Privacy Policy

Last Update: 30.12.2024

This Privacy Policy describes how Diletta Luna OÜ (registry code 14646450), located at Sepapaja 6, 15551 Tallinn, Estonia ("we", "us", or "our"), processes personal data when you use our Directonaut service. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

1. Data Controller

Diletta Luna OÜ acts as the data controller for your personal data. For any privacy-related inquiries, please use our contact form.

2. Personal Data We Process

We collect and process the following categories of personal data:

  • Account information: email address, password (encrypted), account settings
  • Business information: company name and website data (including stored copies for service personalization)
  • Service data: website analysis results, AI-generated insights, and directory submission data
  • Payment information: transaction records (payment amounts, dates) - note that actual payment processing is handled by Stripe
  • Usage data: IP address, browser type, device information, interaction with our service
  • Communication data: support requests, feedback, correspondence with us
  • Technical data: cookies, log files, device identifiers
  • Analytics data: service usage patterns, feature interaction statistics

We maintain copies of your website content to provide personalized AI-powered tools, user research, and data-backed growth strategies. This data may be updated periodically to ensure the accuracy of our services.

For users under 13 years of age: We do not knowingly collect or process personal data from children under 13 years old. If you become aware that a child has provided us with personal data, please contact us immediately.

We use AI models to analyze website content and provide recommendations. This involves:

  • Processing website content through AI models for analysis
  • Generating automated insights and recommendations
  • Creating personalized growth strategies

All AI processing is done in compliance with GDPR Article 22 regarding automated decision-making.

3. Legal Basis and Purposes

We process your personal data based on the following legal grounds:

  • Contract performance: To provide AI-powered tools for customer discovery, automated directory submissions, and data-driven growth strategies
  • Legal obligations: To comply with accounting and tax laws
  • Legitimate interests: To improve our services, ensure security, and enhance service personalization
  • Consent: For marketing communications (where applicable)

We use your data specifically to:

  • Deliver personalized AI-powered research and insights
  • Automate directory submissions and track their status
  • Process payments and maintain transaction records
  • Provide customer support and respond to inquiries
  • Improve and optimize our service functionality
  • Ensure security and prevent fraud
  • Send service-related notifications

For AI-powered features, which are core to our service, we rely on:

  • Contract performance (Article 6(1)(b) GDPR), as these features are essential to providing our services
  • Legitimate interests (Article 6(1)(f) GDPR) for continuous service improvement and personalization

Since AI processing is fundamental to how Directonaut operates, you cannot opt out of AI-powered features while using our service. If you do not wish to have your data processed by AI systems, you will need to discontinue using Directonaut.

4. International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA). When we do, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions issued by the European Commission
  • Binding Corporate Rules where applicable
  • Additional technical measures to ensure data security

Our primary data processing occurs within the EU, but some services may involve transfers to:

  • United States (for certain cloud services and analytics)
  • Other countries where our service providers operate

You can request information about specific transfer mechanisms by contacting us.

5. Security Measures

We implement appropriate technical and organizational measures following Article 32 of the GDPR to ensure data security:

  • End-to-end encryption for data in transit
  • Multi-factor authentication (MFA) for admin account access where possible
  • Regular automated security scanning and vulnerability assessments
  • Strict access controls based on the principle of least privilege
  • Comprehensive incident response and breach notification procedures
  • Automated system monitoring and intrusion detection
  • Secure development practices and code reviews

We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintain ISO 27001 aligned security practices.

In case of a personal data breach that risks your rights and freedoms, we will notify:

  • The Estonian Data Protection Inspectorate within 72 hours
  • Affected individuals without undue delay
  • Our Data Protection Officer immediately

6. Data Sharing and Processors

We share your personal data with these categories of processors:

  • Payment processing: Stripe handles all payment processing
  • Data storage: Backblaze for secure data storage and backups
  • Email delivery: Postmark for sending transactional emails
  • PDF generation: API2PDF for creating PDF documents
  • AI processing: Dify.ai, Anthropic (Claude), and OpenAI for AI-powered analysis and insights
  • Analytics services (with pseudonymized data)
  • Directory services (only when explicitly requested by you)

All our processors are bound by Data Processing Agreements that ensure GDPR compliance and appropriate data protection measures. We carefully select our service providers to ensure they meet our security and privacy standards.

6.1 Records of Processing Activities

In accordance with Article 30 of the GDPR, we maintain detailed records of our processing activities, including:

  • Categories of processing activities
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Technical and organizational security measures

These records are available to supervisory authorities upon request and help us maintain accountability for our data processing activities.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. This includes:

  • Account and service data: For as long as needed to provide our services
  • Transaction records: As required by applicable tax and accounting laws
  • Usage data: Up to 12 months for service optimization
  • Communication records: As needed for support and service improvement

7.1 Data Minimization

We follow data minimization principles by:

  • Only collecting data necessary for our services
  • Automatically deleting unnecessary data
  • Regularly reviewing and updating data retention periods
  • Providing options to limit data processing

8. Your Rights

Under the GDPR, you have the following rights:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent for marketing

To exercise these rights, please use our contact form. We'll respond within one month. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee).

9. Cookies

We use the following types of cookies:

  • Essential cookies: Required for service functionality
  • Analytics cookies: To understand service usage (with your consent)
  • Functional cookies: To remember your preferences

You can manage cookie preferences through your browser settings.

9.1 Automated Decision-Making and Profiling

Our service is built around AI-powered automation for website analysis and insights. This is a core feature that:

  • Analyzes your website content and structure using AI models
  • Generates automated recommendations for improvements
  • Processes automated directory submissions
  • Provides performance scoring and benchmarking

While our service is AI-driven, we ensure transparency by:

  • Providing clear explanations of how we reach conclusions
  • Allowing you to review and challenge any recommendations
  • Having human oversight of our AI systems
  • Maintaining high standards of AI accuracy and fairness

9.2 Startup Growth and Data Protection

As a growing startup, we may:

  • Introduce new features and processing activities
  • Partner with additional service providers
  • Expand to new markets

We commit to:

  • Notifying you of significant changes
  • Maintaining data protection standards during growth
  • Conducting privacy impact assessments for new features
  • Ensuring vendor compliance with our privacy standards

10. Changes to This Policy

We may update this policy occasionally to reflect changes in our practices or legal requirements. We'll notify you of significant changes through our service or by email. Continued use of our service after such changes constitutes acceptance of the updated policy.

11. Contact Information and Data Protection Officer

For any privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:

Diletta Luna OÜ
Attn: Data Protection Officer
Sepapaja 6
15551 Tallinn
Estonia

Please use our contact form for all inquiries.

12. Salvatory Clause

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired. Any invalid, illegal, or unenforceable provision shall be deemed to be modified to the extent necessary to render it valid, legal, and enforceable while preserving its intent, or if such modification is not possible, shall be severed from this Privacy Policy.