COSMOS-SECURE
ENSK

Legal

Personal Data Processing Terms

1. Data Controller

The controller of personal data, i.e. the entity that processes the personal data of the data subject, is Decent Cybersecurity s. r. o., with its registered office at Teplická 4, Piešťany 921 01, Company ID: 52682846 (hereinafter the “Controller”).

We value the privacy of all individuals and respect their right to the protection of personal data. The Controller processes personal data in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on the amendment and supplementation of certain acts, and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR) (hereinafter the “Act”).

The Controller processes personal data only on lawful legal bases:

  • performance of a contract or pre-contractual measures
  • compliance with a legal obligation under a special regulation
  • performance of a task carried out in the public interest
  • fulfilment of the legitimate interests of the Controller, unless overridden by the legitimate interests of the data subject
  • where it is necessary to protect the life, health or property of the data subject or of another natural person

In other cases, we process personal data of data subjects only with their consent, which the data subject may withdraw at any time.

2. Purposes and Legal Basis of Processing

Where a contractual relationship exists between the data subject and the Controller, the Controller processes personal data on the legal basis of the contract, exclusively to the extent necessary to fulfil the purposes of that contract.

The Controller also processes personal data of data subjects for the purpose of handling enquiries, addressing shortcomings and conducting surveys, on the legal basis of legitimate interest or the consent of the data subject, in the scope of name, surname, address, e-mail and telephone number.

For the operation of the website cos-sec.eu, the Controller processes anonymised traffic data via Google Analytics, exclusively after the data subject has granted consent through the cookie banner. The legal basis is the data subject’s consent under Art. 6(1)(a) GDPR.

3. Cookies and Google Analytics

The website cos-sec.eu uses cookies to improve functionality. By browsing our pages after granting consent, you agree to the use of cookies in accordance with your browser settings.

The contact form and protected sections of cos-sec.eu may use the Cloudflare Turnstile service to verify that the visitor is not an automated bot. Turnstile processes: the visitor’s IP address, the browser User-Agent and basic device information. These data are used solely for verification and are not stored long-term. Provider: Cloudflare Inc., San Francisco, USA. The legal basis is the Controller’s legitimate interest in protection against automated attacks under Art. 6(1)(f) GDPR.

The website uses Google Analytics 4 (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for anonymised traffic measurement.

Google Analytics is activated only after the visitor has granted consent through the cookie banner. Without consent, no analytics cookies are stored and no data is transmitted.

Types of cookies used:

  • Strictly necessary cookies — used for the secure and optimal display of the website. They do not collect information for marketing purposes.
  • Performance cookies — used for anonymous analysis of visitor behaviour on the website (Google Analytics).

What data Google Analytics collects:

  • IP address — Google Analytics 4 processes the IP only temporarily to determine geographic location and does not store it in reports. Sharing the IP with Google is subject to Google Consent Mode v2 settings and the data processing agreement between the Controller and Google Ireland Limited.
  • Pages viewed and time spent on the page
  • Device and browser type
  • Country of access (based on anonymised IP)

What data Google Analytics does not collect:

  • Name, e-mail or any directly identifying data
  • Data is not used for remarketing or advertising
  • We do not track individual users across websites (no User-ID)

Cookie storage period: Analytics cookies are stored for a maximum of 12 months from the granting of consent.

How to change your cookie settings: Most internet browsers allow you to delete cookies, block all cookies or only third-party cookies. The procedure depends on the browser you are using. Disabling certain cookies may affect the functionality of the website.

4. Retention Period of Personal Data

All personal data is processed only to the extent necessary to fulfil the stated purposes and only for the time required to achieve those purposes, but no longer than the period set by the applicable legal regulations.

Personal data processed on the basis of the data subject’s consent is processed until the consent is withdrawn. However, the Controller may continue to process certain data after withdrawal of consent if it has another legal basis to do so.

Personal data processed on the legal basis of legitimate interest or for direct marketing purposes is processed until the data subject lodges an objection.

5. Recipients of Personal Data

The Controller may disclose personal data of data subjects to third parties only where required or permitted by law, or with the consent of the data subject. The Controller discloses personal data to the following processors:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — Google Analytics service (anonymised website traffic data)
  • Supabase, Inc. (USA) — backend and authentication provider. Processes e-mail addresses, encrypted passwords and IP addresses of users at sign-in. Data regions in the EU.
  • Cloudflare, Inc. (USA) — Turnstile service for protection against automated attacks. Processes the IP address and technical browser attributes.
  • Anthropic PBC (USA) — text content processing via the Claude API. Does not process personal data of website users, only the content of aggregated public sources.
  • Firecrawl (USA) — technical provider of scraping of publicly available websites. Does not process personal data of website users.
  • Lovable AB (Sweden) — development and hosting platform, mediates calls to AI models.

The Controller ensures that each processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures in accordance with Art. 28 GDPR. For transfers of personal data outside the EU/EEA, the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) or other appropriate safeguards under Chapter V GDPR apply. Updates to contractual relationships with processors take place on an ongoing basis.

The Controller may further disclose personal data to providers of external services (technical support, server services, traffic measurement) to the extent strictly necessary.

6. Rights of the Data Subject

The data subject has the following rights in relation to the processing of personal data:

Right of access — the data subject has the right to obtain from the Controller confirmation as to whether their personal data is being processed and, if so, to request information about the processing.

Right to rectification — the data subject has the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to data portability — where personal data is processed on the legal basis of contract or consent, the data subject has the right to data portability in a structured, commonly used and machine-readable format.

Right to erasure — the data subject has the right to have personal data erased where:

  • it is processed in breach of the law
  • consent has been withdrawn
  • the data subject objects to the processing and there are no overriding legitimate grounds of the Controller
  • the personal data is no longer necessary for the purpose for which it was obtained
  • the retention period for the personal data has expired

Right to restriction of processing — the data subject has the right to restrict the processing of personal data in the cases set out in the Act.

Right to object — the data subject has the right to object to the processing of personal data in all cases where the legal basis is the legitimate interest of the Controller, as well as in the case of direct marketing including profiling.

Right to lodge a complaint — if the data subject suspects that personal data is being processed unlawfully, they have the right to file a motion to initiate proceedings with the Office for Personal Data Protection of the Slovak Republic (www.dataprotection.gov.sk).

Right to withdraw consent — where the legal basis of processing is consent, the data subject may withdraw consent at any time free of charge using the contact details below. Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.

7. Contact

The data subject may exercise their rights and contact the Controller at:

Decent Cybersecurity s. r. o.
Teplická 4, Piešťany 921 01
Company ID: 52682846

E-mail: michaela.abel@decentcybersecurity.eu

8. Changes to This Document

The Controller reserves the right to update this document. The current version is always available on this page.

Last updated: May 2026