Privacy Policy

Effective 6 June 2026 · Last updated 6 June 2026

This Privacy Policy explains what personal data we collect when you use Operator Tools, why we collect it, how we use it, who we share it with, and the rights you have over it. It is intended to satisfy the transparency obligations of the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Croatian Personal Data Protection Implementation Act (Zakon o provedbi Opće uredbe o zaštiti podataka, NN 42/18).

If you want the short version, read the next section. If you want specifics, the rest of the document provides them.

1. Plain-English summary

  • We are Hallett's Cove Partners, vl. Ivan Pešić, a Croatian sole-proprietor business operating Operator Tools.
  • We collect the data you give us (email, name, business numbers you enter, payment data via Stripe) and a small amount of technical data needed to run the Service securely.
  • We use it to operate the Service, fulfil our contract with you, send transactional emails, and — only with your consent — marketing emails.
  • Your data is stored primarily in the EU (Supabase, Ireland) and processed by a small number of sub-processors (Stripe, Resend, Vercel, Airtable). All transfers outside the EEA use lawful mechanisms.
  • We do not sell your data. We do not use your business numbers or saved scenarios to train any machine-learning model — ours or anyone else's.
  • You have full GDPR rights, including access, rectification, erasure, restriction, portability, objection, withdrawing consent, and lodging a complaint with the Croatian supervisory authority (AZOP).
  • Email us at ivan.pesic@hallettscovepartners.com to exercise any right.

2. Who we are (data controller)

The data controller for the personal data described in this Policy is:

  • Trade name: Hallett's Cove Partners, vl. Ivan Pešić
  • Form: paušalni obrt (Croatian sole-proprietor)
  • Address: Bana Josipa Šokčevića 17, 32270 Županja, Republic of Croatia
  • OIB: 01454270162
  • Privacy contact: ivan.pesic@hallettscovepartners.com

We are not required to appoint a Data Protection Officer under GDPR Article 37. The contact above is the primary point of contact for any privacy-related question.

3. What personal data we collect

A. Information you give us when you sign up

  • Email address — used to identify you, send you transactional email, and (with consent) marketing email.
  • Password — stored only as a salted hash by Supabase Auth. We never see your plain-text password.
  • Full name — optional, used to personalise the user interface and emails.

B. Information you enter while using the Service

  • Business profile data — business name, industry, country, currency, VAT rate, average monthly revenue and fixed costs, default hourly labour cost, target margin, default payment terms, safety cash threshold.
  • Tool runs / saved scenarios — the numeric inputs and the computed results of any calculator you save, plus any notes you add.
  • Monthly reviews — month, revenue, profit, cash balance, overdue invoices, new and lost clients counts, and your free-text reflections (biggest win, biggest problem, next month's focus, notes).
  • Decision log entries — date, title, type, description, expected impact, follow-up date, outcome, and any link to a saved scenario.

These data are personal in the sense that they belong to an identifiable account, but they are commercial/operational in content rather than “sensitive” under GDPR Article 9.

C. Payment data (via Stripe)

  • Customer email and name as supplied at checkout.
  • Transaction records: Stripe customer ID, Stripe checkout session ID, payment intent ID, amount, currency, status, timestamps.
  • We do not store payment card numbers. Card data is handled solely by Stripe.

D. Technical and security data

  • IP address — handled transiently by Vercel for routing and abuse prevention; not persisted to our database.
  • Browser metadata — User-Agent and similar HTTP headers, in transient request logs.
  • Authentication cookies issued by Supabase Auth to keep you signed in.
  • A “current business” cookie (httpOnly) that remembers which Business Profile you last selected.
  • Server logs retained by Vercel for limited periods (typically 1–24 hours) for operational debugging.

E. Email correspondence

When you email us, we keep the message and our reply for customer-support and record-keeping purposes.

