LEGAL

Privacy policy

How Datatrek collects, uses, and protects your personal data.

Last updated: 13 May 2026

Who we are

The data controller for this website is Datatrek, registered at the Science & Technology Park of Crete, Heraklion, 70013, Greece. You can reach us at soc@datatrek.io.

This notice applies exclusively to the datatrek.io marketing website. The provision of SOC, SIEM, XEDR, and other managed-security services is governed by a separate written agreement between Datatrek and the client, which includes its own data-processing terms.

Data we collect

This site collects only the data you actively provide and the minimum technical metadata required to deliver and protect the service.

Contact form submissions — when you fill in the contact form we collect:

  • Full name
  • Work email address
  • Company name (optional)
  • Your message
  • Preferred language (locale)

Technical metadata — stored automatically alongside every form submission:

  • IP address (used for spam prevention and security logging)
  • Browser user-agent string
  • Timestamp of submission

Bot-mitigation challenge (Cloudflare Turnstile) — to protect the contact form against automated abuse, we use Cloudflare Turnstile. When the form loads, your browser fetches a small script from challenges.cloudflare.com and exchanges a short-lived verification token with Cloudflare. As part of this challenge, Cloudflare receives your IP address, user-agent string, and limited behavioural signals from the browser environment (e.g. timing, hardware concurrency). We send the resulting token, together with your IP address, to Cloudflare's siteverify endpoint to confirm the submission is human; we do not retain the token after verification. Turnstile is designed to operate without setting cookies on this site and without third-party advertising profiles. See the "Sharing with third parties" and "Where your data is processed" sections below.

We do not use third-party analytics services (no Google Analytics, no Plausible Cloud, no Fathom). We run our own privacy-preserving, first-party analytics — see the "Website analytics" section below for full details.

Where your data is processed

Your contact-form data and analytics records are stored exclusively within the European Economic Area (EEA), on the following infrastructure providers, each acting as a data processor under a Data Processing Agreement (DPA):

  • Hetzner Online GmbH — Germany
  • Amazon Web Services EMEA SARL — Ireland
  • Google Cloud EMEA Limited — Belgium

Cloudflare (bot mitigation only). When you submit the contact form, your IP address and Turnstile token are transmitted to Cloudflare, Inc. (USA) — and to its EU affiliate Cloudflare Germany GmbH — solely to verify that the submission is human. Cloudflare operates a global anycast network, so this verification request may be processed by a Cloudflare edge node outside the EEA, including in the United States. The transfer is covered by:

  • Standard Contractual Clauses (Art. 46(2)(c) GDPR), as published in Cloudflare's Data Processing Addendum;
  • Cloudflare's certification under the EU–US Data Privacy Framework;
  • supplementary technical and contractual measures described in Cloudflare's GDPR documentation.

Cloudflare acts as our processor for this purpose and is not permitted to use the data for its own purposes. We do not transfer contact-form content, names, email addresses, messages, or analytics data outside the EEA — only the IP address and Turnstile token used for the challenge.

Sharing with third parties

We share personal data only with the following processors, strictly in their capacity as data processors. None of them is permitted to use your data for their own purposes:

  • The EU/EEA infrastructure providers listed above (Hetzner, AWS EMEA, Google Cloud EMEA) — for hosting, storage, and email delivery.
  • Cloudflare, Inc. and Cloudflare Germany GmbH — for the Turnstile bot-mitigation challenge that protects the contact form (see "Where your data is processed" above for the lawful basis of the transfer).

We do not sell, rent, or trade personal data. We embed no third-party analytics, advertising, or social-media trackers on this site. We do not share data with any other third party unless required by law or to protect the rights, property, or safety of Datatrek or others.

How long we keep data

Contact form submissions — retained for 24 months from the date of last contact, after which they are permanently deleted automatically.

Server-side request logs (IP address, user-agent) — retained for up to 90 days for security and audit purposes, then deleted.

Rails session cookie — expires at the end of your browser session (or sooner if you close the browser).

Cookies

This site sets one cookie only: the Rails session cookie (_datatrek_session). This cookie is strictly necessary for the contact form to function (CSRF protection) and expires at the end of your browser session.

Because this is a strictly necessary cookie, no consent banner is required under Art. 5(3) of the e-Privacy Directive. We do not set analytics, advertising, preference, or any third-party cookies.

Cloudflare Turnstile. The Turnstile widget used on our contact form is, by design, a cookie-less alternative to legacy CAPTCHA systems: it does not set tracking cookies on your device, does not build a cross-site advertising profile, and does not require user interaction. The data exchanged with Cloudflare during the challenge is described in the "Data we collect" and "Where your data is processed" sections above.

Your rights under GDPR

As a data subject you have the following rights under the GDPR:

  • Access (Art. 15) — obtain a copy of your personal data and information about how it is processed.
  • Rectification (Art. 16) — have inaccurate data corrected.
  • Erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Restriction of processing (Art. 18) — limit how we use your data in certain circumstances.
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Complaint (Art. 77) — lodge a complaint with the supervisory authority.

To exercise any of these rights, email soc@datatrek.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) — Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα — at www.dpa.gr.

Security

We protect personal data using appropriate technical and organisational measures, including:

  • TLS encryption for all data in transit
  • Encryption at rest at the infrastructure layer
  • Role-based access controls — only staff who need access to process your enquiry can see form submissions
  • Multi-factor authentication (MFA) on all administrative access
  • 24/7 SOC monitoring of our own infrastructure by the same NightWatch team that monitors clients

Contact

For any privacy-related question, to exercise your rights, or to contact our Data Protection Officer:

Datatrek
Science & Technology Park of Crete
Heraklion, 70013, Greece
Email: soc@datatrek.io

Website analytics

We count page views using our own first-party analytics — no data leaves this server. We do not use Google Analytics, Plausible Cloud, Fathom, or any other third-party analytics service.

No cookies, no persistent storage. We do not set any cookies for analytics purposes, do not use localStorage, and do not fingerprint your device or browser.

How visitor identity works. For each page view we generate a temporary visitor hash by applying SHA-256 to a combination of your IP address, your browser's user-agent string, and a daily-rotating salt. We keep only the first 32 hex characters of that hash — never the inputs. The salt changes every UTC midnight, so two visits on different calendar days produce completely different hashes. We cannot link your activity across days, and the hash cannot be reversed to recover your IP.

What we store per page view:

  • The anonymised visitor hash (32 hex chars, rotates daily)
  • Page path and referrer (external domains only — we drop same-site referrers)
  • Browser user-agent string
  • Country code (ISO 3166-1) derived from the CF-IPCountry request header supplied by Cloudflare — we never store the underlying IP address
  • Device type (desktop / mobile / tablet) and browser name, parsed from the user-agent
  • Visit timestamp and page duration

Retention. Analytics rows are kept for 24 months and then permanently deleted automatically.

Legal basis. We process this data under Art. 6(1)(f) GDPR — legitimate interests: operating, securing, and improving the website. Because the visitor hash is not personal data (it cannot be reversed and rotates daily, so no individual can be identified or tracked across days), the processing is proportionate and does not override your rights.

Opt-out. Enable Do Not Track (DNT) or Global Privacy Control (GPC) in your browser — we honour both signals, client-side and server-side, and will not record the page view. The Brave and DuckDuckGo browsers enable GPC by default; Firefox users can enable it under Privacy & Security settings.
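
The visitor-hash scheme from "How visitor identity works" and the server-side opt-out described above, sketched in Ruby as an added example; this is not Datatrek's code. The class and method names, the NUL separator between inputs, the in-memory salt, and the sample IP and user-agent are assumptions made for illustration.

```ruby
require "digest"
require "securerandom"

# Added illustration; all names here are hypothetical.
class DailyVisitorHash
  def initialize
    @salt_day = nil
    @salt = nil
  end

  # Salt for the UTC calendar day of `now`. When the date changes the old
  # salt is overwritten, so earlier hashes can no longer be recomputed.
  def salt_for(now)
    day = now.getutc.strftime("%Y-%m-%d")
    unless @salt_day == day
      @salt_day = day
      @salt = SecureRandom.hex(32)
    end
    @salt
  end

  # SHA-256 over salt, IP and user-agent; only the first 32 hex chars are kept.
  # Joining with NUL is an assumption: the policy only says "a combination".
  def visitor_hash(ip, user_agent, now = Time.now)
    Digest::SHA256.hexdigest([salt_for(now), ip, user_agent].join("\0"))[0, 32]
  end

  # Server-side opt-out: DNT and Sec-GPC are the request headers browsers send.
  def record?(headers)
    headers["DNT"] != "1" && headers["Sec-GPC"] != "1"
  end

  # Returns the hash to store, or nil when the visitor has opted out.
  def track(ip, user_agent, headers, now = Time.now)
    record?(headers) ? visitor_hash(ip, user_agent, now) : nil
  end
end

if __FILE__ == $0
  # Constructed sample input (documentation IP range, made-up user-agent).
  tracker = DailyVisitorHash.new
  ip, ua = "203.0.113.7", "ExampleBrowser/1.0"
  puts tracker.track(ip, ua, {}, Time.utc(2026, 5, 13, 9, 0, 0))
  puts tracker.track(ip, ua, {}, Time.utc(2026, 5, 14, 9, 0, 0))
  puts tracker.track(ip, ua, { "Sec-GPC" => "1" }).inspect
end
```

The cross-day unlinkability depends on the previous day's salt actually being destroyed: anyone holding a retained salt could recompute that day's hashes from candidate IP and user-agent pairs.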

Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect how we use your data, we will notify recent contacts by email where we hold a valid address.

Continued use of the website after an update constitutes acceptance of the revised policy.