Effective Date: November 16, 2024

Evotom Media LLC (“we,” “our,” “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or engage with our services. It also outlines your rights under the General Data Protection Regulation (GDPR) and applicable US privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

1. Company Information

  • Company Name: Evotom Media LLC
  • Registered Address (USA): 7901 4TH ST N STE 300, ST PETERSBURG, FL 33702
  • EU branch: Szépvölgyi út 87, 1037 Budapest, Hungary
  • Data Protection Officer (DPO) & EU Representative: Tamás Halasy
  • Contact Email: info@evotom.hu

2. Data We Collect

We collect and process the following types of personal data:

a) Personal Data You Provide

When you submit information through our website’s contact forms or interact with us directly, we collect:

  • Name
  • Email address
  • IP address
  • Website address (if provided)
  • The content of your message

b) Payment Information

For payments processed via Stripe or PayPal, we do not store payment details directly. However, these third-party payment processors may collect and process your payment information in accordance with their own privacy policies.

c) Anonymous Interaction Data

We use third-party services such as Google Analytics, Microsoft Clarity, and Cloudflare to collect anonymous interaction data. This includes:

  • Page views
  • Session duration
  • Bounce rate
  • User behavior on the website

d) Client Data

For clients who engage our services, we store project-related data in our backend systems (Google Sheets and Nifty.pm). This may include:

  • Project details
  • Contact information
  • Website information for portfolio purposes

3. How We Use Your Data

We process your personal data for the following purposes:

  1. To respond to inquiries submitted through our contact forms.
  2. To provide web design services and communicate with clients about ongoing projects.
  3. To process payments via Stripe or PayPal.
  4. For marketing purposes: We may use Meta (Facebook) Ads and Google Ads for remarketing purposes to show you relevant ads based on your previous interactions with our site.
  5. To improve our website through anonymous analytics data collected by Google Analytics and Microsoft Clarity.
  6. To showcase completed client projects in our portfolio (with prior consent).

Legal Bases for Processing Activities

| Processing Activity | Legal Basis | Necessity | Consequences of Not Providing |
|---|---|---|---|
| Contact Form Submissions | Consent | Optional | Unable to respond to inquiries |
| Client Services | Contractual Necessity | Required | Unable to provide services |
| Analytics | Legitimate Interest | Optional | Reduced service quality |
| Marketing | Consent | Optional | No marketing communications |
| Portfolio Display | Legitimate Interest | Optional | N/A |
| Payment Processing | Contractual Necessity | Required | Unable to process payments |

4. Legal Basis for Processing

Under the GDPR, we rely on the following legal bases for processing your personal data:

  1. Consent: By submitting a contact form or subscribing to marketing communications, you consent to us processing your personal data.
  2. Contractual Necessity: We process personal data to fulfill contracts with clients (e.g., providing web design services).
  3. Legitimate Interests: We may process data for legitimate business interests such as improving our services or marketing our portfolio.
  4. Compliance with Legal Obligations: In some cases, we may be required to process personal data to comply with legal obligations.

For California residents under CCPA/CPRA:

  • We do not sell personal information but provide users with the right to opt out of any potential sale of their personal data.

Impact of Refusing Consent:

  • Refusing marketing consent does not affect service availability
  • Refusing analytics consent does not impact website functionality
  • Refusing essential data processing (e.g., payment information) may limit our ability to provide services

Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Our use of analytics and marketing tools involves some automated processing but does not result in automated decision-making as defined under Article 22 of GDPR.

5. How Long We Store Your Data

We store personal data according to the following retention schedule:

  • Contact form submissions: 2 years from last interaction
  • Client project data: 7 years after project completion (for legal and tax purposes)
  • Marketing data: 2 years from last interaction
  • Analytics data: 26 months (Google Analytics default)

Data Processing Records

We maintain detailed records of all data processing activities in accordance with Article 30 of GDPR, including:

  • Categories of data subjects and personal data
  • Processing purposes
  • Categories of recipients
  • International transfers
  • Security measures
  • Retention periods

These records are:

  • Maintained in a secure digital format
  • Updated monthly
  • Available to supervisory authorities upon request
  • Regularly audited for compliance

6. Your Rights Under GDPR & US Privacy Laws

a) Rights Under GDPR

As an individual located in the European Union, you have the following rights under GDPR:

  1. Right to Access: You can request access to the personal data we hold about you.
  2. Right to Rectification: You can request that we correct any inaccuracies in your personal data.
  3. Right to Erasure (Right to be Forgotten): You can request that we delete your personal data from our systems.
  4. Right to Restrict Processing: You can ask us to limit how we use your personal data.
  5. Right to Data Portability: You can request that we transfer your personal data to another service provider in a structured format.
  6. Right to Object: You can object to the processing of your personal data for certain purposes such as direct marketing.
  7. Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at info@evotom.hu or through our contact form.

b) Rights Under CCPA/CPRA

If you are a resident of California, you have additional rights under CCPA/CPRA:

  1. The right to know what personal information is being collected about you.
  2. The right to request deletion of your personal information (with some exceptions).
  3. The right to correct inaccurate personal information.
  4. The right to opt out of the sale or sharing of your personal information (even though we do not sell data).
  5. The right not to be discriminated against for exercising any of these rights.

