Privacy policy

Last Updated: December 30, 2025
Effective Date: December 30, 2025

1. Introduction and Scope

Infoterra LLP ("we," "us," "our," or the "Company") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use GraphFolio, our data analytics subscription platform (the "Service").

This Privacy Policy applies to all users of our Service and should be read in conjunction with our Terms of Service, Cookie Policy, and Refund Policy.

By using our Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

We are committed to full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller Information

The data controller responsible for your personal information is:

Company Name: Infoterra LLP
Registered Address: Building 6, E 248 Street, Esil District, 010000 Astana, Kazakhstan
Tax ID (BIN): 230240009770
Email: info@graphfolio.com

For all privacy-related questions, concerns, or requests to exercise your data protection rights, please contact us at info@graphfolio.com.

3. Information We Collect

We collect several types of information to provide and improve our Service.

3.1 Account Information

When you register for an account, we collect:

  • First name and last name
  • Email address
  • Password (stored in hashed form using industry-standard hashing algorithms)
  • Company name (optional field)

3.2 Technical and Security Data

To ensure security and prevent fraud, we automatically collect:

  • IP address (collected via Google reCAPTCHA for bot protection and fraud prevention)
  • Browser type and version
  • Device information (device type, operating system)
  • Login timestamps and activity logs
  • Session information

3.3 Usage Data

We collect information about how you interact with our Service:

  • Pages visited and features accessed
  • Reports viewed and downloaded
  • Time spent on platform
  • Navigation patterns

3.4 Payment Information

Payment processing is handled entirely by our payment processor, 2Checkout (Verifone), who acts as Merchant of Record. We do NOT store payment card information (credit card numbers, CVV codes, or expiration dates) on our servers.

We receive from 2Checkout only:

  • Transaction ID
  • Transaction status (successful/failed)
  • Payment amount
  • Invoice details

All sensitive payment information is securely stored and processed by 2Checkout in accordance with Payment Card Industry Data Security Standards (PCI DSS).

3.5 Communication Data

If you contact us via email, we collect:

  • Email correspondence content
  • Your email address
  • Any information you choose to provide

4. How We Use Your Information

We use the collected information for the following purposes:

4.1 Service Provision

  • Account creation and management: To create and maintain your user account
  • Authentication and security: To verify your identity and secure your account
  • Subscription delivery: To provide access to purchased reports and content
  • Multi-user license management: To facilitate email invitations for multi-user licenses

4.2 Payment Processing

  • Transaction processing: To process payments through 2Checkout
  • Invoice generation: 2Checkout generates and sends invoices on our behalf
  • Payment verification: To confirm successful payment before activating subscriptions

4.3 Communication

We send transactional emails only (no marketing communications):

  • Purchase confirmations: Confirmation of successful subscription purchases
  • Subscription expiry reminders: Notifications when your subscription is about to expire
  • Password reset emails: Secure password reset links when requested
  • Account notifications: Important updates regarding your account or service changes
  • License invitations: Email invitations for multi-user licenses

We do NOT send marketing, promotional, or newsletter emails.

4.4 Security and Fraud Prevention

  • Google reCAPTCHA: To detect and prevent automated bot activity, spam, and fraudulent registrations
  • Security monitoring: To detect suspicious activity and protect against unauthorized access
  • Compliance verification: To verify geographic eligibility (Kazakhstan exclusion)

4.5 Service Improvement

  • Analytics (with consent): Google Analytics to understand usage patterns and improve user experience
  • Performance monitoring: To identify and resolve technical issues
  • Feature optimization: To enhance platform functionality based on usage data

4.6 Legal Compliance

  • Legal obligations: To comply with applicable laws and regulations
  • Dispute resolution: To resolve disputes or enforce our Terms of Service
  • Data protection compliance: To fulfill GDPR and other data protection requirements

5. Legal Basis for Processing (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds:

5.1 Contractual Necessity (Article 6(1)(b))

Processing necessary to fulfill our contract with you (Terms of Service):

  • Account creation and management
  • Subscription delivery
  • Payment processing
  • Customer support

5.2 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and financial record-keeping
  • Fraud prevention and detection
  • Response to legal requests

5.3 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Security and fraud prevention
  • Service improvement and optimization
  • Technical issue resolution
  • Platform performance monitoring

5.4 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Google Analytics cookies (you can opt out via cookie settings)
  • Optional communications (where consent is required by law)

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and secure our Service. For detailed information about the cookies we use, please refer to our separate Cookie Policy.

