
Privacy Policy

Last updated: April 4, 2026

This Privacy Policy explains how SToFU Systems S.L. collects, uses, stores, protects, and discloses personal data in connection with this website, pre-contract communications, business development activity, and related operational processes.

We work in engineering domains where trust matters. That means privacy, security, and restrained handling of information are not side topics for us. They are part of how we operate.

In practice, we shape our public-site and client-facing personal-data handling around strict data-minimization, access-control, retention, and transfer principles, with GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and contract-based controls such as NDAs, DPAs, and SCCs in mind where they apply.

Scope note. This Privacy Policy applies to the public website at stofu.io, our contact flows, and related communications. If we begin working together under a separate NDA, MSA, SOW, DPA, or other signed contract, that separate agreement may govern project-specific or client-specific data processing and will prevail where it conflicts with this website policy.

Contents

  1. Who We Are
  2. Scope of This Policy
  3. Categories of Personal Data We May Process
  4. How We Collect Personal Data
  5. Why We Use Personal Data and Our Legal Bases
  6. Cookies, Consent, and Similar Technologies
  7. When We Share Personal Data
  8. International Transfers
  9. Data Retention
  10. Security and Confidentiality
  11. Your Rights
  12. Marketing Communications
  13. Children and Sensitive Information
  14. Third-Party Websites and Services
  15. Contact Details and Complaints
  16. Changes to This Policy

1. Who We Are

For the purposes of this Privacy Policy, the controller of personal data processed through this public website is SToFU Systems S.L., a company operating from Spain. In this Privacy Policy, “SToFU,” “we,” “us,” and “our” mean SToFU Systems S.L.

Our primary public contact for privacy-related matters is midgard@stofu.io. If you need legal, procurement, or compliance-specific coordination, you may also use the same address as an initial contact point and we will route the request appropriately.

2. Scope of This Policy

This Privacy Policy covers personal data processed in connection with:

  • your use of the public website and its pages;
  • messages you send through our contact form or by direct email;
  • requests for technical review, proposals, consultations, or qualification calls;
  • security, anti-spam, anti-abuse, and fraud-prevention controls used on the website;
  • analytics that are enabled only if you affirmatively accept optional analytics cookies;
  • business development communications before a separate customer agreement is signed.

This Privacy Policy does not replace project-specific contractual documents. If we process client production data, end-user data, or regulated datasets under a separate agreement, those specific terms may impose narrower purposes, additional security measures, and more detailed processor/controller allocations.

3. Categories of Personal Data We May Process

Depending on how you interact with us, we may process the following categories of personal data:

3.1 Identity and Contact Data

  • name;
  • email address;
  • business contact details you voluntarily provide;
  • job title, company name, or other professional identifiers if you include them in your communication or signature block.

3.2 Communication and Inquiry Data

  • the contents of messages you send through our contact form;
  • email correspondence and scheduling-related communications;
  • project summaries, technical requirements, architecture notes, timelines, and procurement context you voluntarily share;
  • records of whether and when we responded to your inquiry.

3.3 Technical and Usage Data

  • IP address and derived network segment information used for rate limiting and security review;
  • browser type, device type, operating system, and basic request metadata;
  • HTTP origin/referrer signals where available;
  • page path information associated with a form submission;
  • consent preferences for cookie settings;
  • limited analytics data if you have accepted optional analytics cookies.

3.4 Security and Anti-Abuse Data

  • anti-spam form validation tokens and associated timestamps;
  • hashed or normalized indicators used to detect automated abuse, duplicate submissions, or malicious traffic;
  • blocked-attempt logs and related security telemetry.

3.5 Marketing and Relationship Data

  • your preferences if you ask to receive follow-up communication;
  • business relationship status such as prospective client, referral, partner, supplier, or existing client contact;
  • notes necessary to manage a legitimate business conversation.

3.6 Publicly Available Information

If you contact us in a business context, we may also review publicly available professional information reasonably necessary to understand your inquiry, such as a company website, public company profile, or publicly listed professional role. We do not collect this material indiscriminately; we do so only where it helps us qualify a serious engineering conversation.

4. How We Collect Personal Data

We may collect personal data in the following ways:

  • Directly from you when you complete a contact form, send us an email, request a call, or otherwise communicate with us.
  • Automatically through standard server and security processes when you visit the website, submit forms, or interact with site functionality.
  • Through your cookie preferences when you accept or reject optional analytics.
  • From third parties you choose to use, such as external scheduling tools or social platforms, but only to the extent required by your interaction with those services.
  • From publicly available sources where reasonably necessary to understand a business inquiry or evaluate service fit.

5. Why We Use Personal Data and Our Legal Bases

Applicable privacy laws require us to identify why we process personal data and what legal basis supports that processing. Depending on the context, we rely on one or more of the following legal bases: your consent, our legitimate interests, performance of a contract, steps requested by you prior to entering into a contract, and compliance with legal obligations.

