Privacy Policy

The purpose of this Privacy Policy (the “Policy”) is to describe how SafeHabits s.r.o. (“SafeHabits”, “us”, “we”, “our” or the “Company”) processes personal information (“Personal Data”) that we collect, process, and store when you visit our website, interact with our marketing, or otherwise communicate with us.

This Policy outlines how SafeHabits respects individual privacy rights and maintains the trust of customers and other data subjects when you use our website. Personal Data of residents of the European Economic Area and the U.K. is protected by Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (“GDPR”).

For more information, please contact us at:

This Policy applies only to the processing of Personal Data by us in connection with the our public website, marketing communications, and direct enquiries.

It does not apply to Personal Data we process to provide our security awareness platform pursuant to an agreement with a business customer. Where SafeHabits acts as a data processor on behalf of a business customer, the processing of end-user data is governed by the applicable customer agreement and the customer's own privacy notice. End users of the platform should contact their employer or the organisation that provided them access for information about how their data is handled.

Information you provide to us may include:

• Contact details, such as your company's name, your first and last name, email address, and phone number, if you choose to provide this information.
• Communications that we exchange with you, including when you contact us with questions, feedback, or otherwise.
• Marketing information, such as your preferences for receiving communications about our services, and details about how you engage with our communications.

Where a form or field is required to respond to your enquiry or fulfil your request, this will be indicated at the point of collection. You are not legally obliged to provide Personal Data to us, but if you choose not to provide required fields we may be unable to respond to your enquiry or fulfil the requested action.

Automatic data collection. We and our service providers may automatically log information about you, your device, and your interaction with our website, such as:

• Device data, such as your operating system, browser type, IP address, unique identifiers, language settings, and general location information (city, region or country inferred from IP address).
• Usage data, such as pages or screens you viewed, how long you spent on a page, and access times.

We may collect this information using cookies and similar technologies. See the Cookies section below for further details.

Information we collect from third parties.We may obtain information about you from publicly accessible sources, such as your organisation's website, professional directories, and industry publications, as well as from advertising and marketing partners. Where we do so, we will rely on a lawful basis as described in the Processing Purposes section below, and we will provide you with this Policy at the point of first contact or within a reasonable period.

We use cookies and similar tracking technologies on our website. Tracking technologies fall into the following categories:

• Strictly necessary cookies: required for the website to function. These do not require consent.
• Analytics technologies: help us understand how visitors use our website, such as page views and session-level metrics. We currently use Vercel Web Analytics, which is designed to provide privacy-friendly analytics without third-party cookies, using anonymised, request-based measurement. Where we use any cookie-based analytics or similar non-essential tracking technologies, we will do so only where we have a lawful basis.
• Marketing and tracking cookies: used by third-party platforms (such as LinkedIn) to support advertising and retargeting. These are only set with your consent.

Where your consent is required before non-essential cookies or similar technologies are used, we will ask for it before doing so. You can withdraw your consent at any time through our cookie controls, where available, or through your browser settings for technologies stored on your device. For further assistance, contact us at info@safehabits.eu.

Operating and responding to enquiries (website and communications). We process your contact details and communications to respond to your questions and enquiries, operate our website, and notify you of relevant updates to our terms or this Policy. The legal basis is our legitimate interest in communicating effectively with prospective and existing customers, in accordance with Article 6(1)(f) GDPR. That legitimate interest is to maintain professional, responsive communications and to operate our website efficiently.

Performance of a contract. Where you enter into an agreement with us (for example, as an early access partner), we process your Personal Data as necessary to perform that contract or to take steps at your request before entering into it, in accordance with Article 6(1)(b) GDPR.

Improving and monitoring our website and communications. We analyse website usage to evaluate and improve our website and to create aggregated, de-identified statistics for planning purposes. The legal basis is our legitimate interest in understanding how our website is used and improving it for visitors, in accordance with Article 6(1)(f) GDPR.

Marketing.We may send you emails about our services if you have given us your consent to do so. The legal basis is consent in accordance with Article 6(1)(a) GDPR. We may also contact you about services where you are a previous customer or have a demonstrable professional interest in our offering; in those cases the legal basis is legitimate interests in accordance with Article 6(1)(f) GDPR, specifically our interest in marketing relevant services to organisations likely to benefit from them. You can unsubscribe from marketing communications at any time by clicking “Unsubscribe” in any email we send you, or by contacting us at info@safehabits.eu.

