Privacy Policy

Last Updated: November 13, 2025

1. Introduction

Welcome to EuroToolkit ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.eurotoolkit.eu (the "Site").

Data Controller:
Yardbird
Nørre Søgade 27
1370 Copenhagen, Denmark
Company Registration: DK35898158
Email: info@eurotoolkit.eu

This Privacy Policy applies to all users of our Site, including visitors, registered users, and tool submitters. By using our Site, you agree to the collection and use of information in accordance with this policy.

2. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Consent: When you voluntarily provide information (e.g., subscribing to our newsletter, creating an account)
• Contract Performance: When processing is necessary to provide services you've requested (e.g., user accounts, tool submissions)
• Legitimate Interests: For analytics and improving our services, where your interests don't override ours
• Legal Obligation: When we must process data to comply with the law

3. Information We Collect

3.1 Information You Provide Directly

Account Registration:

• Email address
• Name (optional)
• Profile information you choose to provide

Tool Submissions:

• Tool name, description, and details
• Your name and contact information
• Website URLs and related information
• Any additional information you provide in your submission

Newsletter Subscription:

• Email address
• Subscription preferences

Payment Information:

• When you make a payment, we collect billing information through our payment processor, Stripe
• We do not store complete credit card numbers on our servers

Communications:

• Information you provide when contacting us via email or through our Site
• Correspondence and feedback

3.2 Information Collected Automatically

Technical Data:

• IP address
• Browser type and version
• Operating system
• Device information
• Pages visited and time spent on pages
• Referring website
• Date and time of access

Cookies and Similar Technologies:
We use only essential cookies required for site functionality:

• Essential Cookies: Required for authentication and basic site functionality (Better Auth session cookies)

Privacy-Friendly Analytics: Both PostHog (configured in cookieless mode) and Plausible Analytics operate without setting cookies, respecting user privacy by default.

For more information about cookies, see Section 5 below.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision

• Creating and managing user accounts
• Processing and reviewing tool submissions
• Providing access to our directory of tools
• Sending transactional emails related to your account or submissions

4.2 Communication

• Sending newsletters (only if you've subscribed)
• Responding to your inquiries and support requests
• Sending important updates about our services
• Notifying you about changes to our terms or policies

4.3 Payment Processing

• Processing payments through Stripe
• Managing subscriptions
• Preventing fraud and abuse

4.4 Analytics and Improvement

• Understanding how users interact with our Site
• Analyzing user behavior and preferences
• Improving our services, content, and user experience
• Debugging and fixing technical issues
• Conducting research and analysis

4.5 Security and Legal Compliance

• Protecting against security threats and fraud
• Enforcing our Terms of Service
• Complying with legal obligations
• Protecting our rights and property

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

Essential Cookies (Functional)

• Purpose: Authentication, session management, and core site functionality
• Provider: Better Auth
• Duration: Session-based and persistent
• Legal Basis: Necessary for site operation
• Note: These are the ONLY cookies we use on our Site

Analytics (No Cookies)

• Purpose: Understanding site usage and user behavior
• Providers: PostHog (cookieless mode), Plausible Analytics
• Cookies: None - both configured to operate without cookies
• Legal Basis: Legitimate interest
• Privacy: Both services are configured for maximum privacy, collecting only aggregated, anonymous data

5.2 Why We Don't Need Cookie Consent Banners

Since we only use essential cookies required for authentication and site functionality, and our analytics tools operate in cookieless mode, we do not require cookie consent banners under the ePrivacy Directive. You can use our Site without accepting any tracking cookies.

5.3 Managing Essential Cookies

You can control and manage essential cookies through your browser settings. However, please note that blocking essential cookies will prevent you from:

• Logging into your account
• Maintaining your session
• Using authenticated features

Browser-Specific Instructions:

• Chrome: Settings > Privacy and security > Cookies
• Firefox: Settings > Privacy & Security > Cookies
• Safari: Preferences > Privacy > Cookies
• Edge: Settings > Privacy > Cookies

5.4 Do Not Track Signals

Our analytics tools (PostHog and Plausible) are configured to respect user privacy by default. Both operate without cookies and collect only aggregated, anonymous data. We do not track individual users across websites.