5.1 To Respond to Your Inquiry

We use your contact details and message content to review your request, determine technical fit, and respond appropriately.

Legal basis: pre-contract steps requested by you; legitimate interests in operating a professional services business.

5.2 To Evaluate Service Fit and Prepare Commercial or Technical Follow-Up

We may use the data you provide to assess whether we can support the engagement, route your request internally, prepare a next-step recommendation, schedule a call, or provide a proposal or scope discussion.

Legal basis: pre-contract steps; legitimate interests.

5.3 To Secure the Website and Prevent Abuse

We use anti-spam controls, origin checks, rate limits, duplicate-detection logic, challenge tokens, and related security measures to protect our systems and reduce malicious or automated submissions.

Legal basis: legitimate interests in network, application, and communication security.

5.4 To Operate and Improve the Website

We use technical data to maintain the website, troubleshoot failures, optimize performance, and improve usability. If you opt in to optional analytics, we may also use aggregate insights to understand which pages are useful and where visitors meaningfully engage.

Legal basis: legitimate interests for strictly necessary technical processing; consent for optional analytics where required by law.

5.5 To Manage Business Records and Legal Risk

We may retain and use relevant communications to document business interactions, maintain internal records, comply with law, respond to legal requests, and establish, exercise, or defend legal claims.

Legal basis: legal obligations; legitimate interests.

5.6 To Send Relevant Follow-Up Communication

If you initiate a business conversation with us, we may send follow-up messages related to your inquiry, an active commercial discussion, or a directly relevant service conversation. Where required by applicable law, we will rely on your consent before sending non-essential marketing communications.

Legal basis: consent where legally required; otherwise legitimate interests in business development conducted proportionately and professionally.

5.7 No Sale of Personal Data

We do not sell your personal data. We also do not use the public website as a channel for data brokerage or broad advertising profiles. We do not treat inquiry data as an asset to be monetized outside the context of operating our own business.

6. Cookies, Consent, and Similar Technologies

We use a minimal consent and browser-storage setup designed to support site stability and optional analytics, together with server-side request-integrity controls for the contact flow. Our public site presents a consent interface that allows you to accept or reject optional analytics.

6.1 Essential Site Storage and Request Integrity Controls

These mechanisms are used to support functions that are reasonably necessary for the site to operate as intended, including:

  • remembering your consent preference in local browser storage so we do not repeatedly prompt you;
  • issuing and validating contact-form security tokens without relying on ordinary browsing cookies;
  • supporting anti-spam and abuse-prevention logic;
  • maintaining safe and stable website behavior.

On the public site, if you reject optional analytics, the site is designed not to place its own cookies during ordinary browsing.

6.2 Optional Analytics

We only enable optional analytics after an affirmative acceptance. If you reject optional analytics, analytics should not be loaded. At the time of this policy update, the site uses a Google Analytics implementation that is gated behind the site’s consent choice and configured with IP anonymization.

6.3 Consent Choices

You can typically manage your choice in one or more of the following ways:

  • by using the cookie banner when it appears;
  • by reopening cookie settings through the website interface where available;
  • through your browser settings, subject to the limitations of browser-level controls.

6.4 No Broad Ad-Tech Stack

We do not intentionally run a large advertising or cross-site profiling stack on this public site. Our approach is deliberately narrower: essential functionality first, optional analytics only upon consent, and proportionate security logging where needed.

7. When We Share Personal Data

We may disclose personal data only where reasonably necessary, including to the following categories of recipients:

  • hosting, infrastructure, and IT providers that help us operate the website or supporting systems;
  • email and communication service providers used to receive, route, or respond to inquiries;
  • security and operational support providers where needed to maintain system integrity or investigate abuse;
  • analytics providers if, and only if, optional analytics have been enabled through your consent choice;
  • professional advisors, such as legal, accounting, insurance, or compliance advisors, where disclosure is reasonably necessary;
  • competent authorities, courts, regulators, or law enforcement when required by law or necessary to protect rights, property, or safety;
  • counterparties in a corporate transaction such as a restructuring, merger, financing, acquisition, or sale, subject to appropriate confidentiality measures.

Where third parties process personal data on our behalf, we expect them to handle that data only for the authorized purpose and under appropriate confidentiality and security obligations.

8. International Transfers

Because internet infrastructure, technical service providers, and business operations may involve more than one country, personal data may be processed outside your country of residence, including outside Spain and, where relevant, outside the EEA or UK.

When we transfer personal data across borders, we aim to use appropriate safeguards that are suitable to the context. Depending on the transfer, those safeguards may include contractual commitments, standard contractual clauses, vendor privacy commitments, technical controls, and access restrictions designed to ensure a comparable level of protection.

