Privacy policy
Elgarde is a privacy product. Our own data practices reflect that commitment.
Last updated: 10 April 2026
1. Who we are
Elgarde is a regulatory intelligence and trust platform operated from Portugal, European Union. We continuously audit websites for cookie consent, accessibility, and privacy compliance across jurisdictions.
For full legal entity details, see our imprint.
Data Protection Officer: dpo@elgarde.com
2. Data we collect
Free scan
- The domain name you submit
- Your IP address (hashed with a per-deployment salt — we do not store the raw IP in logs)
- The country inferred from the Cloudflare CF-IPCountry header (used for jurisdiction detection)
- Scan results: compliance findings, screenshots, and network captures of the scanned website
Full reports and monitoring
- Email address (required for delivery and account access)
- Payment information (processed by Stripe — we do not store card details)
- Domains registered for monitoring
Contact and support
- Your email address and message content when you contact us
What we do NOT collect
- We do not use analytics or tracking scripts on our website
- We do not set third-party cookies
- We do not build advertising profiles
3. How we use your data
- To perform the compliance scan you requested and deliver your results
- To detect and prevent abuse (rate limiting, duplicate submission detection)
- To process payments and manage your subscription
- To send monitoring alerts when your website's compliance status changes
- To respond to support and legal inquiries
- To comply with our own legal obligations
4. Lawful basis (GDPR Art. 6)
| Processing activity | Lawful basis |
|---|---|
| Performing a free scan | Art. 6(1)(b) — necessary for the service you requested |
| Rate limiting and abuse prevention | Art. 6(1)(f) — legitimate interest in protecting service availability |
| Processing payments | Art. 6(1)(b) — necessary for contract performance |
| Sending monitoring alerts | Art. 6(1)(b) — part of the monitoring service you subscribed to |
| Responding to inquiries | Art. 6(1)(b) — pre-contractual measures at your request |
| Legal compliance (e.g. invoicing) | Art. 6(1)(c) — legal obligation |
5. Data retention
- Free scan results: 90 days, then automatically deleted
- Paid report data: retained for the duration of your account, plus 90 days after deletion
- Monitoring data: retained for the duration of your subscription, plus 90 days
- Aggregate metrics (e.g. total scans per day, average compliance scores): retained indefinitely, with no personal data attached
- Invoicing records: 7 years (Portuguese tax law)
- Support correspondence: 24 months after last contact
Retention is enforced automatically by scheduled processes, not manual cleanup.
6. Who we share data with
We share your data only with the following categories of recipients, and only to the extent necessary:
- Stripe — payment processing (your card details go directly to Stripe and never touch our servers)
- Hetzner — infrastructure hosting (EU data centers, Germany and Finland)
- Cloudflare — CDN and DNS (data processing agreement in place)
- Brevo — transactional email delivery (EU-based)
We do not sell, rent, or trade personal data. We do not share data with advertisers.
7. International data transfers
Our servers are hosted in the European Union (Hetzner, Germany/Finland). All primary data processing occurs within the EU/EEA.
Where a sub-processor transfers data outside the EU/EEA (e.g. Cloudflare's global CDN network, Stripe's US-based processing), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and data processing agreements.
8. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
To exercise any of these rights, email dpo@elgarde.com. We respond within 30 days.
9. Cookies and local storage
The Elgarde website uses only strictly necessary cookies required for the site to function (e.g. session management for logged-in users). We do not use analytics cookies, advertising cookies, or any third-party tracking.
We practice what we preach: our own website passes the same compliance scan we offer to customers.
10. Security
We protect your data with:
- Encryption in transit (TLS) and at rest (encrypted volumes)
- Infrastructure hosted in EU data centers with physical access controls
- Principle of least privilege for all system access
- Automated daily backups with encrypted off-site storage
- Regular security updates via unattended-upgrades
IP addresses used for rate limiting are hashed before storage — we do not keep raw IP addresses in application logs.
11. Children
Elgarde is a B2B service for website operators. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact dpo@elgarde.com and we will delete it promptly.
12. Supervisory authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 — 1.º
1200-651 Lisboa, Portugal
www.cnpd.pt
13. Changes to this policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be announced on our website. The "last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For privacy-related questions or to exercise your rights:
Data Protection Officer: dpo@elgarde.com
General inquiries: hello@elgarde.com
Legal matters: legal@elgarde.com