6. Third-Party Services and Data Sharing

We share your information with the following third-party service providers:

6.1 Essential Service Providers

Stripe (Payment Processing)

• Purpose: Processing payments and subscriptions
• Data Shared: Billing information, transaction details
• Location: United States (adequate safeguards in place)
• Privacy Policy: https://stripe.com/privacy

Resend (Email Delivery)

• Purpose: Sending transactional emails and newsletters
• Data Shared: Email address, name
• Privacy Policy: https://resend.com/legal/privacy-policy

Better Auth (Authentication)

• Purpose: User authentication and session management
• Data Shared: Email, authentication data
• Note: Open-source library, data remains on our servers

6.2 Analytics Providers

PostHog (Product Analytics)

• Purpose: Understanding user behavior and improving our service
• Data Shared: Usage data, events, anonymized identifiers
• Configuration: Cookieless mode - no cookies set
• Location: United States (data can be stored in EU upon request)
• Privacy Policy: https://posthog.com/privacy

Plausible Analytics (Web Analytics)

• Purpose: Privacy-friendly website analytics
• Data Shared: Aggregated, anonymous usage statistics (no personal data)
• Location: European Union
• Privacy Policy: https://plausible.io/privacy
• Note: Fully GDPR compliant, no cookies, no personal data collection

6.3 Infrastructure Providers

Amazon Web Services (AWS S3)

• Purpose: File storage (if applicable)
• Data Shared: Files and associated metadata
• Location: EU region
• Privacy Policy: https://aws.amazon.com/privacy/

Upstash Redis

• Purpose: Rate limiting and caching
• Data Shared: Temporary session data, IP addresses
• Privacy Policy: https://upstash.com/privacy

ScreenshotOne

• Purpose: Generating tool preview screenshots
• Data Shared: Website URLs submitted by users
• Privacy Policy: https://screenshotone.com/privacy-policy/

6.4 OAuth Providers (Optional)

Google (Social Login)

• Purpose: Alternative authentication method
• Data Shared: Email, name, profile picture (only if you choose to use Google login)
• Privacy Policy: https://policies.google.com/privacy

6.5 Data Sharing Principles

We do not:

• Sell your personal data to third parties
• Share your data for marketing purposes without your consent
• Provide your data to third parties except as described in this policy

We may share your information:

• When required by law or legal process
• To protect our rights, property, or safety
• In connection with a business transfer (merger, acquisition)
• With your explicit consent

7. International Data Transfers

As we operate in Denmark and target EU users, we prioritize keeping data within the European Economic Area (EEA). However, some of our service providers are located outside the EEA, primarily in the United States.

When we transfer personal data outside the EEA, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Privacy Shield Framework (where applicable)
• Explicit consent from users

Service providers in the United States (Stripe, PostHog, parts of AWS) have implemented appropriate safeguards for EU data, including SCCs and compliance with EU-US data transfer frameworks.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:

Account Data:

• Retained while your account is active
• Deleted within 30 days of account deletion request
• Some data may be retained longer if required by law

Tool Submissions:

• Retained indefinitely while the tool listing is active
• Deleted upon request (subject to legitimate business interests)

Newsletter Subscriptions:

• Retained until you unsubscribe
• Deleted within 30 days of unsubscribing

Payment Records:

• Retained for 7 years for accounting and legal compliance purposes

Analytics Data:

• PostHog: Configurable retention period (default 7 years, can be reduced)
• Plausible: Aggregated data retained indefinitely, no personal data stored

Communication Records:

• Support emails and inquiries: Retained for 2 years
• Legal correspondence: Retained as required by law

Automatically Collected Data:

• Server logs: 90 days
• Session data: Duration of session or 30 days

9. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, request access to that data.

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure/"Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

9.4 Right to Restriction of Processing (Article 18)

You can request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful, but you don't want the data erased
• We no longer need the data, but you need it for legal claims
• You've objected to processing pending verification

9.5 Right to Data Portability (Article 20)

You can request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects.

9.8 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

9.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of the alleged infringement.

Danish Data Protection Authority (Datatilsynet):
Carl Jacobsens Vej 35
2500 Valby, Denmark
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk

10. How to Exercise Your Rights

To exercise any of your rights under GDPR, please contact us at:

Email: info@eurotoolkit.eu
Subject Line: "GDPR Request - [Your Right]"

Please include:

• Your full name and email address
• Description of your request
• Proof of identity (if necessary to prevent unauthorized access)

We will respond to your request within one month of receipt. In complex cases, we may extend this by two additional months and will inform you of the extension.

Account Settings:
You can also directly update or delete certain information through your account settings:

• Update your profile information
• Change email preferences
• Delete your account

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

11.1 Technical Measures

• Encryption of data in transit (HTTPS/TLS)
• Encryption of data at rest
• Secure authentication with Better Auth
• Regular security updates and patches
• Rate limiting to prevent abuse (Upstash Redis)
• Database security and access controls (PostgreSQL/Prisma)

11.2 Organizational Measures

• Limited access to personal data (need-to-know basis)
• Regular security audits and monitoring
• Employee training on data protection
• Incident response procedures
• Secure development practices

11.3 Third-Party Security

All third-party service providers are carefully vetted and required to maintain appropriate security measures and comply with GDPR requirements.