To exercise these rights, please contact us at info@evotom.hu.

c) Response Timeframes

We will acknowledge receipt of any request within 72 hours and aim to provide a full response within 30 days (with possible extensions for complex requests). Requests are free of charge unless they are manifestly unfounded or excessive.

d) Verification Process

To protect your privacy, we will verify your identity before responding to any data rights requests.

This verification process may include:

  • Matching provided information with stored data
  • Requesting additional documentation
  • Using multi-factor authentication for online accounts

7. Data Sharing

We do not share your personal data with third parties except as necessary for the following purposes:

  1. Payment processing via Stripe or PayPal.
  2. Analytics services provided by Google Analytics and Microsoft Clarity (anonymous interaction data only).
  3. Portfolio display: With client consent, we may showcase completed projects on our website.

We do not transfer personal data outside of the European Economic Area (EEA) unless it is necessary for providing services or required by law.

Third-Party Processors

| Processor | Purpose | Location | Data Protection Measure |
|---|---|---|---|
| Google Analytics | Analytics | US | Standard Contractual Clauses |
| Microsoft Clarity | UX Analysis | US | Standard Contractual Clauses |
| Stripe | Payments | US | Standard Contractual Clauses |
| PayPal | Payments | US | Standard Contractual Clauses |
| Nifty.pm | Project Management | US | Standard Contractual Clauses |

All third-party processors are bound by:

  • Data Processing Agreements (DPAs)
  • Standard Contractual Clauses for international transfers
  • Regular compliance audits
  • Confidentiality obligations

International Transfers:

Some third-party providers (e.g., Google Analytics, Microsoft Clarity) may transfer anonymized interaction data outside of the EU in accordance with their own privacy policies and Standard Contractual Clauses that ensure GDPR compliance.

8. Security Measures

We take appropriate technical and organizational measures to protect your personal data from unauthorized access or disclosure:

  1. Our website uses SSL encryption (SHA-256 from Let’s Encrypt) to protect any information transmitted between users and our website.
  2. We perform daily scans of our website for malware or vulnerabilities.
  3. Weekly backups are taken to ensure data integrity.
  4. WordPress updates are applied daily as new versions become available.
  5. Data encryption at rest using AES-256
  6. Access controls with multi-factor authentication
  7. Regular security audits and penetration testing
  8. Employee training on data protection
  9. Secure backup storage with encryption

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when:

  • Implementing new technologies
  • Processing special categories of data
  • Conducting large-scale systematic monitoring
  • Processing data that could result in high risk to individuals’ rights

9. Data Breach Notification

In the event of a security breach involving personal data:

  1. We will notify relevant authorities within 72 hours of becoming aware of the breach if it poses a risk to individuals’ rights and freedoms.
  2. If there is a high risk associated with the breach, we will inform affected individuals without undue delay via email or other appropriate communication channels.
  3. We will document all breaches regardless of severity as part of our internal record-keeping obligations under GDPR.

The person responsible for handling breaches is:
Tamás Halasy, Szépvölgyi út 87, 1037 Budapest
Contact: info@evotom.hu

10. Children’s Privacy

Our services are not intended for individuals under the age of 16, and we do not knowingly collect personal information from children under this age threshold without parental consent.

If we become aware that we have inadvertently collected such information without verification of parental consent, we will take steps to delete it.

11. Cookies

Our use of cookies is governed by a separate [Cookie Policy], which details what cookies we use, how they function, and how users can manage their preferences regarding cookies.

12. Marketing Communications

You may opt out of receiving marketing communications from us at any time by emailing us at info@evotom.hu or by using the “unsubscribe” link included in all marketing emails.

We handle unsubscribe requests automatically upon receipt.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time in response to changing legal requirements or operational needs.

Any changes will be posted on this page with an updated “Effective Date.” We encourage you to review this policy periodically for updates.

14. Supervisory Authority and Complaints

As a Florida-registered company operating in both the US and EU, we are subject to oversight by multiple regulatory authorities:

Primary Authority (USA):

Florida Department of Legal Affairs

  • The primary regulatory authority for privacy matters
  • Can enforce violations as unfair and deceptive trade practices
  • Provides a 45-day cure period for violations after notification

Additional US Authorities:

  • Federal Trade Commission (FTC) for general consumer protection matters
  • State Attorneys General in states where we conduct business

EU Authority:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

  • Secondary authority for EU operations
  • Relevant for EU-based data subjects

Filing Complaints:

  1. US-based consumers should direct complaints to:
    • Florida Department of Legal Affairs
    • Office of the Attorney General
    • State of Florida
    • PL-01 The Capitol
    • Tallahassee, FL 32399-1050
  2. EU-based data subjects retain the right to lodge complaints with their local data protection authority, though NAIH serves as our lead EU supervisory authority.

The company will cooperate fully with all relevant authorities and respond to complaints within the required timeframes (45 days in Florida, 30 days under GDPR).

15. Contact Information

If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact us at:

Evotom Media LLC
7901 4TH ST N STE 300, ST PETERSBURG
FL 33702
Email: info@evotom.hu

Alternatively, you can reach us via our contact form. This Privacy Policy ensures compliance with both GDPR regulations and applicable US privacy laws such as CCPA/CPRA where relevant.