4. How we use your data

  • To provide the Service — creating and authenticating your account, storing your business profile, running and saving scenarios, producing dashboards, monthly reviews, the decision log, and PDF/CSV exports.
  • To process payments — sending the data needed to Stripe and recording the outcome.
  • To communicate with you transactionally — account confirmations, receipts, refund confirmations, important service notices, and security alerts.
  • To communicate with you for marketing — only where you have given explicit consent. See Section 6.
  • To improve the Service — primarily by looking at aggregated, anonymised usage patterns (e.g. which tools are run most often). We do not look at individual Content for product development.
  • To prevent fraud and abuse — through Stripe's fraud-detection tools, account-activity monitoring, and rate limiting.
  • To comply with legal obligations — including tax, accounting, and consumer-law record-keeping.
  • To enforce these terms and pursue or defend claims — for example in the event of a chargeback or dispute.

6. Marketing communications

With your explicit consent, we may send you marketing emails about Operator Tools, including but not limited to:

  • New tools, features, and updates;
  • Tips, guides, and best-practice content related to small-business decision-making;
  • Customer surveys and product-research invitations;
  • Promotional offers, where applicable.

How we obtain consent. By a clearly-labelled opt-in checkbox (not pre-ticked) at the point where we ask for it (currently sign-up; in future, account settings). We keep a record of when and how you opted in.

How to withdraw consent. Click the “unsubscribe” link in any marketing email, or email ivan.pesic@hallettscovepartners.com. We will stop sending marketing emails without undue delay (and in any event within a few business days). Withdrawing consent does not stop transactional emails, which we send under the contract.

7. Cookies and similar technologies

The Service uses a small set of strictly necessary cookies. We do not use third-party advertising, retargeting, or analytics cookies.

Strictly necessary cookies

  • Authentication cookies set by Supabase Auth to keep you signed in across requests. Typically named with the prefix sb-. These cookies are essential to the Service.
  • current_business_id (httpOnly) — remembers which Business Profile you last selected in the dashboard. Essential to the multi-business feature.
  • Vercel may set transient routing cookies for edge load-balancing and security. These are not used for tracking.

Because we only use strictly-necessary cookies, no cookie consent banner is required under the ePrivacy Directive. If we ever introduce analytics or marketing cookies, we will deploy a compliant consent mechanism first.

8. Sharing your data and sub-processors

We do not sell or rent your personal data. We share it only with the sub-processors below, who act on our instructions under written data-processing agreements, and where required by law (e.g. a valid court order, or tax authorities).

Sub-processors (purpose, region, data accessed):

  • Supabase, Inc.
      Purpose: Primary database and authentication
      Region: European Union (Ireland, eu-west-1)
      Data accessed: All account, business, scenario, review, decision, and payment-record data; hashed password
  • Stripe Payments Europe, Limited
      Purpose: Payment processing and fraud prevention
      Region: Ireland, with global infrastructure (adequate transfer mechanisms)
      Data accessed: Email, name, billing address (as you provide it at checkout), payment method details, transaction history. Card numbers are never seen by us.
  • Resend, Inc.
      Purpose: Sending transactional and (with consent) marketing email
      Region: United States (under EU SCCs)
      Data accessed: Your email address, your name (where provided), email content and delivery metadata
  • Vercel Inc.
      Purpose: Application hosting and edge networking
      Region: United States, with EU edge regions (under EU SCCs)
      Data accessed: Web requests, IP address (transient, for routing and security), session cookies
  • Airtable, Inc.
      Purpose: Internal CRM and customer-success workflows (post-launch)
      Region: United States (under EU SCCs)
      Data accessed: Where applicable: email, name, account status, communication history. Not your business numbers or saved scenarios.

We update this list when sub-processors change. Material changes (adding a new sub-processor that materially affects your data) will be communicated by email or in-app notice in advance where practicable.

9. International transfers

Your data is held primarily in the European Union (Supabase, Ireland). Some of our sub-processors are based outside the EEA (notably the United States). Where personal data is transferred outside the EEA, we rely on lawful transfer mechanisms, in particular the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

We do not transfer data to jurisdictions that have not been deemed to offer adequate protection or where appropriate safeguards are not in place.