11.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected users without undue delay
• Document the breach and our response

12. Children's Privacy

Our Site is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@eurotoolkit.eu, and we will delete such information from our systems.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify users of material changes via email (for registered users)
• Post a notice on our Site
• For significant changes affecting your rights, we may seek your renewed consent

We encourage you to review this Privacy Policy periodically. Your continued use of the Site after changes are posted constitutes acceptance of the updated policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: info@eurotoolkit.eu
Data Controller: Yardbird
Address: Nørre Søgade 27, 1370 Copenhagen, Denmark
Company Registration: DK35898158

Response Time: We aim to respond to all inquiries within 5 business days.

15. Additional Information for EU Users

15.1 Legal Requirements

This Privacy Policy complies with:

• General Data Protection Regulation (GDPR) - EU Regulation 2016/679
• Danish Data Protection Act (Databeskyttelsesloven)
• ePrivacy Directive (2002/58/EC)

15.2 Purpose Limitation

We process personal data only for the specific purposes outlined in this policy and do not use it in ways incompatible with those purposes without informing you.

15.3 Data Minimization

We collect only the personal data necessary for the purposes for which it is processed.

15.4 Accuracy

We take reasonable steps to ensure personal data is accurate and up to date. You can help us by updating your information when it changes.

15.5 Storage Limitation

We retain personal data only as long as necessary for the purposes outlined in Section 8 (Data Retention).

15.6 Integrity and Confidentiality

We implement appropriate security measures as outlined in Section 11 (Data Security).

15.7 Accountability

We maintain records of our processing activities and can demonstrate compliance with GDPR principles upon request.

16. Cookie Consent Management

Good News: No Cookie Banner Required

Since we only use essential cookies for authentication and site functionality, and our analytics tools (PostHog and Plausible) operate in cookieless mode, we do not require cookie consent banners under EU ePrivacy Directive.

What This Means for You:

• No annoying cookie popups
• Full site functionality without consent prompts
• Privacy-first approach from the start
• You can still manage essential cookies through your browser settings

Essential Cookies:
Essential cookies (Better Auth session cookies) are exempt from consent requirements under GDPR and ePrivacy Directive because they are strictly necessary for providing the service you explicitly request (authentication and account access).

If you wish to disable even essential cookies, you can do so through your browser settings, though this will prevent you from logging in and using authenticated features.

17. Specific Service Information

17.1 Newsletter

• Purpose: Sending updates about new tools and directory news
• Frequency: Monthly (approximately)
• Legal Basis: Consent
• Unsubscribe: Use the unsubscribe link in any email or contact info@eurotoolkit.eu
• Provider: Resend
• Data Stored: Email address, subscription date, open/click data

17.2 Tool Submissions

• Review Process: Submissions are manually reviewed before publication
• Publication: Approved tools become publicly visible
• Attribution: Submitter information may be displayed with the tool listing (as provided)
• Retention: Tool listings remain active unless removal is requested
• Removal Requests: Contact info@eurotoolkit.eu

17.3 User Accounts

• Purpose: Managing tool submissions, preferences, and interactions
• Authentication: Email-based magic links or Google Account login
• Session Management: Better Auth session cookies
• Data Access: Users can access and modify their data through account settings
• Account Deletion: Request via email or through account settings

18. Automated Processing and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects users. Analytics data is used only for aggregate insights and service improvement.

19. Marketing Communications

We will only send marketing communications (newsletters) to users who have explicitly opted in. You can:

• Opt out at any time using the unsubscribe link
• Update your email preferences in your account settings
• Contact us to update your preferences

We do not share your email address with third parties for their marketing purposes.

20. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will:

• Notify you via email before the transfer
• Ensure the new entity adheres to this Privacy Policy or provide you with notice of changes
• Give you the opportunity to delete your account before the transfer

Summary for Users

We take privacy seriously and use a cookieless, privacy-first approach. We only use essential cookies for authentication - no tracking cookies at all. Our analytics tools (PostHog and Plausible) operate without cookies, collecting only aggregated, anonymous data. You have full rights under GDPR to access, correct, delete, or port your data. We only share data with trusted service providers who help us operate the service. Your data stays secure, and we never sell it to third parties.

Privacy Highlights:

• ✅ No tracking cookies
• ✅ No cookie consent banners needed
• ✅ Privacy-friendly analytics
• ✅ Full GDPR rights

For questions or to exercise your rights, email us at info@eurotoolkit.eu.

This Privacy Policy is effective as of November 26, 2025.