Privacy Policy
Last updated: 3 June 2026
Operated by: Klinios Enterprises LTD (481857), Efesou 9, Paralimni, 5280, Cyprus
This policy explains what personal data we collect when you use essentras.com and our services, why we collect it, how long we keep it, and the rights you have under GDPR and Cyprus data protection law.
TL;DR
- We collect what you give us (account, billing, briefs) plus what we observe (basic analytics).
- We use it to run the platform, fulfill orders, bill you, prevent fraud, and improve matching.
- We share with payment processors, hosting, email, and AI providers. Full list below.
- We don't sell your data. We don't use it for third-party advertising.
- You have full GDPR rights (access, deletion, portability, objection, etc.). See section 7.
1. Who we are (Controller)
The controller of your data is Klinios Enterprises LTD, HE481857, registered at Efesou 9, Paralimni, 5280, Cyprus.
Contact for privacy questions: privacy@essentras.com
We are not currently required to appoint a Data Protection Officer (DPO) under GDPR Article 37, but you can reach our internal privacy lead at the email above.
2. What we collect
Data you give us
- Account: name, email, password (hashed), company name, billing address, country, VAT ID.
- Order: publisher selection, brief, content drafts, target URLs, link targets, niche.
- Payment: card details are processed by Stripe and we do not store them. Crypto wallet addresses appear in our records when you pay via Cryptomus. Bank details for transfer orders are stored.
- Communications: support emails and tickets, sales conversations, any uploads.
Data we observe
- Usage: pages visited, features used, browser type, IP address (truncated for analytics), session timestamps.
- Cookies: essential cookies for login and security. Analytics cookies only if you consent.
- Device: approximate location (country level) inferred from IP, screen resolution, OS.
Data we infer
- AI Match scores for your campaign briefs against our publisher inventory.
- Account risk signals (used only for fraud prevention).
We don't collect special-category data (health, biometrics, religion, etc.) and ask you not to upload it. If you do, we'll delete it.
3. Why we use it (legal basis under GDPR)
| Purpose | Data used | GDPR basis |
| --- | --- | --- |
| Provide the service (account, orders, matching, delivery) | Account, order, communications | Contract (Art. 6(1)(b)) |
| Process payments + refunds | Billing, payment | Contract (Art. 6(1)(b)) |
| Fraud prevention, account security | Usage, device, risk signals | Legitimate interest (Art. 6(1)(f)) |
| Tax + accounting records | Billing, order | Legal obligation (Art. 6(1)(c)) |
| Customer support | Communications, account, order | Contract + legitimate interest |
| Product analytics + improvement | Usage (aggregated, pseudonymized) | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails to existing customers about similar services | Email, account | Legitimate interest, with opt-out in every email (PECR/ePrivacy) |
| Marketing emails to prospects | Email | Consent (Art. 6(1)(a)) |
| AI-assisted matching (sending briefs to LLM provider) | Brief content | Contract + legitimate interest |
Where the basis is legitimate interest, we've balanced our interest against your rights; you can object. See section 7.
4. Who we share with
We use the following subprocessors to run the service. Each one only sees the data needed for their function.
| Subprocessor | What they do | Data they touch | Location |
| --- | --- | --- | --- |
| Stripe, Inc. | Card payment processing | Billing details, card data | US, EU |
| Cryptomus | Crypto payment processing | Wallet address, order amount | EU |
| Neon (Databricks) | Database hosting | All operational data | EU (Frankfurt) |
| Hetzner / DigitalOcean | Application hosting | All operational data in transit | EU |
| Anthropic, PBC | AI Match scoring, content suggestions | Anonymized briefs and publisher metadata | US (DPF certified) |
| OpenAI, L.L.C. | Embeddings for publisher matching | Anonymized briefs and publisher metadata | US (DPF certified) |
| Google LLC | OAuth login, optional analytics | Email, basic profile (login); aggregated usage (analytics) | US (DPF certified) |
| Resend / Postmark | Transactional email | Email address, message content | EU/US |
| Sentry | Error tracking | Stack traces, IP, user ID | EU |
We do not share your data with third parties for their own marketing, and we don't sell personal data.
Law-enforcement requests: we respond to lawful requests from competent authorities. Where allowed, we'll notify you first.
5. International transfers
Some of our subprocessors (Anthropic, OpenAI, Google, Stripe) are based in the US. Transfers outside the EEA are protected by:
- EU-US Data Privacy Framework (DPF) certification, where the recipient is certified, OR
- Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary measures where required.
You can request a copy of the relevant SCC by emailing privacy@essentras.com.
6. How long we keep it
| Data | Retention |
| --- | --- |
| Account (active) | While your account is open |
| Account (closed) | 30 days, then deleted, except records we must keep (see below) |
| Order + invoice records | 7 years (Cyprus tax law, Companies Law) |
| Fraud risk signals | 24 months from last activity |
| Support tickets | 24 months |
| Marketing email log | Until you unsubscribe |
| Anonymized usage analytics | Indefinitely (no longer linked to you) |
| Backups | 30 days rolling, then overwritten |
7. Your rights (GDPR)
You have the right to:
- Access the data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure ("right to be forgotten") subject to our legal retention obligations (Art. 17)
- Restrict processing in some circumstances (Art. 18)
- Data portability: get your data in machine-readable format (Art. 20)
- Object to processing based on legitimate interest, including direct marketing (Art. 21)
- Withdraw consent at any time for processing based on consent (Art. 7(3))
- Not be subject to fully automated decisions with legal or significant effects (Art. 22). We don't make such decisions; AI Match is suggestion-only and a human always finalizes.
To exercise any right, email privacy@essentras.com with proof of identity (so we don't hand your data to someone else). We respond within 30 days as required by GDPR.
You can also complain to the Cyprus supervisory authority:
Office of the Commissioner for Personal Data Protection
1, Iasonos street, 1082 Nicosia, Cyprus
Email: commissioner@dataprotection.gov.cy
Web: http://www.dataprotection.gov.cy
8. Cookies
We use:
- Essential cookies (login, session, CSRF protection): no consent required
- Analytics cookies (anonymized usage stats): set only if you accept on the cookie banner
- No advertising cookies
You can clear cookies in your browser settings; clearing essential cookies will log you out.
9. Children
The service is not directed at anyone under 18 and we don't knowingly collect data from children. If you believe we have, email privacy@essentras.com and we'll delete it.
10. Security
We use industry-standard measures: TLS 1.2+ in transit, encryption at rest for backups, hashed passwords (argon2), role-based access, least-privilege subprocessor access, and audit logging.
No system is perfectly secure. If we suffer a breach affecting your data, we'll notify you and the Cyprus supervisory authority within 72 hours as required by GDPR Art. 33-34.
11. Changes
We may update this policy. Material changes are emailed to active customers and posted with a new "Last updated" date at the top, at least 14 days before they take effect.
12. Contact
Klinios Enterprises LTD
Efesou 9, Paralimni, 5280, Cyprus
HE481857
Privacy: privacy@essentras.com
General: support@essentras.com