Privacy Policy
Last updated: 10 February 2026
This Privacy Policy describes how [COMPANY_NAME] OÜ ("we", "us", "Panzerotti") collects, uses, and protects personal data in connection with the Panzerotti service. It is provided in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and Regulation (EU) 2023/2854 (EU Data Act).
1. Data Controller and Data Processor Roles
Panzerotti operates in two distinct capacities:
1.1 Data Processor
When our enterprise clients ("Data Controllers") use the Panzerotti service to analyse their end-user traffic, we act as a Data Processor under Article 28 GDPR. In this role:
- We process personal data solely on behalf of and under the instructions of the Data Controller.
- The Data Controller determines the purposes and means of processing.
- Our obligations are governed by a Data Processing Agreement (DPA) executed with each client.
1.2 Data Controller
We act as a Data Controller under Article 4(7) GDPR for the following categories of data:
- Account and billing data — names, email addresses, company details, and payment information of our business clients.
- Marketing and communications data — contact information of individuals who subscribe to our newsletters, request demos, or contact us.
- Website analytics — aggregated, anonymised usage data of visitors to panzerotti.be.
2. Data We Process
2.1 As Data Processor (Client Data)
On behalf of our clients, Panzerotti processes:
| Data Category | Examples | Retention |
|---|---|---|
| Session metadata | Session IDs, timestamps, duration, page sequences | As instructed by Data Controller |
| Network identifiers | IP addresses (hashed), TLS fingerprints | As instructed by Data Controller |
| Behavioural vectors | Request velocity, endpoint diversity, interaction patterns | As instructed by Data Controller |
| Challenge/response logs | Proof-of-work challenge results, difficulty levels | As instructed by Data Controller |
Legal basis: Article 6(1)(f) GDPR — legitimate interest of the Data Controller in protecting their infrastructure from automated abuse and fraud.
2.2 As Data Controller (Our Own Data)
| Data Category | Examples | Retention | Legal Basis |
|---|---|---|---|
| Account data | Name, email, company, VAT ID | Duration of contract + 7 years (tax) | Art. 6(1)(b) — contract performance |
| Billing data | Invoices, payment records | 7 years (Hungarian/Estonian tax law) | Art. 6(1)(c) — legal obligation |
| Marketing data | Email, name, company | Until consent withdrawn | Art. 6(1)(a) — consent |
| Website visitors | Pages visited, referrer (anonymised) | 26 months | Art. 6(1)(f) — legitimate interest |
3. How We Use Data
As Data Processor, we use client data exclusively to:
- Establish and validate cryptographic session identities
- Detect and mitigate automated threats (bots, credential stuffing, API abuse)
- Generate session-level analytics and behavioural intelligence
- Provide dashboards and reports to the Data Controller
As Data Controller, we use our own data to:
- Provide and maintain the Panzerotti service
- Process billing and comply with tax obligations
- Communicate service updates and security notices
- Improve our service through aggregated, anonymised analysis
4. Data Sharing and Sub-processors {#sub-processors}
We do not sell personal data. We share data only with the following categories of recipients:
4.1 Sub-processor List
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS EMEA SARL | Cloud infrastructure, compute, storage | EU-Central-1 (Frankfurt, Germany) |
All sub-processors are bound by Data Processing Agreements that impose obligations no less protective than those in our DPA with clients.
We will notify Data Controllers at least 30 days before engaging a new sub-processor or changing an existing one, providing the Data Controller an opportunity to object.
4.2 Other Disclosures
We may disclose data where required by:
- Applicable law, regulation, or court order
- Protection of our legal rights or safety
- A merger, acquisition, or sale of assets (with prior notice to affected parties)
5. International Transfers
All data is processed and stored within the European Union (AWS EU-Central-1, Frankfurt). We do not transfer personal data outside the EU/EEA.
Should a transfer outside the EU/EEA become necessary in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Data Security
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Network isolation and firewall controls
- Access control with least-privilege principles
- Regular security assessments and penetration testing
- Incident response procedures, including notification of personal data breaches to the competent supervisory authority within 72 hours where required by Article 33 GDPR and, where we act as Data Processor, notification to the affected Data Controller without undue delay
7. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
| Right | Description | Article |
|---|---|---|
| Access | Obtain confirmation and a copy of your data | Art. 15 |
| Rectification | Correct inaccurate or incomplete data | Art. 16 |
| Erasure | Request deletion of your data | Art. 17 |
| Restriction | Restrict processing in certain circumstances | Art. 18 |
| Portability | Receive your data in a structured, machine-readable format | Art. 20 |
| Objection | Object to processing based on legitimate interest | Art. 21 |
| Withdraw consent | Withdraw consent at any time (where processing is based on consent) | Art. 7(3) |
For end-users of our clients' services: Please contact the relevant Data Controller (our client) directly, as they determine the purposes and means of processing. We will assist the Data Controller in fulfilling data subject requests in accordance with our DPA.
For our direct contacts (account holders, marketing subscribers): Contact us at privacy@panzerotti.be.
We will respond to all valid requests within one month of receipt, as required by Article 12(3) GDPR. If a request is complex or we receive a large number of requests, we may extend this period by up to two further months, in which case we will notify you of the extension and its reasons within the first month.
8. Data Portability and Switching (EU Data Act)
In accordance with Regulation (EU) 2023/2854 (EU Data Act), Chapter VI:
- Clients may export 100% of their readily available data at any time via our API or dashboard.
- Exported data is provided in structured, commonly used, and machine-readable formats (JSON, CSV).
- No exit fees or switching charges are applied for data export (Article 25).
- Clients may initiate a switching process with a maximum 2-month notice period.
- Upon contract termination, a 30-day retrieval period is provided before permanent data erasure.
9. Data Retention and Deletion
- Client data (as Data Processor): Retained as instructed by the Data Controller. Upon contract termination, data is available for retrieval for 30 days, then permanently erased.
- Account and billing data: Retained for the duration of the contract plus 7 years to comply with tax obligations.
- Marketing data: Retained until consent is withdrawn.
- Website analytics: Retained for 26 months in anonymised form.
10. Cookies and Tracking
The Panzerotti website (panzerotti.be) uses:
- Essential cookies — Required for site functionality (theme preference). No consent required.
- No third-party tracking — We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.
- No advertising cookies — We do not serve or track advertising.
The Panzerotti service (deployed on client infrastructure) uses:
- Session cookies — Cryptographic session tokens for bot detection and session validation. These are strictly necessary for the service to function and are governed by the client's own cookie policy.
11. Children's Privacy
Panzerotti is a B2B service. We do not knowingly collect or process personal data from children under the age of 16. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via:
- A notice on our website
- Email notification to account holders
The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact and Complaints
Data Protection Contact: [COMPANY_NAME] OÜ [DPO_EMAIL] [STREET_ADDRESS], [CITY], Estonia
Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For data subjects in Estonia:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) https://www.aki.ee
For Hungarian data subjects:
National Authority for Data Protection and Freedom of Information (NAIH) https://www.naih.hu
14. Legal References
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
- EU Data Act: Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023
- Hungarian E-Commerce Act: Act CVIII of 2001 on electronic commerce and information society services