Privacy Policy
Last updated: 29 April 2026
This is a convenience translation. The legally binding version is available in Portuguese at elgarde.eu/pt/privacy.
1. Data controller
HOLY CHAOS, UNIPESSOAL LDA (trading as Elgarde)
NIPC: 519403908 · VAT: PT519403908
Email: hello@elgarde.eu
2. Data Protection Officer
For all data protection inquiries, data subject access requests, or to exercise any of your rights under the GDPR, contact our Data Protection Officer:
3. Categories of personal data
We process the following categories of personal data depending on how you interact with the platform:
Website visitors
IP address (for rate limiting and security, anonymised after 30 days), browser type and version, pages visited, language preference. Collected via server logs and strictly necessary cookies.
Free scan users
Email address (if provided for receiving results), scanned domain name, scan results and compliance grade. No account registration is required for free scans.
Paying customers
Name, email address, company name, billing address, purchase history, generated compliance reports. Payment card details are processed exclusively by Stripe and are never stored on our servers.
Business contacts (outreach)
Name, professional email address, job title, company name, domain name. Sourced exclusively from publicly available business registries, company websites, and professional directories. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). A balancing test is documented internally. These individuals may object to processing at any time.
4. Purpose and legal basis
| Purpose | Data processed | Legal basis |
|---|---|---|
| Delivering free compliance scans | Domain, email (optional), scan results | Consent (Art. 6(1)(a)) or contract performance (Art. 6(1)(b)) |
| Delivering paid reports | Name, email, company, billing data, reports | Contract performance (Art. 6(1)(b)) |
| Account management and authentication | Email, session tokens | Contract performance (Art. 6(1)(b)) |
| B2B outreach to companies with compliance issues | Professional contact details, domain, compliance findings | Legitimate interest (Art. 6(1)(f)) |
| Platform security, fraud prevention, abuse detection | IP address, request logs, rate-limiting data | Legitimate interest (Art. 6(1)(f)) |
5. Data retention
| Data category | Retention period |
|---|---|
| Scan results (raw) | 90 days |
| Scan results (aggregate metrics) | Indefinite (anonymised) |
| Business contact data (outreach) | Until opt-out, maximum 24 months without re-validation |
| Outreach correspondence | 24 months |
| Customer data (paying clients) | Duration of contract + 7 years (Portuguese invoicing obligation) |
6. Recipients and processors
We share personal data with the following processors, all of which operate under data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (servers, database) | Germany, EU |
| Brevo (Sendinblue) | Transactional and marketing email delivery | France, EU |
| Stripe, Inc. | Payment processing | EU + US (EU-US Data Privacy Framework) |
7. International data transfers
Your data is primarily stored and processed within the European Union (Hetzner, Germany). Where data is transferred to processors outside the EU (Stripe), transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by the EU-US Data Privacy Framework adequacy decision where applicable. No data is transferred to countries without adequate safeguards.
8. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access – obtain a copy of the data we hold about you
- Right to rectification – correct inaccurate or incomplete data
- Right to erasure – request deletion of your data
- Right to restriction – limit how we process your data
- Right to data portability – receive your data in a machine-readable format
- Right to object – object to processing based on legitimate interest, including direct marketing
To exercise any of these rights, email dpo@elgarde.eu. We respond within 30 days.
You also have the right to lodge a complaint with the Portuguese supervisory authority: CNPD – Comissao Nacional de Protecao de Dados (www.cnpd.pt).
9. Automated decision-making
Our scan engine performs automated analysis of websites for compliance violations. This analysis is informational and does not produce legal effects concerning individuals. No automated decisions are made about data subjects based on profiling. Compliance reports are advisory tools for businesses, not binding legal determinations.
10. Cookies
We use cookies and similar technologies on our website. Below is an overview of the cookies we set:
Strictly necessary cookies
Session cookies for authentication, language preference (lang cookie, 1 year), cookie consent preference (cookie_consent, 1 year), CSRF protection. These cookies are essential for the website to function and cannot be disabled.
Analytics
We do not currently use third-party analytics cookies. If analytics are introduced in the future, they will require explicit consent before activation.
Third-party cookies
Stripe may set cookies during the checkout process for payment security and fraud prevention. These are strictly functional and are governed by Stripe's privacy policy.
You can manage cookie preferences through the cookie settings widget on our website, or by configuring your browser to reject cookies. Disabling strictly necessary cookies may impair website functionality.
11. Changes to this policy
We may update this privacy policy to reflect changes in our practices or applicable law. Material changes will be communicated to paying customers via email. The date of the last update is shown at the top of this page.