Privacy policy

Summary

• We do not run analytics, tracking pixels, advertising cookies, or fingerprinting.
• We process the minimum data needed to run the site, the chat widget, and the free AIO tools, and to defend against abuse.
• Some of our service providers are based in the United States. Transfers happen under Standard Contractual Clauses and (where applicable) the EU-US Data Privacy Framework.
• You have the rights set out under the GDPR (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to the Datenschutzbehörde).

1. Controller

The controller responsible for processing under Art. 4(7) GDPR is:

Vanja Ivančević, trading as Daystrom (Einzelunternehmen, Austria)
[FILL: Street address, postal code, city, Austria]
Email: hello@daystromworks.com

No data protection officer (DPO) is appointed; the controller does not meet the criteria of Art. 37 GDPR / §5 DSG.

2. Server logs

When you visit the site, our hosting provider (Vercel) processes the following technical data: IP address, user-agent string, referrer, requested URL, response status, timestamp. This is required to deliver the page and to defend against abuse.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the site).
Retention: in line with Vercel's log retention (typically up to 30 days). We do not aggregate or persist logs beyond Vercel's defaults.

3. Chat widget

The site offers an AI chat assistant. When you send a message, we transmit your messages, your browser timezone, and the current date to a large-language-model provider (primary: OpenRouter routing to Meta Llama 3.3 70B; fallback: Groq) to generate a reply. Your IP address is read on our server for rate-limiting only and is not stored alongside your messages.

If you choose to send a message to the operator or book a call, the assistant collects your name, email, company, and a short description of your problem. With that, we either (a) forward the message via Resend to vanja.ivancevic@gmail.com, or (b) hand your details to a Cal.com booking widget, which completes the booking on Cal.com.

Legal basis: Art. 6(1)(b) GDPR (taking steps at your request prior to entering into a contract) for booking and messaging; Art. 6(1)(f) GDPR (legitimate interest in offering an assistant and preventing abuse) for the chat itself.
Retention: chat messages are not persisted server-side; they exist only for the duration of the conversation in your browser. Forwarded emails are kept in our mailbox for as long as needed to follow up, and at most as required by §132 BAO (commercial-record retention).

What you should not send: please do not include special-category data (health, religion, etc.) or personal data of third parties in chat messages: the message is sent to a third-party LLM provider and to our mailbox.

4. Bot protection (Cloudflare Turnstile)

The chat form is protected by Cloudflare Turnstile, a CAPTCHA-style challenge that runs in your browser and verifies you are not a bot. Turnstile may process your IP address, user-agent, and behavioural signals from your interaction with the page.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in defending against automated abuse).
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Privacy policy: cloudflare.com/privacypolicy.

5. Free AIO tools (/tools/aio-check, Fix Pack)

When you submit a URL to the AIO check, we fetch that URL from our server, analyse the response, and return a report. Your IP address and the submitted hostname are used for rate limiting (stored in Upstash Redis). The report itself is stored under a random slug for 30 days so you can share or revisit it. No email is required for the free check.

When you request a Fix Pack, you provide your email address. The generated ZIP and a manifest (containing your email, the audited site, score, and grade) are stored in Upstash Redis for 30 days. We email you the download link via Resend, and we email ourselves a notification of the new request.

When you request the AIO report by email, we store your email address and the report slug in Upstash Redis (no automatic expiry on the lead list) and email you the report via Resend.

Legal basis: Art. 6(1)(b) GDPR (delivering the service you requested) for the email and the stored result; Art. 6(1)(f) GDPR (rate limiting and abuse prevention) for the IP-based limits.
Retention: reports and Fix Pack ZIPs auto-expire after 30 days. Lead records (email plus audited URL plus score) are kept until you ask us to delete them.

6. Booking calls (Cal.com)

Calls are scheduled through a Cal.com booking widget embedded in the chat. When you book, your name, email, the slot you choose, and any notes you enter are processed by Cal.com to create the booking, send confirmations, and add the event to our calendar.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure at your request).
Provider: Cal.com, Inc. Privacy policy: cal.com/privacy.
Retention: per Cal.com's policy and our own calendar; bookings tied to invoiced engagements are retained for the periods required by §132 BAO.

7. Cookies and local storage

The site sets no advertising or analytics cookies. Theme preference (light/dark) is stored in your browser's local storage if you change it; that data never leaves your device. No consent banner is shown because no consent-requiring technologies are used.

8. Fonts and images

Typefaces are loaded from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). When fonts are requested, your browser connects to Google's servers and your IP address is transmitted. Some images may be loaded from Unsplash (images.unsplash.com).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in delivering the page consistently).

9. Processors and third-country transfers

The following processors handle data on our behalf. Some are based in the United States. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework. You should be aware that residual access by US authorities (for example under FISA 702) cannot be excluded.

• Vercel Inc. (USA): hosting, edge functions, logs. Privacy · DPA
• Upstash, Inc. (USA / EU regions): Redis storage for rate limiting, AIO reports, and Fix Pack bundles. Privacy · DPA
• Cloudflare, Inc. (USA, global edge): Turnstile bot challenge. Privacy
• OpenRouter (OpenRouter, Inc.) (USA): LLM routing for the chat assistant. Privacy
• Groq, Inc. (USA): fallback LLM inference for the chat assistant. Privacy
• Resend (Resend, Inc.) (USA, EU region available): transactional email delivery. Privacy · DPA
• Cal.com, Inc.: booking widget and scheduling back-end. Privacy
• Google Ireland Ltd.: Google Fonts. Privacy
• Unsplash Inc.: image hotlinking. Privacy

10. Automated decision-making and profiling

No decisions with legal or similarly significant effect on you are made automatically. The chat assistant generates conversation replies; booking decisions are made by humans.

11. Your rights

Under the GDPR you have the right to:

• Access (Art. 15): confirmation of whether we process your data, and a copy of it.
• Rectification (Art. 16): correction of inaccurate data.
• Erasure (Art. 17): deletion, where the legal grounds apply.
• Restriction of processing (Art. 18).
• Data portability (Art. 20).
• Objection (Art. 21): in particular against processing based on legitimate interest.
• Withdrawal of consent (Art. 7(3)): without affecting the lawfulness of processing before withdrawal.

To exercise any of these, email hello@daystromworks.com.

12. Right to complain

You may lodge a complaint with the Austrian data protection authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
Email: dsb@dsb.gv.at
Web: dsb.gv.at

13. Changes

We may update this policy when the site or its processors change. Material changes will be highlighted at the top of this page.

Last updated: [FILL: launch date, e.g. 2026-04-26]