Privacy Policy
Last updated: November 26, 2024
This Privacy Policy explains how Brixon Group Ltd ("we," "us," or "vavolta") collects, uses, and protects your personal data when you use our lead magnet tracking platform.
1. Who We Are
vavolta is a service provided by:
Brixon Group Ltd
Level 4, Centris Business Gateway
Triq Is-Salib Ta' L-Imriehel
Birkirkara CBD 3020
Malta
Email: info@brixongroup.com
EU VAT ID: MT31620102
Company Registration: C 110890
We are the data controller for the personal data we collect about our customers (users of our platform). When our customers use vavolta to collect and process data about their own contacts (recipients), they act as data controllers and we act as a data processor on their behalf.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address - for account identification and communication
- Password - stored securely using industry-standard hashing
- Company name - optional, for personalization and billing
- Team information - if you create or join a team
2.2 Payment Data
Payment information is processed securely by our payment provider, Stripe. We store:
- Stripe customer ID
- Subscription status and plan
- Billing history references
We do not store your complete credit card numbers or payment details on our servers. All payment processing is PCI-DSS compliant through Stripe.
2.3 Usage Data
We automatically collect data about how you use the Service:
- Lead magnets created and managed
- Access links generated and shared
- Feature usage and interactions
- Dashboard activities and settings changes
2.4 Technical Data
We collect technical information including:
- IP address - hashed (SHA-256, truncated) for privacy protection
- User agent - browser and device information
- Access timestamps
2.5 Content
Content you upload or create:
- PDF documents (lead magnets)
- Branding settings (logos, colors)
- API keys and webhook configurations
3. Data We Process on Your Behalf
When you use vavolta to share content with your contacts, we process data about those recipients on your behalf. This includes:
- Email addresses submitted through email-gated content
- Names provided through lead capture forms
- Viewing behavior and engagement metrics
- Hashed IP addresses and user agents of recipients
For this processing, you are the data controller and we are the data processor. Our relationship is governed by our Data Processing Agreement.
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Providing the Service
- Operating and maintaining your account
- Processing your subscriptions and payments
- Delivering analytics and tracking features
- Providing customer support
4.2 Improving the Service
- Analyzing usage patterns to improve features
- Fixing bugs and technical issues
- Developing new functionality
4.3 Communication
- Sending transactional emails (password resets, notifications)
- Providing important service updates
- Responding to your inquiries
4.4 Security and Compliance
- Preventing fraud and abuse
- Enforcing our Terms of Service
- Complying with legal obligations
5. Legal Basis for Processing
Under the GDPR, we process your data based on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and maintenance | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Providing analytics and tracking features | Contract performance (Art. 6(1)(b)) |
| Service analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Tax and accounting records | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
6. Data Sharing and Third Parties
We share your data with the following categories of recipients:
6.1 Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | EU/US |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| Cloudflare | DNS, CDN, subdomain management | Global |
6.2 Other Disclosures
We may disclose your data:
- To comply with legal obligations or valid legal processes
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of assets
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Where the recipient is certified under this framework
- Standard Contractual Clauses: EU-approved contractual terms for data transfers
- Adequacy decisions: Where the destination country has adequate data protection laws
We have conducted Transfer Impact Assessments for our data transfers to the United States and other third countries. Based on these assessments, we have determined that the combination of EU-US Data Privacy Framework certification, Standard Contractual Clauses, and our supplementary technical measures (including encryption and pseudonymization) provides an adequate level of protection for personal data transferred to our sub-processors.
8. Data Retention
We retain your data for the following periods:
- Account data: Until you delete your account, plus 30 days for backup purposes
- Analytics data: For the duration of your subscription, unless you request earlier deletion
- Payment records: As required by tax and accounting laws (typically 7 years)
- Legal records: As required to comply with legal obligations or resolve disputes
9. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
9.1 Right of Access
You can request a copy of the personal data we hold about you.
9.2 Right to Rectification
You can request correction of inaccurate or incomplete data.
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your data in certain circumstances.
9.4 Right to Restrict Processing
You can request limitation of processing in certain circumstances.
9.5 Right to Data Portability
You can request your data in a machine-readable format.
9.6 Right to Object
You can object to processing based on legitimate interests.
9.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at info@brixongroup.com. We will respond within 30 days.
10. Automated Decision-Making and Profiling
vavolta does not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you.
We may use automated processing for the following purposes, which do not constitute automated decision-making under Article 22 GDPR:
- Analytics aggregation: Automatically calculating engagement metrics for your lead magnets
- Email verification: Automatically verifying email addresses submitted through gated content
- Fraud prevention: Automated detection of suspicious access patterns
These automated processes assist in providing our Service but do not make decisions about individuals that have significant effects on them.
11. Cookies
We use cookies and similar technologies as described in our Cookie Policy. In summary:
- Essential cookies: Required for authentication and security
- Functional cookies: Remember your preferences and settings
We do not use third-party advertising cookies. If you configure Google Tag Manager integration, your settings govern that additional tracking.
12. Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest
- Secure password hashing
- IP address hashing for privacy
- Row-level security in our database
- Regular security assessments
- Access controls and authentication
While we take security seriously, no system is completely secure. If you become aware of any security issues, please contact us immediately.
13. Children's Privacy
vavolta is a B2B service not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when this policy was last revised.
15. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. In Malta, this is:
Office of the Information and Data Protection Commissioner
Level 2, Airways House
High Street, Sliema SLM 1549
Malta
https://idpc.org.mt
16. Contact Us
For questions or concerns about this Privacy Policy or our data practices, contact us at:
Brixon Group Ltd
Level 4, Centris Business Gateway
Triq Is-Salib Ta' L-Imriehel
Birkirkara CBD 3020
Malta
Email: info@brixongroup.com