Draft. Spots marked [FILL IN: …] still require verification. Not yet reviewed by a Slovak data-protection lawyer.
Privacy Policy
Last updated: 2026-05-08
Status: Draft — generated 2026-05-08 during the Phase 1 website audit. Structured to match the closest Slovak peer privacy policies (Brain:IT, Cassovia Code, GoodRequest). NOT lawyer-reviewed — a 1-hour review by a Slovak DP lawyer (~€200–400) is recommended before publishing, to catch SK-specific gaps.
Spots marked [FILL IN: …] need David's input or verification — find with Cmd+F.
1. Introduction
This Privacy Policy explains how GrownApps s.r.o. processes personal data when you visit our website, fill out our contact or booking forms, communicate with us by email or phone, or otherwise engage with our services.
We act as the data controller under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Act No. 18/2018 Coll. on Personal Data Protection of the Slovak Republic ("Slovak DP Act").
2. Who we are
GrownApps s.r.o.
Tajovského 2, 040 01 Košice, Slovak Republic
Company ID (IČO): 44028172
Tax ID (DIČ): 2022613384
VAT ID (IČ DPH): SK2022613384
Registered in the Commercial Register of the [FILL IN: District Court Košice I, Section Sro, Insert No. XXXX/V]
Privacy contact: privacy@grownapps.io
We have not appointed a Data Protection Officer because we are not legally required to under Article 37 GDPR. You can reach us about any privacy matter at the email above.
3. Personal data we collect
3.1 Data you provide directly
When you contact us, fill out a form, book a call, or engage our services:
- Name and surname
- Email address
- Phone number (if you provide it)
- Company name and role (if you provide it)
- Project details and message content
- Any other personal data you choose to share
When you become a client, we additionally collect billing details, contractual identifiers, and the data needed to deliver the engagement.
3.2 Data we collect automatically
When you visit grownapps.io:
- IP address (anonymized for analytics)
- Browser type and version
- Operating system
- Device type and screen resolution
- Pages visited, time on page, click paths
- Referring website
- Cookies and similar technologies (see our Cookie Policy)
3.3 Data we receive from third parties
For business development, we may collect publicly available professional information about people at companies that match our ideal client profile. This includes:
- Public LinkedIn profiles (name, role, company, public posts)
- Public company directories (Crunchbase, Clutch, conference attendee lists)
- Referrals from existing clients or partners
We process this data on the basis of legitimate interest (Art. 6(1)(f) GDPR) for B2B outreach. You can object to this processing at any time by emailing privacy@grownapps.io.
4. Purposes of processing and legal basis
We process personal data for the following purposes:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Responding to your inquiries and booking requests | Pre-contractual measures, Art. 6(1)(b) |
| Delivering services under a client contract | Contract performance, Art. 6(1)(b) |
| Sending marketing communications to existing clients about related services | Legitimate interest, Art. 6(1)(f). You can opt out at any time. |
| Sending marketing communications to people who are not yet clients | Consent, Art. 6(1)(a) |
| B2B outreach to identifiable decision-makers at target companies | Legitimate interest, Art. 6(1)(f) |
| Operating and securing our website (analytics, fraud prevention) | Legitimate interest, Art. 6(1)(f); Consent for non-essential cookies |
| Complying with accounting, tax, and other legal obligations | Legal obligation, Art. 6(1)(c) |
| Defending or enforcing legal claims | Legitimate interest, Art. 6(1)(f) |
5. How long we keep your data
| Type of data | Retention period |
|---|---|
| Inquiry or booking form data with no contract following | 12 months from last contact |
| Client records (after the contract ends) | 10 years (Act No. 431/2002 Coll. on Accounting) |
| Tax and invoicing records | 10 years (Act No. 595/2003 Coll.) |
| Marketing consent records | Until consent is withdrawn, then 3 years for evidence |
| Website analytics (pseudonymous) | 14 months (Google Analytics 4 default) |
| Server logs | 90 days |
| Email correspondence | Up to 5 years from last contact |
After these periods, data is deleted or anonymized.
6. Who we share your data with
We do not sell personal data.
6.1 Sub-processors (technical service providers)
We share personal data with the following categories of sub-processors. Each has a Data Processing Agreement in place under Article 28 GDPR:
- Website hosting: [FILL IN: e.g., Vercel Inc., Cloudflare, AWS — confirm actual provider]
- Email and document services: Google LLC (Google Workspace)
- Website analytics: Google LLC (Google Analytics 4, with IP anonymization)
- Booking and scheduling: [FILL IN: e.g., Calendly LLC, Cal.com — if used]
- Email marketing: [FILL IN: e.g., MailerLite, Mailchimp, ConvertKit — if used]
- CRM: [FILL IN: e.g., HubSpot, Pipedrive, Attio — confirm actual]
- Form processing: [FILL IN: e.g., Tally, Typeform — if separate from the website]
- Professional networks: LinkedIn Ireland Unlimited Company (when you interact with our LinkedIn page or our LinkedIn Insight Tag)
We update this list when sub-processors change. Material changes are reflected in the "Last updated" date.
6.2 Legal recipients
We may disclose personal data when legally required:
- Slovak tax authority (Finančná správa SR)
- Courts and law enforcement (only when legally compelled)
- Insurance companies (in connection with liability claims)
- Lawyers, auditors, accountants (bound by professional confidentiality)
6.3 International transfers
Most of our sub-processors are located in the European Economic Area (EEA). Some (notably Google and LinkedIn) may transfer data to the United States. These transfers are protected by:
- The EU–US Data Privacy Framework, where the recipient is certified
- Standard Contractual Clauses approved by the European Commission, where applicable
- Supplementary technical and organizational measures (encryption in transit and at rest)
You can request a copy of the safeguards by emailing privacy@grownapps.io.
7. Your rights
Under GDPR and the Slovak DP Act, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data, also known as the right to be forgotten (Art. 17)
- Restrict processing while we resolve a dispute (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interest, including direct marketing (Art. 21). On request, we will stop processing in all marketing cases.
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)). Withdrawal does not affect processing that already happened.
- Not be subject to automated decision-making that produces legal effects (Art. 22). We do not engage in automated decision-making or profiling that produces legal effects.
To exercise any of these rights, email privacy@grownapps.io. We respond within 30 days. We may ask you to verify your identity before acting on the request.
8. Right to file a complaint
If you believe we have processed your personal data unlawfully, you can file a complaint with:
Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Phone: +421 2 3231 3214
Email: statny.dozor@pdp.gov.sk
Web: dataprotection.gov.sk
You can also file a complaint with the data protection authority in your country of residence.
9. Cookies
Our website uses cookies and similar technologies. See our Cookie Policy for full details on what cookies we use, how to manage them, and how to opt out.
10. Children
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact privacy@grownapps.io and we will delete it.
11. Security
We protect personal data using technical and organizational measures appropriate to the risk:
- TLS/SSL encryption for data in transit
- Encrypted storage where supported by sub-processors
- Role-based access controls and multi-factor authentication
- Sub-processor due diligence and Data Processing Agreements
- Regular review of our security practices
No system is fully secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Slovak DPA within 72 hours of becoming aware (Art. 33 GDPR) and notify affected individuals where Article 34 GDPR requires it.
12. Changes to this Privacy Policy
We may update this Privacy Policy as our services or applicable law change. The "Last updated" date at the top reflects the most recent version. We will notify you of material changes through the website or, for clients, by email.
13. Contact
For privacy questions, subject access requests, or to exercise your rights:
For general company contact:
GrownApps s.r.o.
Tajovského 2, 040 01 Košice, Slovak Republic
IČO: 44028172