6.1 Types of Cookies

Strictly Necessary Cookies (always active):

  • Session management (Laravel framework)
  • Authentication and login persistence
  • Security features
  • Google reCAPTCHA (bot and fraud protection)

Analytics Cookies (requires your consent):

  • Google Analytics (to understand usage patterns and improve service)

6.2 Cookie Consent

Upon your first visit, you will see a GDPR-compliant cookie consent banner where you can:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your cookie preferences

You can change your cookie preferences at any time through our cookie settings or your browser settings.

7. Third-Party Services

We work with carefully selected third-party service providers to operate our platform. Each processes personal data only as necessary to provide their specific service.

7.1 2Checkout (Verifone) - Payment Processing

Purpose: Payment processing and invoicing (acts as Merchant of Record)
Data Shared: Name, email, billing address, payment information
Location: Global infrastructure with data centers in multiple jurisdictions
Privacy Policy: https://www.2checkout.com/legal/privacy/

2Checkout processes all payment transactions and stores payment card information securely in compliance with PCI DSS standards. We do not have access to or store your full payment card details.

7.2 Google Analytics - Analytics

Purpose: Website analytics and usage statistics (requires opt-in consent)
Data Shared: Anonymized usage data, pages visited, session duration
Location: United States (with EU data processing agreements)
Privacy Policy: https://policies.google.com/privacy

Google Analytics is only activated if you consent via our cookie banner. You can opt out at any time through cookie settings.

7.3 Google reCAPTCHA - Security and Bot Protection

Purpose: Fraud prevention, bot detection, protection against automated abuse
Data Shared: IP address, browser information, device data, user interaction data
Location: United States (with EU data processing agreements)
Privacy Policy: https://policies.google.com/privacy

reCAPTCHA is essential for platform security and cannot be disabled.

7.4 Scalahosting - Data Hosting

Purpose: Server hosting and data storage
Data Shared: All account and usage data stored on platform
Location: Netherlands (EU jurisdiction)
Privacy Policy: https://www.scalahosting.com/legal/privacy-policy/

All your data is stored on secure servers located in the Netherlands, within the European Union, providing strong data protection under EU law.

7.5 Third-Party Data Processing Agreements

All third-party service providers process data on our behalf under strict data processing agreements that comply with GDPR requirements, including appropriate technical and organizational security measures.

8. Data Storage and Security

8.1 Data Storage Location

All user data is stored in the Netherlands (EU jurisdiction) through our hosting provider, Scalahosting. This ensures your data benefits from the strong data protection standards of European Union law.

8.2 Security Measures

We implement industry-standard security measures to protect your personal information:

  • Password hashing: Passwords are stored as hashes produced by strong hashing algorithms (bcrypt)
  • HTTPS/SSL: All data transmitted between your browser and our servers is encrypted via HTTPS
  • Secure infrastructure: Hardened servers with firewall protection and intrusion detection
  • Access controls: Strict internal access controls limiting who can access personal data
  • Regular security updates: Ongoing monitoring and patching of security vulnerabilities
  • Backup systems: Regular encrypted backups to prevent data loss

8.3 No Absolute Security

While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but continuously work to protect your data using industry best practices.

9. Data Retention

9.1 Active Accounts

We retain your personal information for as long as your account remains active and is necessary to provide you with our Service.

9.2 Account Deletion

When you delete your account via your user dashboard:

  1. 30-Day Retention Period: Your personal data is retained for 30 days after deletion request
  2. Permanent Deletion: After 30 days, all personal data is permanently and irreversibly deleted from our systems
  3. Backup Deletion: Data is also removed from backup systems during the next backup cycle

9.3 Legal Retention Requirements

We may retain certain data longer if required by law, such as:

  • Financial transaction records (for tax and accounting purposes)
  • Data subject to legal holds or ongoing legal proceedings
  • Data necessary to resolve disputes or enforce our Terms of Service

In such cases, data is securely archived with restricted access until the retention requirement expires.

