Privacy Policy
Version 1.0 · Effective [LAUNCH DATE]
This Privacy Policy explains how Smartilabs razvoj in svetovanje d.o.o. ("Closetforge", "we", "us"), registered in Slovenia at Prvomajska ulica 11, 4226 Žiri, Slovenia, registration number 9396454000, VAT ID SI98239759, processes Personal Data when we act as the data controller under the EU General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2).
This Privacy Policy applies to:
- Visitors to our marketing website at closetforge.com
- Carpenters and other business users who sign up for an account ("Customers")
- Personnel of Customers who administer accounts ("Authorised Users")
This Privacy Policy does not apply to data processed about end consumers (homeowners) who use the embedded Configurator on a Customer's website. For that data, the Customer is the controller and Closetforge acts as a processor under the Data Processing Addendum at closetforge.com/legal/dpa. End consumers should consult the privacy policy of the carpenter whose website they are using.
1. Personal Data we collect
1.1 When you visit closetforge.com
- Device and connection data: IP address (truncated for analytics), browser type, operating system, language, referring page, pages visited, time on page
- Cookies and similar technologies: as described in our Cookie Policy at closetforge.com/cookies
1.2 When you create a free trial or paid account
- Identity: name, work email, phone number (optional), company name, role
- Billing: billing address, VAT ID, payment-method identifier (we do not store full card numbers — payment data is held by our payment processor; see Section 5)
- Authentication: hashed password, magic-link tokens, TOTP secrets if you enable 2FA
1.3 When you use the Service
- Account activity: logins, feature usage, pages visited within the admin, time stamps
- Catalog and brand data: the materials, hardware, prices, and brand assets you upload (this is Customer Data and is not used for analytics; see MSA Section 7)
- Support and communication: emails, chat messages, recorded demo calls (with consent)
1.4 When you contact us
- Form submissions: name, email, message content, the page you submitted from
- Demo bookings: name, email, company, calendar information
We do not knowingly collect Personal Data of children under 16.
2. How we use Personal Data
We process Personal Data on the legal bases below.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service for paying customers | Performance of a contract |
| Provide a free trial and demos | Performance of pre-contractual measures at your request |
| Bill you and collect payment | Performance of a contract; legal obligation (tax) |
| Send service notifications, security alerts, and changes to terms | Legitimate interest (operating the Service) |
| Send marketing emails to existing customers about features and tips | Legitimate interest (direct marketing to existing customers under PECR-style soft-opt-in) |
| Send marketing to non-customers (newsletters, product launches) | Consent — opt-in only, withdrawable at any time |
| Analyse aggregate site usage to improve the site | Legitimate interest |
| Detect, prevent, and respond to abuse, fraud, and security incidents | Legitimate interest; legal obligation |
| Comply with law and respond to lawful requests | Legal obligation |
| Defend legal claims | Legitimate interest |
When we rely on legitimate interest, we have completed a balancing test. You can ask us for a summary by emailing privacy@closetforge.com.
3. AI and automated processing
Closetforge uses third-party AI services (currently OpenAI; see Sub-processor List) to power the AI chat in the Configurator and to support search and content features in the admin. We do not use Personal Data of Customers or Authorised Users to train third-party AI models. Our agreements with AI providers prohibit them from using your data for model training.
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, within the meaning of GDPR Article 22.
4. Sharing Personal Data
We share Personal Data only with:
- Sub-processors that help us deliver the Service (hosting, email delivery, customer support, analytics, AI). The current list is at closetforge.com/subprocessors. We have signed contracts with each that meet GDPR Article 28 requirements.
- Professional advisers (lawyers, accountants, auditors) under duties of confidentiality.
- Authorities when required by law or to defend legal claims.
- Acquirers in connection with a merger, acquisition, or sale of assets, with notice to you and continued protection of your data.
We do not sell Personal Data and we do not share it with advertising networks for cross-context behavioural advertising.
5. Payments
Card payments are processed by [Stripe Payments Europe, Limited] (or the processor named on closetforge.com/subprocessors). Closetforge receives a token and the last four digits of the card; we do not have access to the full card number. The processor is the controller for fraud-prevention purposes and a processor for transaction handling. See the processor's privacy notice for details.
6. International transfers
We process Personal Data primarily within the EU/EEA. When we transfer Personal Data outside the EU/EEA (for example to a US-based AI provider or analytics vendor), we rely on:
- The European Commission's adequacy decision for the country (where one exists, including the EU–US Data Privacy Framework for certified US recipients), or
- Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards (encryption in transit, encryption at rest, access controls, contractual purpose limitations).
You can request a list of recipients and the safeguards in place by emailing privacy@closetforge.com.
7. Retention
We keep Personal Data only as long as necessary for the purposes for which it was collected.
| Category | Retention |
|---|---|
| Account data of active customers | For the duration of the account and 3 years after termination, for legal-claim defence and audit |
| Billing records | 10 years (Slovenian tax law) |
| Support tickets | 3 years after the ticket is closed |
| Marketing-list data | Until you unsubscribe; the data is then kept suppressed only to ensure you are not re-contacted |
| Web analytics | 14 months |
| Server access logs | 90 days, longer if relevant to a security investigation |
| Free-trial data, if not converted | 6 months after trial expiry |
After retention periods end we delete or anonymise the data.
8. Your rights
Under the GDPR, you have the right to:
- Access: receive a copy of the Personal Data we hold about you
- Rectification: have inaccurate Personal Data corrected
- Erasure: have Personal Data deleted in certain circumstances ("right to be forgotten")
- Restriction: ask us to limit processing in certain circumstances
- Portability: receive your Personal Data in a structured, commonly used, machine-readable format
- Object: object to processing based on legitimate interest, including direct marketing (we will stop)
- Withdraw consent: at any time, where processing is based on consent (this does not affect prior lawful processing)
- Complain: to a supervisory authority — for Slovenia, the Information Commissioner (Informacijski pooblaščenec): www.ip-rs.si
To exercise your rights, email privacy@closetforge.com. We will respond within one month, extendable by two further months for complex requests with notice. We may need to verify your identity. There is no fee unless requests are manifestly unfounded or excessive.
9. Security
We implement technical and organisational measures appropriate to the risk, including:
- TLS 1.2+ for data in transit and AES-256 at rest
- Role-based access controls and least-privilege provisioning
- Multi-factor authentication for staff with access to production systems
- Regular backups with documented restore tests
- Vulnerability scanning and dependency monitoring
- Incident response procedures and breach notification within 72 hours to authorities where required
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities as required.
10. Cookies
See the Cookie Policy at closetforge.com/cookies for the cookies and similar technologies we use, their purposes, and how to manage them. We do not set non-essential cookies without your consent.
11. Changes to this Privacy Policy
We may update this Privacy Policy. Material changes will be notified by email (where you are an account holder) and by a banner on closetforge.com at least 14 days before the effective date. Past versions are archived at closetforge.com/legal/archive.
12. Contact
Data controller: Smartilabs razvoj in svetovanje d.o.o., Prvomajska ulica 11, 4226 Žiri, Slovenia
Email: privacy@closetforge.com
Postal: as above, marked "Privacy"
If we appoint a Data Protection Officer (not currently required for our scale of processing), their contact details will be added here.