Privacy Policy
011. General Provisions
This Privacy Policy (the "Policy") sets out how personal data of users of the goldjaxe.com website (the "Website") is processed and protected. The Policy is adopted in order to comply with applicable data protection law.
The scope of this Policy is limited to the goldjaxe.com website. Other resources and services operated under the GOLDJAXE brand on separate domains are governed by their own privacy policies.
Use of the Website and submission of the contact form constitute acceptance of this Policy. If the User does not agree with this Policy, the User shall discontinue use of the Website.
022. Data Controller
The data controller responsible for the processing of personal data collected through the Website is GOLDJAXE.
- Brand: GOLDJAXE;
- Contact email for personal data matters: privacy@goldjaxe.com.
All requests from data subjects, including requests to exercise their rights, to withdraw consent or to submit complaints, shall be sent to privacy@goldjaxe.com. Requests are processed within thirty (30) calendar days from receipt.
033. Categories of Data Subjects and Personal Data
The Controller processes personal data of the following categories of data subjects:
- visitors of the Website using cookies and similar technologies;
- users who have submitted an enquiry through the contact form (the "Contact Form").
The following categories of personal data are processed:
- data submitted via the Contact Form: name (or any other identifier chosen by the User), company name, email address, the selected request category and the text of the message;
- record of the User’s consent to the processing of personal data (checkbox state) and the timestamp of consent;
- technical data automatically collected upon visiting the Website: IP address, user-agent string, country and region inferred from the IP address, interface language, visited pages and timestamps;
- marketing attribution data, where present in the request: referral source and campaign parameters (UTM tags) and the page from which the request was submitted.
The Controller does not process special categories of personal data (such as data on racial or ethnic origin, political views, religious or philosophical beliefs, health or sexual life) and does not process biometric personal data.
044. Purposes and Legal Bases of Processing
The Controller processes personal data solely for explicitly stated purposes. Each purpose has its own independent legal basis under applicable data protection law:
- Processing of enquiries submitted via the Contact Form and follow-up communication. Legal basis: performance of a contract or pre-contractual measures initiated by the data subject.
- Web analytics and measurement of traffic, where enabled in the future. Legal basis: consent of the data subject. Web analytics is not currently used on the Website.
- Marketing and informational communications, where separate consent is given. Legal basis: consent. Consent may be withdrawn at any time.
- Ensuring the operation and security of the Website, including protection against attacks, spam-bots and fraudulent activities. Legal basis: the legitimate interests of the Controller, provided that the rights of the data subject are not infringed.
- Compliance with the Controller’s legal obligations, including the retention of records where required by applicable law.
The Controller does not make decisions producing legal effects for the data subject, or otherwise significantly affecting the data subject, based solely on automated processing.
055. Storage, Retention and Security of Personal Data
Personal data is processed using the Controller’s infrastructure and the infrastructure of the processors listed in Section 6. Given the international nature of these services, personal data may be processed and stored in more than one jurisdiction (see Section 7).
Retention periods are determined by the purpose of processing:
- correspondence and enquiry data of Users — three (3) years from the date of the last interaction;
- records required to be retained by applicable law — for the period prescribed by that law;
- analytics cookies and identifiers, where enabled — for the period stated in Section 8;
- data processed for marketing purposes — until the data subject withdraws consent.
Upon expiry of the retention period, achievement of the processing purpose or withdrawal of consent, the Controller ensures destruction of personal data within thirty (30) calendar days.
The Controller implements reasonable organisational and technical measures appropriate to the risk, including:
- encryption of data in transit using TLS version 1.2 or higher;
- encryption of data at rest at the storage infrastructure level;
- role-based access control (RBAC) following the principle of least privilege;
- multi-factor authentication (MFA) for administrative access;
- regular backups with integrity verification;
- use of firewalls and a Web Application Firewall (WAF);
- maintenance of security event logs with access controls;
- internal policies governing the processing and protection of personal data.
066. Recipients of Personal Data
The Controller engages third parties as processors acting on its instructions. Each such party is bound by a written agreement requiring confidentiality and a level of protection no lower than that maintained by the Controller.
The following processors are engaged:
- Kommo Inc. (Delaware, United States of America) — provision of the customer relationship management (CRM) platform used to handle enquiries and communications with Users;
- Gcore S.A. (Grand Duchy of Luxembourg, operating a global edge network) — content delivery network (CDN) and Web Application Firewall (WAF) services;
- n8n workflow automation platform, self-hosted on GOLDJAXE-owned infrastructure — routing of enquiries and integration between internal systems.
The Controller does not sell personal data, does not share data with advertising networks for the purpose of building third-party profiles and does not disclose personal data to any other parties beyond those listed above.
Disclosure of personal data to competent authorities is carried out exclusively on the grounds and in the manner provided for by applicable law.
077. International Transfers of Personal Data
Because the processors listed in Section 6 operate internationally, personal data may be transferred across borders when Users interact with the Website.
In particular, enquiry data is processed by Kommo Inc. in the United States of America, and technical data is processed by Gcore S.A. across a global edge network with a point of presence in the Grand Duchy of Luxembourg.
Where the applicable data protection law requires a specific legal ground for an international transfer, the Controller relies on the consent of the data subject (provided upon submission of the Contact Form) or on another lawful transfer mechanism available under that law.
The data subject is entitled to withdraw consent to international transfers at any time by sending a request to privacy@goldjaxe.com.
099. Rights of the Data Subject
Subject to the applicable data protection law, the data subject has the right to:
- obtain information relating to the processing of their personal data (right of access);
- request rectification, blocking or erasure of personal data that is incomplete, outdated, inaccurate, unlawfully obtained or no longer necessary for the stated purpose;
- withdraw previously given consent to the processing of personal data;
- object to processing for purposes other than those declared by the Controller;
- lodge a complaint with the competent supervisory authority or seek a judicial remedy against acts or omissions of the Controller.
Rights are exercised by sending a written request to privacy@goldjaxe.com. The request must include information sufficient to identify the data subject (or their authorised representative).
The Controller will review the request and provide a reasoned response within thirty (30) calendar days from receipt. If the response cannot be provided within this period, the Controller will notify the data subject of the reasons for the extension.
1010. Changes to the Policy
The Controller may amend this Policy. Versioning follows the MAJOR.MINOR scheme, where an increase in the MAJOR number corresponds to material changes affecting the rights and obligations of data subjects, and the MINOR number reflects technical or editorial corrections.
Material changes will be communicated to Users via an information banner displayed on the Website prior to the effective date of the new version.
The current version of the Policy is always available at goldjaxe.com/privacy. The date of the latest update and the edition number are displayed at the top of the page.
Continued use of the Website after the effective date of an amended Policy constitutes acceptance of the new version. If the User does not agree with the amended Policy, the User shall discontinue use of the Website and may submit a request to withdraw consent and delete data via privacy@goldjaxe.com.
1111. Contacts
Contact details of the Controller for personal data matters:
- Email: privacy@goldjaxe.com;
- Brand: GOLDJAXE;
- Website: goldjaxe.com.
1212. Governing Law and Jurisdiction
This Policy and any relations arising in connection with the processing of personal data are governed by the data protection law applicable to the Controller and to the data subject’s location.
Disputes arising in connection with the processing of personal data shall be resolved in accordance with the rules of jurisdiction established by the applicable procedural law. A User who qualifies as a consumer may bring a claim before the courts of their place of residence where the applicable law so provides.
If any provision of this Policy is held invalid by a competent authority, the remaining provisions shall remain in full force and effect.