No cross-border transfer mechanism eliminates all risk. However, we take the subject seriously and try to match the sensitivity of the data with the level of operational discipline applied to it.

9. Data Retention

We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including operational follow-up, business recordkeeping, security review, compliance, and the establishment, exercise, or defense of legal claims.

The actual retention period depends on context, but in general:

  • inquiry and correspondence records may be kept for a reasonable period while a discussion is active or could reasonably be resumed;
  • security and anti-abuse records may be retained for as long as necessary to investigate patterns, enforce controls, or protect the site;
  • consent preferences may be stored in local browser storage to avoid repeatedly asking the same user for the same decision;
  • analytics data retention depends on the relevant analytics configuration and your consent state;
  • some information may be retained longer where legal, regulatory, accounting, tax, or dispute-related obligations require it.

When data is no longer needed, we seek to delete, anonymize, or otherwise render it unusable, subject to the practical and legal constraints of the system involved.

10. Security and Confidentiality

We apply technical and organizational measures designed to reduce the risk of unauthorized access, misuse, disclosure, alteration, or destruction of personal data. These measures may include access restrictions, network and application controls, secure transmission practices, security logging, abuse prevention, and operational review of suspicious activity.

We also design the public contact flow with anti-spam and anti-abuse safeguards rather than relying solely on third-party CAPTCHA services. This is part of a broader attempt to keep the public site leaner and more controlled.

No website, email workflow, or internet transmission environment can be guaranteed to be completely secure. For that reason, we ask you not to send unnecessary secrets, credentials, payment card data, or regulated special-category information through the public website unless and until an appropriate secure exchange mechanism and contractual framework are in place.

11. Your Rights

Depending on your location and applicable law, you may have the right to request access to personal data, correction of inaccurate data, deletion, restriction of processing, objection to certain processing, portability of eligible data, and withdrawal of consent where processing is based on consent.

You may also have the right to:

  • object to direct marketing at any time;
  • ask for additional information about how we process your data;
  • request that we explain the basis on which particular data is being processed;
  • complain to a competent supervisory authority if you believe your rights have been violated.

We may need to verify your identity before responding to certain requests, especially where disclosure or deletion could affect security or the rights of another person. We may also decline or narrow a request where an exemption applies, the request is manifestly unfounded or excessive, or another law permits or requires us to retain the relevant data.

12. Marketing Communications

We do not aim to run an aggressive bulk-marketing machine through this site. If you contact us, we may send business-relevant follow-up in response to that inquiry. If you no longer want to hear from us, you can tell us at any time and we will respect that request, subject to any communications that remain strictly necessary for an ongoing business or legal matter.

Where applicable law requires opt-in consent for certain categories of communication, we will seek to rely on that consent and you may withdraw it at any time going forward.

13. Children and Sensitive Information

This website is directed to businesses, technical teams, and adult users. It is not intended for children. We do not knowingly collect personal data from children through the public site.

We also do not ask you to submit special-category personal data through the public website. Please do not send health data, biometric data, government identifiers, payment card details, secrets, credentials, exploit samples tied to identifiable individuals, or other highly sensitive material through the public contact form unless we have expressly agreed on a secure process and an appropriate legal framework.

If you submit personal data about another person, you are responsible for ensuring that you have the authority and legal basis to share it with us.

14. Third-Party Websites and Services

Our website may contain links to third-party sites and services, including external scheduling tools, social platforms, or partner websites. We do not control the privacy practices of those third parties. Their own terms and privacy notices govern their processing.

Examples of third-party interactions may include scheduling via an external appointment platform, visiting our LinkedIn profile, or accessing external references linked from the site. We encourage you to review those providers’ policies before sharing personal data with them.

15. Contact Details and Complaints

If you have questions about this Privacy Policy, want to exercise a privacy right, or want to raise a concern, please contact us at:

SToFU Systems S.L.
Spain
Email: midgard@stofu.io

If you are located in the EU/EEA or UK and believe that our handling of your personal data is inconsistent with applicable law, you may also have the right to lodge a complaint with the relevant supervisory authority. If you are in Spain, that may include the Spanish Data Protection Agency (AEPD), without prejudice to your right to complain to another competent authority.

We would, however, appreciate the opportunity to address concerns directly first, especially where the issue can be resolved quickly through clarification, correction, or deletion.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the website, the way we operate, legal requirements, or risk posture. When we make material updates, we will revise the “Last updated” date at the top of this page and publish the new version here.

Your continued use of the website after an updated version becomes effective means that the latest version will apply to future interactions, to the extent permitted by law. Historic versions may be available on request where reasonably necessary.

© 2026 SToFU Systems, Spain. All Rights Reserved.
