATF, OFAC, and EU sanction directives). Any data inadvertently received from these jurisdictions (e.g., via automated forms) will be deleted immediately without processing or storage.
2. LEGAL BASIS AND PRINCIPLES (GDPR & CCPA)Processing Philosophy: Marketing is Math. Data processing is an engineering requirement for building effective acquisition systems.Key Principles:Integrity and Minimization: I collect only the data vital for lead qualification and end-to-end analytics, excluding any redundant or non-target information.Performance of Contract: The legal basis for processing is the "Execution of a Contract" (or pre-contractual measures) for service provision.Consent Mode v2: For AI-driven data processing (e.g., GA4 attribution and ROMI calculations), I rely on Explicit Consent transmitted via Consent Mode v2 signals.No Data Selling Guarantee: I am not a data broker. I guarantee that your Personal Data will never be sold, rented, or shared with third parties for commercial gain. Data exchange occurs exclusively with technical Sub-processors (Google, Meta, CRM) solely to fulfill your marketing objectives.
3. DATA CATEGORIES AND RETENTIONI process two primary data sets critical for performance systems:A. Contact DataComposition: Name, Email, Phone Number, and Project/Website URL.Purpose: Communication, project qualification, and proposal preparation.Retention: Until account deletion or for 3 years following contract termination (for tax reporting and legal defense).B. Technical and Analytical DataComposition: IP address, GCLID (Google Click ID), Client ID (GA4), Cookies, and Device Information (User-Agent).Purpose: Building end-to-end analytics (GA4, sGTM), precise ROAS calculation, and ensuring Consent Mode v2 functionality.Retention: No more than 18 months for analytical data, aligned with standard Google/Meta policies and GDPR/CCPA norms.
4. PROCESSING OF MINORS' DATAThe Operator does not provide services to minors and does not knowingly collect, process, or store data from children under 16 (GDPR Art. 8) or under 13 (COPPA). Services are intended exclusively for adults (business owners, marketing professionals). Any inadvertently collected data from minors will be immediately deleted upon discovery.
5. COOKIE POLICYI use cookies and similar technologies (e.g., Pixels, CAPI) for high-precision web analytics, adhering to the ePrivacy Directive and CCPA/CPRA.Cookie Categories:Essential: For basic website functionality. These do not require consent.Analytics: For tracking behavior (Client ID) and measuring ROAS.Marketing: For retargeting (CAPI). Used only with explicit Consent.Management: Consent is managed via a Consent Management Platform (CMP). You may opt out of non-essential cookies at any time via the website banner or email request. We respect "Do Not Track" (DNT) signals. For CCPA compliance, we provide a "Do Not Sell My Personal Information" link in the footer.
6. DATA SUBJECT RIGHTSIn accordance with GDPR and CCPA/CPRA, the Data Subject has full control over their digital asset:Right of Access: Request confirmation of processing and a copy of your data.Right to Rectification: Demand corrections to inaccurate data.Right to Erasure: Demand deletion of PD when it is no longer required.Right to Object: Object to processing for marketing purposes.Right to Portability: Receive your PD in a machine-readable format.Right to Opt-out (CCPA): Prohibit the "sale" or transfer of personal information.To exercise these rights, please submit a written request to the Operator's email. Requests are processed within 15 business days.
7. SECURITY AND CROSS-BORDER TRANSFERTechnological Protection: I apply an engineering approach to security. Server-Side GTM is used to minimize direct exposure of client data. All data is transmitted via SSL/TLS encrypted protocols.Cross-Border Transfer: Data processing may involve providers (Google, Meta) with data centers outside your jurisdiction. I ensure legality through Standard Contractual Clauses (SCCs) approved by the European Commission.
8. SUB-PROCESSORSIn accordance with GDPR (Art. 28), I use sub-processors only under a valid Data Processing Agreement (DPA):Google LLC: Analytics, Ads, GTM (Data infrastructure).Meta Platforms, Inc.: Advertising attribution (CAPI).HubSpot, Inc.: Lead synchronization (CRM).
9. DATA BREACH NOTIFICATIONPer GDPR (Art. 33–34), in the event of a security breach:DPA Notification: Within 72 hours if a risk is identified.Subject Notification: Without undue delay if the breach poses a high risk to individual rights.
10. CONTACT INFORMATIONOperator: Iryna Shcheholska Email: moc.liamg%40ecnamrofrep.anyri Location: 6000, Georgia, Batumi City, Zhiuli Shartava Avenue, N 7