Privacy Policy

This page explains what personal data Conlatio FZ-LLC collects when you visit this site or submit a form, how we use it, and the rights you have under the GDPR.

Last updated: April 2026

1. Who we are

Conlatio FZ-LLC, registered in the United Arab Emirates, is the controller of the personal data processed through this website. You can reach us via the contact form.

2. What data we collect

When you use the contact form we collect the name, work email, company (optional), and message you submit, plus the IP address and browser user-agent of your request, and the locale and page from which you submitted.

When you request the free playbook we collect the email you submit, plus the same IP, user-agent, locale, and source-page context.

When you accept cookies we use Google Analytics 4 to collect aggregated, anonymised usage statistics (pages visited, approximate location, device type). IP addresses are anonymised.

With the same consent we use PostHog (hosted in the EU region) for product analytics and session replay. This records the pages you visit and your in-page interactions (clicks, navigation), your device and browser type, and an approximate location derived from your IP address. Session replay records a reconstruction of your visit with all form fields masked, so the text you enter into forms is never captured.

3. Why we process your data (legal basis)

• Contact and playbook submissions: to reply to you, deliver the playbook, and follow up about your enquiry. Legal basis: your consent (Art. 6(1)(a) GDPR) and our legitimate interest in responding to business enquiries (Art. 6(1)(f) GDPR).
• Analytics: only if you explicitly accept cookies. Legal basis: your consent (Art. 6(1)(a) GDPR).
• Abuse prevention: we log IP addresses and user-agents for a short window to rate-limit form submissions and prevent spam. Legal basis: our legitimate interest in protecting the service (Art. 6(1)(f) GDPR).

4. Cookies and analytics

We use one cookie-equivalent value in your browser's localStorage to remember your consent choice. No tracking cookies are set until you explicitly click Accept. If you accept, we load Google Analytics 4 (measurement ID G-53SZBEJ4E8) with IP anonymisation enabled, and PostHog (EU region) for product analytics and session replay so we can understand how the site is used. Session replay masks all form fields, so anything you type into a form is never recorded. If you decline, no analytics scripts are loaded at all. You can change your choice at any time using the Cookie settings link in the footer.

5. Third parties who process data on our behalf

• Supabase (EU, Frankfurt region): stores form submissions in a managed Postgres database. Data processing agreement in place.
• Vercel (EU, Frankfurt region): hosts the website. Standard contractual clauses and data processing agreement in place.
• Google Analytics (only after consent): aggregates anonymised usage statistics. Standard contractual clauses in place; IP anonymisation enabled.
• PostHog (EU region, only after consent): product analytics and session replay. Data is stored in the EU under a data processing agreement; session recordings mask all form input.

We do not sell your data. We do not share it beyond these processors.

6. How long we keep it

• Contact form submissions: kept until the matter is closed, then archived for up to 2 years to support follow-up conversations.
• Playbook signups: kept while you remain subscribed; removed on unsubscribe request.
• Analytics data: retained per Google Analytics defaults (14 months).
• PostHog session recordings: automatically deleted after 30 days.
• Aggregated PostHog product-analytics events: retained for a limited period and then deleted.
• IP addresses and user-agents: kept alongside the submission record and purged with it.

7. Your rights under the GDPR

You have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Request erasure ('right to be forgotten')
• Restrict or object to processing
• Data portability (receive your data in a structured format)
• Withdraw consent at any time (use Cookie settings in the footer, or email us)
• Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us via the form. We respond within 30 days.

8. International transfers

Hosting and primary processing happen within the European Union. Supabase and Vercel are configured to use the Frankfurt region, which means the form data you submit is stored and processed in Germany. The data controller, Conlatio FZ-LLC, is registered in the United Arab Emirates and operates from outside the EU. Where access to your data occurs from countries without an adequacy decision under the GDPR, we rely on the European Commission's Standard Contractual Clauses and supplementary technical and organisational measures to ensure an adequate level of protection. Google Analytics, loaded only after your consent, may process aggregated and anonymised usage data outside the EEA under Standard Contractual Clauses, with IP anonymisation enabled. PostHog is hosted in the European Union (EU region), so the analytics and session-replay data processed through it stays within the EU and is not transferred outside the EEA.

9. Security

Form submissions are written via server-side code using a service-role key that never reaches your browser. Database-level row security is enabled on all tables. All traffic to and from the site is encrypted in transit (HTTPS). We do not store credit card or payment data on this site.

10. Changes to this policy

We may update this policy as the site evolves or regulations change. The 'last updated' date at the top of the page reflects the most recent revision. Material changes will be announced on the homepage for a reasonable period.