10. How long we keep your data

  • Account and Content — for as long as your account is open. If you ask us to delete your account, we delete your account record and Content within 30 days, subject to the legal retention requirements below.
  • Payment records — at least 11 years from the end of the financial year in which the transaction occurred, to comply with Croatian tax and accounting law (Zakon o računovodstvu).
  • Consumer-related records (warranty / withdrawal correspondence) — for the duration of any limitation period applicable to consumer claims, plus a reasonable buffer.
  • Email correspondence — for as long as needed to answer your queries and for a reasonable period thereafter for quality and record-keeping purposes.
  • Marketing consent records — for as long as the consent is active and for a reasonable period after withdrawal to evidence compliance.
  • Server logs — short-term only (typically 24 hours to a few days), subject to our hosting provider's retention.
  • Backups — operational backups of the database are taken regularly and rotated; deleted data may persist in backups for up to 35 days before being overwritten.

11. Security

We take reasonable technical and organisational measures to protect your data, including:

  • Transport encryption (HTTPS / TLS) for all traffic between your browser and the Service;
  • Encryption at rest for the database via Supabase's managed storage;
  • Row-Level Security (RLS) policies on every user-owned database table, so users can only see their own rows;
  • Service-role isolation — the privileged Supabase key is never exposed to the browser and is used only in narrowly-scoped server-side functions;
  • Webhook signature verification for all Stripe events;
  • Password storage as a salted hash via Supabase Auth; we never see your plain-text password;
  • Least-privilege access for the operator (we avoid looking at individual Content where not strictly necessary);
  • Routine dependency updates and a security review of the privileged code paths.

No system can be guaranteed completely secure. In the event of a personal-data breach affecting you, we will notify you and, where required, the supervisory authority (AZOP) without undue delay and in any event within 72 hours of becoming aware, as required by GDPR Articles 33 and 34.

12. Your rights under GDPR

As a data subject, you have the following rights with respect to your personal data:

  • Right of access (Art. 15) — confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17, “right to be forgotten”) — deletion of your data where one of the grounds in the GDPR applies. Note that legally-mandated retention (e.g. tax records) may delay or limit erasure of some categories.
  • Right to restriction of processing (Art. 18) — pausing processing in defined circumstances.
  • Right to data portability (Art. 20) — receiving your data in a structured, commonly-used, machine-readable format. You can use the in-app CSV and PDF exports for this; we can also provide a JSON export on request.
  • Right to object (Art. 21) — to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — at any time, where processing is based on consent (notably for marketing). Withdrawal does not affect the lawfulness of earlier processing.
  • Right to lodge a complaint (Art. 77) — with the Croatian Personal Data Protection Agency (AZOP), at Selska cesta 136, 10000 Zagreb, Croatia, azop.hr, or with the supervisory authority in the EU Member State of your habitual residence or place of work.

To exercise any of these rights, email ivan.pesic@hallettscovepartners.com. We will respond within one month (extendable by two further months for complex requests, with notice). We may need to verify your identity before fulfilling a request.

13. Automated decisions and profiling

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you.

The Service's “recommended next tool” on the dashboard is a simple rules-based heuristic operating on whether you have run certain tools recently. It does not produce consequential outcomes about you or your business.

We do not use artificial-intelligence or machine-learning models on your data, nor share your data with third parties to train such models.

14. Children

The Service is not intended for children under 16, and we do not knowingly collect data from children under that age. If you believe a child has provided us with personal data, please contact us so we can delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always available at this URL and the “Last updated” date at the top reflects the latest revision. For material changes, we will give reasonable advance notice (typically by email) before the change takes effect.

16. Contact and complaints

For any privacy-related question, request, or complaint:

  • Email: ivan.pesic@hallettscovepartners.com

You also have the right to complain to a supervisory authority, notably the Croatian Personal Data Protection Agency (AZOP) — see Section 12.

See also our Terms of Service.