Privacy Policy

1. Owner and Data Controller

2. Types of Data Collected

Zitadescribe collects the following categories of Personal Data:

Data provided directly by the User

• First and last name
• Email address
• Account credentials (username, password – stored encrypted)
• Billing information (processed via Stripe; card details are never stored by Atoipa bv)
• Content and inputs submitted through the application

Data collected automatically during use

• IP address and approximate geolocation (country/city level)
• Browser type and version
• Operating system
• Pages visited, time spent per page, navigation path
• Date and time of access
• Device identifiers

Data collected via third-party services

• Web usage and analytics data via Google Analytics
• Web payment transaction data via Stripe

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.

Users are responsible for any third-party Personal Data obtained, published or shared through this Application.

3. Purposes and Legal Basis of Processing

The Owner processes Personal Data for the following specific purposes, each tied to its legal basis under GDPR Article 6:

4. Mode and Place of Processing

Methods of Processing

The Owner takes appropriate technical and organizational security measures to prevent unauthorized access, disclosure, modification, or destruction of Data. Processing is carried out using computers and IT-enabled tools, following procedures strictly related to the stated purposes.

In addition to the Owner, Data may be accessible to authorized personnel involved in the operation of the Application (administration, technical support, legal) or to external parties appointed as Data Processors. A current list of these parties may be requested from the Owner at any time.

Place

The Data is primarily processed within the European Union via Amazon Web Services (AWS) infrastructure. Where data transfers outside the EU occur (e.g. Google Analytics, Stripe), appropriate safeguards are in place as described in section 5.

Retention Time

Personal Data shall be stored for as long as required for the purpose it was collected:

• Account data: retained for the duration of the active account, and deleted within 90 days of account termination unless a longer retention period is required by law.
• Payment and billing records: retained for 7 years in accordance with Belgian accounting and tax law (Wetboek van vennootschappen en verenigingen).
• Analytics data: retained for a maximum of 26 months (Google Analytics default).
• Support communications: retained for a maximum of 3 years.

Once the retention period expires, Personal Data shall be securely deleted or anonymized.

5. Third-Party Service Providers and International Data Transfers

The Owner uses the following third-party service providers who may process Personal Data:

Google Analytics

This Application uses Google Analytics, a web analytics service provided by Google LLC (USA). Google Analytics uses cookies and similar tracking technologies to collect Usage Data. Data is transmitted to and stored on Google servers, which may be located outside the European Union. Google LLC processes data under Standard Contractual Clauses (SCCs). Users may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

AWS

The Application's infrastructure is hosted on Amazon Web Services within the EU (Ireland region). No personal data is routinely transferred outside the European Economic Area via AWS.

Stripe

Payments on Zitadescribe are processed by Stripe Inc. (USA), a PCI-DSS certified payment processor. Atoipa bv does not store or have access to full payment card details. Stripe processes billing data (name, email, card details, billing address) on behalf of the Owner under Standard Contractual Clauses (SCCs). For more information, consult Stripe's Privacy Policy.

6. Data Processing Agreement (DPA)

Zitadescribe is both a Data Controller (for data of its own users and website visitors) and a Data Processor (when processing personal data on behalf of its business customers through the platform).

If you use Zitadescribe as a business and your use involves processing personal data of your own customers or employees through our platform, you are the Data Controller and Atoipa bv acts as your Data Processor. In this case, a Data Processing Agreement (DPA) is required under GDPR Article 28.

7. Cookie Policy

This Application uses Trackers including cookies and similar technologies. These are used to ensure the proper functioning of the Service and for analytics purposes (Google Analytics). Users will be presented with a cookie consent banner upon first visit and may manage their preferences at any time.

8. Data Breach Procedure

Atoipa bv takes the security of your Personal Data seriously. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Owner will:

• Notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit – GBA) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
• Notify affected Users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34. Such notification will include the nature of the breach, the likely consequences, and the measures taken or proposed.

Users may report suspected security incidents to contact@zitadescribe.com.

9. Further Information for Users in the EU

Legal Basis of Processing

See section 3 for a full breakdown of legal bases per processing purpose.

Rights of Users under GDPR

Users may exercise the following rights regarding their Personal Data:

• Withdraw consent at any time, where consent is the legal basis
• Object to processing based on legitimate interests
• Access their Personal Data and obtain a copy
• Rectify inaccurate or incomplete Data
• Restrict processing in certain circumstances
• Erasure (“right to be forgotten”) of their Personal Data
• Data portability – receive their Data in a structured, machine-readable format
• Lodge a complaint with the Belgian Data Protection Authority (GBA): gegevensbeschermingsautoriteit.be

All requests can be directed to contact@zitadescribe.com and will be answered within one month, free of charge.

No Minimum Age Requirement

This Application does not impose a minimum age restriction and does not knowingly target children. If the Owner becomes aware that Personal Data of a child under the age of 13 has been collected without appropriate consent, it will be deleted promptly.

10. Additional Information about Data Collection and Processing

Legal Action

The User's Personal Data may be used for legal purposes by the Owner in Court or in stages leading to possible legal action arising from improper use of this Application or its Services. The User declares to be aware that the Owner may be required to reveal Personal Data upon request of public authorities.

System Logs and Maintenance

For operation and maintenance purposes, this Application and third-party services may collect system logs that record interaction with the Application, including IP addresses.

Changes to This Privacy Policy

The Owner reserves the right to make changes to this privacy policy at any time. Users will be notified on this page and, where technically and legally feasible, via the contact information available. It is strongly recommended to check this page regularly. Where changes affect processing based on the User's consent, new consent will be collected where required.

11. Definitions and Legal References

This policy relates solely to Zitadescribe (zitadescribe.com), operated by Atoipa bv, Henleykaai 7, 9000 Gent, België — BE1029.620.752.