1. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email address | Registration, authentication |
| Usage | Pages visited, features used, timestamps | Service improvement, analytics |
| Technical | IP address, browser type, cookies, session IDs | Security, session management |
| Communications | Support messages | Customer support |
| Billing | Subscription plan, payment status | Billing management (card data goes directly to payment provider — we never store it) |

We do not collect special categories of data (health, race, political views, biometrics).
2. Legal Basis for Processing
EU / EEA (GDPR — Regulation 2016/679)
| Processing activity | Legal basis (Art. 6 GDPR) |
|---|---|
| Account creation and service delivery | Performance of a contract (Art. 6(1)(b)) |
| Service-related notifications | Legitimate interests (Art. 6(1)(f)) |
| Analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |

United States — California (CCPA / CPRA)

We do not sell or share your personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes beyond those listed above. See Section 7 for your California rights.
3. How We Use Your Data
- Provide, maintain, and improve the Ownlate service.
- Authenticate users and manage sessions.
- Send transactional notifications (invitations, billing alerts, security alerts).
- Respond to support requests.
- Comply with legal obligations (tax, accounting, law enforcement requests with valid legal basis).
- Detect and prevent fraud or abuse.

We do not use your data for automated decision-making or profiling that produces legal effects.
4. Data Sharing
We share data only in the following circumstances:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Cloud infrastructure provider | Hosting, storage | Data Processing Agreement (DPA) |
| Transactional email provider | Sending notifications | DPA |
| Payment processor | Subscription billing | PCI DSS compliant; we share only plan/status metadata |
| Analytics provider | Aggregate usage analytics | Anonymised or pseudonymised data only |
| Law enforcement / courts | Legal obligation | Only upon valid legal request |

We do not sell personal data to data brokers or advertising networks.
5. International Data Transfers
Transfers of your data outside the EEA are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- Transfer to a country with an adequacy decision.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Billing / transaction records | 5 years (tax law requirement) |
| Support correspondence | 3 years |
| Server / security logs | 90 days |
| Backups | 30 days rolling |

After the retention period, data is securely deleted or irreversibly anonymised.
7. Your Rights — EU / EEA (GDPR)
If you are in the EU/EEA you have the right to:
- Access — obtain a copy of your personal data (Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure ("right to be forgotten") — request deletion of your data (Art. 17).
- Restriction — restrict processing in certain circumstances (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Object — object to processing based on legitimate interests (Art. 21).
- Withdraw consent — withdraw consent at any time without affecting prior processing.
- Lodge a complaint with your local supervisory authority (e.g. your national DPA).

To exercise any right, email [privacy@globalart.dev]. We will respond within 30 days.
8. California Residents — CCPA / CPRA
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete your personal information, subject to certain exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of your personal information (we do not sell data).
- Limit use of sensitive personal information.
- Non-discrimination — we will not discriminate against you for exercising these rights.

Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.

To submit a request, email [privacy@ownlate.com] with subject line "California Privacy Request". We will respond within 45 days (extendable by another 45 days with notice).

CCPA categories of personal information we collect: Identifiers (A), Commercial information (B), Internet / network activity (F), Geolocation (G — city level only).
9. Cookies
| Type | Purpose | Can be disabled |
|---|---|---|
| Strictly necessary | Authentication, session management | No — service won't work without them |
| Functional | User preferences (language, theme) | Yes |
| Analytics | Aggregate usage statistics | Yes (via cookie banner) |

You can manage cookie preferences via Settings → Privacy in your account or through your browser settings.
10. Children's Privacy
Ownlate is not directed to children under 16 (or under 13 in the US). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [privacy@ownlate.com] and we will delete it promptly.
11. Security
We implement appropriate technical and organisational measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls.
- Regular security assessments.
- Incident response procedures.

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours where required by law.
12. Changes to This Policy
We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The current version is always available at https://ownlate.com/page/privacy-policy.
13. Contact
Privacy enquiries: [privacy@globalart.dev]
Mailing address: Serbia, Višnjička 30, Beograd
EU Representative (Art. 27 GDPR): [EU Representative name and address, if applicable]