Privacy
Policy

We only process personal data that is adequate, relevant and limited to what is necessary: • Identification and billing data: name, surname, job title, company IDs (where applicable), VAT details and bank details. • Contact data: email address, phone number, delivery address and links to professional social profiles (e.g. LinkedIn). • Digital footprint and network identifiers: IP address, device/browser data, language preferences and on-site behaviour (e.g. heatmaps, click tracking) collected via cookies. • Communication logs: meeting notes, enquiry forms, email threads and feedback recorded in project tools.

Processing is always based on a lawful ground under Art. 6(1) GDPR: • Contract (lit. b): delivering web projects, campaigns, infrastructure and invoicing. • Legal obligation (lit. c): retaining accounting and tax records as required by law. • Legitimate interests (lit. f): IT security (e.g. mitigating abuse), protecting legal claims and limited B2B marketing to existing clients. • Consent (lit. a): remarketing/analytics cookies (e.g. via Consent Mode) and commercial newsletters where opted in.

We apply data minimisation in retention. Data is deleted when the purpose ends: • Contracts and invoices: up to 10 years from the end of the fiscal year in which the contract ended (as required by law). • Enquiries and non-project leads: up to 2 years from the last active contact. • Consent-based marketing: until withdrawal of consent, up to a maximum of 3 years. • Server and security logs: 6 months.

We do not sell personal data. We use vetted processors under Data Processing Agreements (DPAs), including: • Hosting providers (e.g. Vercel, AWS, Google Cloud). • Marketing and analytics tools (e.g. Google, Meta, Hotjar). • Confidential advisers (e.g. accounting and legal firms). If data is transferred outside the EEA, we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission or the EU–US Data Privacy Framework, where applicable.

Under Articles 15–22 GDPR you may: • Access your data and request a copy. • Rectify inaccurate data. • Request erasure where processing is no longer necessary. • Restrict processing and, in certain cases, request portability to another provider. • Object to processing based on legitimate interests or profiling. You may exercise your rights by emailing legal@emtstudio.com. You may also lodge a complaint with your local supervisory authority (in Slovakia: ÚOOÚ — dataprotection.gov.sk).