01 Who we are
CatinTech is the operator of this website and the platform behind your client portal. We're the data controller for the personal data described below. Our legal identity, registration details and contact email are on the Imprint page.
When you take a hosting subscription, we additionally act as a data processor for the personal data your end-users generate on the site we operate for you. That relationship is governed by the Data Processing Agreement.
02 What we collect
From the marketing site
- Lead form submissions — name, email, optional company and budget range, message body, locale, source page, user-agent, and IP address.
- Locale preference — stored as a cookie so we don't re-ask on every visit.
- Server logs — aggregated request counters and error stacks. No third-party analytics, no tracking pixels.
From the client portal
- Account — email, hashed password, role, locale, email-verified timestamp.
- Profile — display name, company, optional billing address.
- Project content — your brief, attachments, and ticket messages.
- Operational — IP and timestamps tied to Terms-of-Service acceptances and security-sensitive events.
From the payment flow
- Stripe metadata — charge ID, invoice ID, last 4 digits of card. We never see or store full card numbers; they stay inside Stripe's PCI environment.
03 Why we use it
We process the data above for these purposes only:
- To send you the offer you requested and the invoices for it.
- To run the website, the platform, and the ticketing system.
- To detect fraud and abuse, and to keep your account secure (e.g. rate-limiting, breach detection).
- To comply with legal obligations (accounting, tax, EU consumer protection).
We do not sell your data, we do not use it to train AI models, and we do not share it with advertisers.
04 Legal bases (GDPR Art. 6)
- Contract — Art. 6(1)(b) — to deliver the services you signed up for.
- Legal obligation — Art. 6(1)(c) — bookkeeping, invoicing, EU consumer law.
- Legitimate interest — Art. 6(1)(f) — abuse prevention, error monitoring, securing the platform.
06 How long we keep it
- Account & project data — for the duration of the engagement plus 24 months for warranty and tax purposes, then deleted.
- Stripe metadata — 10 years, as required by EU accounting law.
- Marketing leads that never convert — 24 months from last contact, then deleted.
- Server logs — 30 days for application logs, 12 months for security-relevant events.
07 Your rights
You can:
- Access a copy of your data
- Correct inaccuracies
- Delete your data (right to be forgotten)
- Export your data in a portable format
- Restrict or object to certain processing
- Lodge a complaint with your national supervisory authority
The fastest way is the data-request form. We respond within 30 days at the latest, almost always in one or two business days.
08 How we protect it
TLS 1.2+ everywhere, AES-256 at rest, role-based access with MFA on admin consoles, dependency scanning in CI, encrypted nightly backups, and audit logs on every administrative action. The full list lives in the DPA, section 6.
10 Changes to this policy
We update this page whenever something material changes (new vendor, new purpose, longer retention, etc.) and notify account holders by email at least 30 days before any change goes live, unless the change is purely clarifying.
11 Contact
For anything privacy-related, write to hello@catintech.com with subject “Privacy” or use the data-request form.