10. No Marketing Communications

We do NOT send marketing or promotional emails. All communications from us are strictly transactional and directly related to your use of the Service:

  • Purchase confirmations
  • Subscription expiry reminders
  • Password reset emails
  • Account security notifications
  • License invitation emails (for multi-user subscriptions)
  • Critical service updates

You will never receive newsletters, promotional offers, or marketing materials from us.

11. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

11.1 Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access that data. You can export your personal data from your account dashboard.

How to exercise: Log in to your account and navigate to "Export Data" or contact us at info@graphfolio.com.

11.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your information directly in your account settings or contact us at info@graphfolio.com.

11.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data.

How to exercise: Delete your account via your user dashboard. Your data will be permanently deleted after a 30-day retention period.

11.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances.

How to exercise: Contact us at info@graphfolio.com with your request and justification.

11.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

How to exercise: Use the "Export Data" function in your account dashboard or contact us at info@graphfolio.com.

11.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests.

How to exercise: Contact us at info@graphfolio.com to object to specific processing activities.

11.7 Right to Withdraw Consent

Where processing is based on consent (e.g., Google Analytics), you have the right to withdraw consent at any time.

How to exercise: Adjust your cookie preferences in cookie settings or contact us at info@graphfolio.com.

11.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

11.9 Response Time

We will respond to your requests within one month of receipt. In complex cases, we may extend this period by two additional months and will inform you of the delay.

12. International Data Transfers

12.1 Primary Data Storage

Your personal data is primarily stored within the European Union (Netherlands), ensuring it benefits from strong EU data protection laws.

12.2 Third-Party Services Outside EU

Some third-party services (Google Analytics, Google reCAPTCHA, 2Checkout) may process data outside the EU. In such cases:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with third parties
  • Adequacy Decisions: We rely on EU Commission adequacy decisions where available
  • Additional Safeguards: Appropriate technical and organizational measures are in place

12.3 Your Consent

By using our Service, you consent to the transfer of your data to these third-party services under the safeguards described above.

13. Children's Privacy

13.1 Age Restriction

Our Service is not intended for individuals under 18 years of age or the age of majority in their jurisdiction (whichever is greater). We do not knowingly collect personal information from minors.

13.2 Parental Discovery

If you are a parent or legal guardian and believe your child has provided us with personal information without your consent, please contact us immediately at info@graphfolio.com. We will promptly delete such information from our systems.

13.3 Verification

We do not have processes to verify the age of users. We rely on users to comply with our age restrictions as stated in our Terms of Service.

14. Changes to This Privacy Policy

14.1 Right to Modify

We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or service features. The type of notification depends on the nature of the changes.

14.2 Minor Updates

Minor updates include corrections, clarifications, formatting improvements, and contact information changes. These updates:

  • Are effective immediately upon posting
  • Do not require advance notification
  • Will be reflected in the "Last Updated" date at the top of this document

14.3 Material Changes

Material changes include modifications to the types of data we collect, new third-party services, changes to data retention periods, changes to your rights, new data processing purposes, or other significant changes to how we handle your personal information. For material changes:

  • Email Notification: We will notify you via email to your registered email address
  • Website Notice: We will display a prominent notice on our platform
  • Advance Notice: Changes will be effective 30 days after notification
  • Renewed Consent: Where required by GDPR or other applicable law, we will obtain your renewed consent before the changes take effect

14.4 Your Rights Upon Changes

Under GDPR and applicable data protection laws, when we make material changes:

  • You have the right to object to the changes
  • You have the right to delete your account and request data deletion
  • You can withdraw consent for specific processing activities
  • Your rights remain protected throughout the transition period

14.5 Continued Use and Acceptance

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy, except where renewed consent is legally required.

If you do not agree with material changes, you should:

  • Stop using the Service before the effective date
  • Delete your account through your account dashboard
  • Request deletion of your personal data (your right under GDPR Article 17)

14.6 Review Responsibility

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company Name: Infoterra LLP
Email: info@graphfolio.com
Registered Address: Building 6, E 248 Street, Esil District, 010000 Astana, Kazakhstan
Tax ID (BIN): 230240009770

For privacy-related inquiries: info@graphfolio.com

We will respond to your inquiry within a reasonable timeframe, typically within one month.

By using our Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.