1. Data Controller

The data controller for this website and the KanCAT service is KanCAT, a company registered in England and Wales. Contact: privacy@kancat.uz.

2. Data We Collect

We collect the following categories of personal data:

  • Identifiers: name, email address (submitted via waitlist, demo request, or contact form).
  • Usage data: page views, click events, session recordings (PostHog), UTM parameters (Google Analytics 4).
  • Technical data: IP address, browser type and version, operating system, referrer URL.

We do not collect special category data (health, financial, biometric, or political information).

3. Legal Basis for Processing

  • Legitimate interest (Article 6(1)(f) GDPR): analytics to improve the service.
  • Consent (Article 6(1)(a) GDPR): marketing cookies and session recordings — you may withdraw consent at any time via the cookie banner.
  • Contract performance (Article 6(1)(b) GDPR): processing form submissions to respond to your inquiry.

4. Third-Party Data Processors

We use the following sub-processors. Each has a Data Processing Agreement (DPA) in place:

  • Paddle (payment processor) — EU Standard Contractual Clauses applicable. paddle.com/legal/dpa
  • PostHog EU (product analytics) — data stored in the EU region (eu.posthog.com). GDPR-compliant by design.
  • Google Analytics 4 — IP anonymisation enabled; Google DPA signed. Data processing in accordance with Google's EU data protection commitments.
  • Vercel (hosting) — Standard Contractual Clauses in place for EU data transfers.
  • Railway (application hosting) — SCCs in place.

5. Data Retention

  • Form submissions (waitlist, contact): 24 months from submission date.
  • Google Analytics 4: 14 months (default retention setting).
  • PostHog: configurable; currently set to 12 months.
  • Server logs: 30 days rolling.

6. Your Rights Under GDPR

As a data subject, you have the following rights. We will respond within 30 days of a valid request:

  • Access — request a copy of your personal data.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we restrict processing of your data.
  • Objection — object to processing based on legitimate interest.
  • Withdrawal of consent — withdraw consent for analytics or marketing at any time via the cookie banner or by emailing us.

To exercise any right, email privacy@kancat.uz.

7. Data Protection Contact

KanCAT does not meet the thresholds for a mandatory Data Protection Officer under GDPR Article 37 (fewer than 250 employees, no large-scale special-category processing). Our data protection contact is reachable at privacy@kancat.uz.

8. International Transfers

Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place — either the EU Standard Contractual Clauses (Module 2: Controller to Processor) or an adequacy decision by the European Commission. All processors listed in Section 4 are covered by such safeguards.

9. Cookies

We use cookies and similar tracking technologies. For a full list of cookies, their purposes, and retention periods, see our Cookie Policy. You can manage your cookie preferences at any time via the consent banner.

10. Updates to This Policy

We will update this policy when our data practices materially change. The date at the top of this page reflects the most recent revision. For material changes, we will notify users who have provided an email address.

11. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.