Privacy Policy
Last updated: February 3, 2026
1. Introduction
This Privacy Policy explains how Artatol ("we", "us", or "our") collects, uses, and protects your personal information when you use the Artatol Account service, which serves as the central identity and access management platform for all Artatol services.
2. Information We Collect
We collect information that you provide directly to us:
- Account information: Email address, username, password (encrypted), name
- Organization information: Organization name, members, roles (owner, admin, member, viewer)
- Authentication data: Two-factor authentication settings, session tokens, API keys
- Service access data: Which Artatol services you have enabled (ArtaMail, ArtaConsent, etc.)
- Subscription information: Service tier (free, starter, growth, business), usage limits
- Usage tracking: Service usage statistics (emails sent, consent records, etc.)
- Technical data: IP addresses, browser type, device information, session data
- Payment and billing information (when using paid services):
  - Billing address and contact details
  - Company information and VAT/Tax ID for invoicing
  - Payment method information (processed by our payment provider)
  - Purchase history and invoices
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our account management and authentication services
- Enable access to Artatol services (ArtaMail, ArtaConsent, etc.)
- Manage organization memberships and access control
- Process API key authentication and service access requests
- Track service usage and enforce tier limits
- Process payments and generate invoices for paid services
- Send important service notifications and account updates
- Provide customer support and respond to inquiries
- Detect, prevent, and address security issues, fraud, and abuse
- Comply with legal obligations and enforce our terms of service
4. Data Storage and Security
We store your data on secure servers located in the European Union and implement appropriate technical and organizational measures to protect your personal information:
- Database storage: PostgreSQL hosted on OVH Frankfurt, Germany (Kubernetes)
- Encryption: All passwords use bcrypt hashing, TLS 1.3 for data in transit, AES-256 for data at rest
- Access control: Row-level security (RLS) on database level
- API keys: Stored encrypted and never exposed in plaintext
- Monitoring: Regular security audits and monitoring
5. Data Sharing
We do not sell your personal information. We may share your information with:
- Artatol services: Your account data is shared with other Artatol services you have enabled (ArtaMail, ArtaConsent, ArtaDNS) to provide integrated functionality
- Service providers: OVH (database hosting), Cloudflare (security and performance), payment processors
- Legal authorities: When required by law or to protect our rights
- Organization members: Account administrators can view member information within their organization
Note: All application traffic is routed through Cloudflare's reverse proxy for DDoS protection, WAF security, and performance optimization. Cloudflare processes request metadata (IP addresses, User-Agent, cookies) as part of this service.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide services:
- Account data: Retained while account is active
- Usage logs: Retained for up to 90 days
- Payment records: Retained for 7 years for tax and legal compliance
- Deleted accounts: Data is anonymized or permanently deleted within 30 days after account deletion
You can request deletion of your data at any time by contacting us at [email protected].
7. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Object to or restrict processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Withdrawal: Withdraw consent at any time
- Objection: Object to automated decision-making and profiling
- Complaint: Lodge a complaint with your local data protection authority
To exercise these rights, please contact us at [email protected].
8. Cookies and Tracking
We use the following cookies to operate our service:
- Essential cookies:
  - artatol_refresh_token - Authentication session (httpOnly, secure, 30 days)
  - account_id - Current organization ID
- Preference cookies:
  - locale - Language preference
  - theme - Dark/light mode preference
Essential cookies are required for the service to function and cannot be disabled. You can manage preference cookies through your browser settings.
9. International Data Transfers
Your data is primarily stored and processed in the European Union (AWS eu-west-1). If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
10. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will provide prominent notice or obtain consent where required by law.
12. Contact Us
If you have any questions about this Privacy Policy or want to exercise your data protection rights, please contact our Data Protection Officer: