Privacy Policy

Effective: 29 April 2025  Last Revised: 11 June 2025

This Privacy Policy explains how Verinosc CLG (“we”, “us”, “our”) processes personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and Cyprus Law 125(I)/2018. Our public site is still ramping up and remains largely static, but the technologies already in place—and the safeguards applied—are described below.


1 Who we are

Verinosc CLG – Company Limited by Guarantee (non‑profit)
Reg. No. HE 471839 | Kennedy 70, 2nd Fl., Office 201‑202, 1076 Nicosia, Cyprus

We are the data controller (Art 4 § 7 GDPR).
Privacy enquiries: privacy@ledg.it.com  +357 9919 0997

A formal Data Protection Officer is not required; our privacy team will respond to all requests.

Processing on our behalf
Development and hosting resources are provided by Promet.ai Ltd. (Cyprus), which acts as a data-processor under a GDPR-compliant Data-Processing Agreement (Art 28 GDPR). Promet.ai Ltd. in turn contracts physical hosting from Hetzner Online GmbH (see § 4).


2 What personal data we collect & why

Audience | Data categories (examples) | Purpose & legal basis | Retention
Browsing visitors (essential) | Edge/origin logs: IP address, date/time, request URL, user-agent | Legitimate interests Art 6 (1)(f) – ensure security & integrity | Logs deleted after 14 days unless a security investigation requires longer retention
Browsing visitors (analytics — only if you give consent) | Analytics ID cookie (_ga, _gid, _ga_<container-id>); truncated IP address; device/OS; referrer; page-view & event data | Consent Art 6 (1)(a) & Art 5(3) of the ePrivacy Directive – measure and improve site performance | Google Analytics data retained 14 months*, then deleted or aggregated
Registered users (Keycloak — coming soon) | Display name (optional); e-mail; password hash / IdP token; internal user-ID; access/refresh tokens | • Consent Art 6 (1)(a) – account creation • Legitimate interests Art 6 (1)(f) – secure & administer service | Until account deletion + 12 months of inactivity, then erased or anonymised (unless legal retention applies)
Newsletter subscribers (planned) | Name (optional); e-mail | Consent Art 6 (1)(a) | Until you unsubscribe or withdraw consent
Contact-form queries / research calls (planned) | Name; e-mail; message content | Legitimate interests Art 6 (1)(f) – respond to enquiries | Deleted after issue resolved or 12 months, whichever occurs first

*If we ever enable Google Signals or Ads Personalisation, we will update this policy in advance as the minimum retention period increases to 26 months.
Tag Manager loads only after you opt in to analytics cookies; it sets no cookies for regular visitors and collects no personal data itself.

We do not carry out automated decision-making or profiling (Art 22 GDPR).


3 Hosting & security

  • Static site – Built with Next.js, delivered as static assets
  • TLS – All traffic forced over HTTPS (TLS 1.2+)
  • Authentication – Keycloak in the same infrastructure; session cookie KEYCLOAK_SESSION (Secure, HttpOnly, SameSite=Lax) set after login, expires at logout or after 8 h inactive
  • Infrastructure – EU-based servers rented by Promet.ai Ltd. (Cyprus) from Hetzner Online GmbH (Germany) under GDPR-compliant agreements. Admin access via MFA; IaC with peer review
  • Server logs – see § 2; no additional long-term app-level logs
  • Data-breach response – We will notify the supervisory authority and affected users within 72 h (Arts 33-34 GDPR)
  • International transfers – Analytics data may be processed by Google servers outside the EEA (incl. USA). Google LLC is certified under the EU–US Data Privacy Framework (DPF). We also rely on the EU 2021 Standard Contractual Clauses as supplementary safeguards. No other personal data is transferred outside the EEA.

4 Sub-processors

Provider | Purpose | Location of processing | Safeguards
Promet.ai Ltd. | Infrastructure management & DevOps | Cyprus (EEA) | Art 28 DPA with Verinosc; ISO 27001-aligned controls
Hetzner Online GmbH | Physical hosting (servers, backups) – contracted by Promet.ai Ltd. | Germany (EEA) | GDPR DPA with Promet.ai Ltd.; ISO 27001 data centres
Google Ireland Ltd. / Google LLC | Google Analytics 4 (web analytics) & Google Tag Manager (tag container) | EU data-centre region; possible processing in USA | EU–US DPF certification; Standard Contractual Clauses; IP-anonymisation; 14-month retention; only activated after consent

Any additional third-party service (e.g. e-mail delivery) will be listed here before activation.


5 Cookies & similar technologies

Our cookie banner lets you choose between essential and analytics cookies.

Cookie | Purpose | Lifespan | Type
KEYCLOAK_SESSION | Maintains authenticated session (strictly necessary) | Session or 8 h inactive | First-party, Secure, HttpOnly, SameSite=Lax
_ga, _gid, _ga_<container-id> | Google Analytics identifiers (aggregate usage statistics) | 1 day (_gid) to 14 months (_ga*) | First-party, requires prior consent
gtm_preview, gtm_auth, gtm_debug (temporary) | Used by Google Tag Manager during debug mode | Until browser closed | First-party, set only for site admins

Google Tag Manager itself stores no cookies and collects no personal data; it only deploys other tags.
You can withdraw or granularly adjust your consent at any time via the “Cookie Settings” link in the page footer or by clearing your browser cookies. Google also offers an opt-out browser add-on.

6 Children’s data

The site is not directed to children under 16. If we learn a child under 16 registered without parental consent, the account will be deleted immediately.

7 Your rights

You may at any time exercise your GDPR rights: access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent.
E-mail privacy@ledg.it.com to submit a request. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection, Cyprus (https://www.dataprotection.gov.cy).

8 Future updates

Planned launches:

  1. Newsletter subscriptions
  2. Community accounts (Keycloak)
  3. Contact forms & research participation calls

Each feature will go live only after this policy is updated with the relevant processing details.

9 Changes to this policy

When we amend this document, the “Last Revised” date will change. Significant changes will also be highlighted on our homepage.

© 2025 Verinosc CLG. All rights reserved.