Compliance and legal obligations. We may process Personal Data to comply with legal obligations, enforce applicable terms, defend against legal claims, and protect the security and integrity of our website and communications. The legal basis is compliance with a legal obligation in accordance with Article 6(1)(c) GDPR, or our legitimate interests in accordance with Article 6(1)(f) GDPR where no legal obligation applies.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. If this changes, we will update this Policy and provide the additional information required by GDPR.

We retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The following retention periods are indicative:

• Contact form enquiries and direct correspondence: up to 2 years from the date of last contact, unless a longer period is required for a contractual or legal purpose.
• Marketing consent and suppression records: for as long as relevant to demonstrate consent or opt-out, and up to 3 years after last interaction.
• Website analytics data: up to 14 months in aggregated or pseudonymised form.
• Business correspondence and contract-related records: up to 7 years where required for tax, accounting, or legal purposes.

Actual retention may be longer where necessary to establish, exercise, or defend legal claims. When Personal Data is no longer needed, we will securely delete or anonymise it.

We may share your Personal Data with:

• Service providers: companies and individuals that provide services on our behalf or help us operate our business, including hosting, IT support, email delivery, marketing, and website analytics. These providers are contractually bound to process data only on our instructions.
• Professional advisors: lawyers, auditors, and insurers, where necessary in the course of professional services they render to us.
• Advertising partners: third-party advertising companies and social media platforms used to promote our services, where you have consented to relevant cookies or where we have another lawful basis.
• Authorities and others: law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate to comply with applicable laws or protect our rights and interests.
• Business transferees: acquirers and other relevant participants in business transactions involving a merger, acquisition, reorganisation, or sale of all or part of our business or assets.

In the context of operating our website and communications, we may transfer your Personal Data to service providers located in the United States or other countries outside the European Economic Area and the U.K. Please note that such jurisdictions may not provide the same level of data protection as your home country.

When we engage in cross-border data transfers, we ensure that appropriate safeguards are in place. We rely primarily on:

• EU Commission adequacy decisions: where the destination country has been found to provide an adequate level of protection; or
• Standard Contractual Clauses (SCCs): the standard contractual clauses approved by the European Commission for transfers to third countries.

You may request further information about the specific safeguards we rely on, including a copy or summary, by contacting us at info@safehabits.eu.

If we participate in a merger, acquisition, or other reorganisation, your data may be transferred as part of that transaction. We will inform you about any such transaction and explain your options.

We employ technical, organisational, and physical safeguards designed to protect the Personal Data we collect. However, no security measures are entirely failsafe and we cannot guarantee absolute security of your Personal Data.

Residents of the European Economic Area and the U.K. have the following rights under applicable data protection law, subject to conditions and exceptions:

• Right of access: you may ask us to confirm whether your Personal Data is being processed and, if so, to provide a copy along with information about how and why it is processed.
• Right to rectification: you may request that we correct inaccurate or incomplete Personal Data.
• Right to erasure: you may request deletion of your Personal Data. We will comply unless we have a legitimate legal reason to retain it.
• Right to restrict processing: you may ask us to limit how we use your Personal Data in certain circumstances.
• Right to data portability: you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format where processing is based on consent or contract.
• Right to object: you have the right to object at any time to processing of your Personal Data where we rely on legitimate interests as the legal basis. You also have an unconditional right to object to processing for direct marketing purposes.
• Right to withdraw consent: where we rely on your consent as the legal basis for processing (for example, for marketing emails or non-essential cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

You can exercise any of the above rights free of charge by emailing info@safehabits.eu. We may require verification of your identity before processing your request.

If you believe that our processing of your Personal Data is not in accordance with applicable data protection law, you have the right to lodge a complaint with a supervisory authority. You may do so with the supervisory authority in the country of your habitual residence, your place of work, or the place of the alleged infringement, including in an EU Member State or the United Kingdom, as applicable.

In the Czech Republic, the competent supervisory authority is the Úřad pro ochranu osobních údajů (ÚOOÚ), reachable at www.uoou.cz.

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the date at the top of this Policy and posting it on our website.

If you have any questions, please contact us at: