Privacy Policy
How we collect, use, and share personal data when you visit itsailor.io, use our tools, or buy our products. Written plainly, GDPR-aligned, audit-ready.
ITSailor is the trading name of Michal Jatczak, a Maltese sole trader. We collect the minimum data needed to run our tools, fulfil paid workshops, and deliver SaaS subscriptions. We store data mostly inside the EU (Hetzner Germany), use SCCs for any US subprocessor, give you full GDPR rights, and never run third-party ad trackers.
Who we are
ITSailor is the trading name of Michal Jatczak, a Maltese sole trader operating from 507 Cityway, Triq Il-Madonna Tal-Gebla, Gzira GZR 1564, Malta. Malta VAT number MT32760411, DUNS number 507601021. Microsoft AI Cloud Partner Program Authorized partner, PLA ID 7113951. References to "we", "our", "ITSailor" in this Policy mean Michal Jatczak T/A ITSailor.
This Privacy Policy explains how we collect, use, and share personal data when you (a) visit itsailor.io, (b) use any of our free diagnostic tools, (c) purchase a paid workshop or eBook, (d) sign up for our SaaS products (SEAWALL FinOps Engine, HOIST autonomous IT support, DECKLOG private RAG — currently in sales MVP phase), or (e) contact us for consulting work.
We act as a data controller (GDPR Article 4(7)) for the data described below. This Policy serves as the controller-side transparency notice required by GDPR Articles 13 and 14. For personal data you instruct us to process inside your own systems (e.g. during a paid consulting engagement), we act as a data processor (Article 4(8)) under the separate Data Processing Agreement (DPA) executed with you, which incorporates Article 28(3) processor clauses.
Data we collect
- Tool submission data. Email, optionally name and company, plus the inputs and results of any diagnostic tool you choose to submit (e.g. M365 license CSV metadata, GitHub repo URL, deliverability scan results, automation ROI calculator inputs). Most tools work without submission — submission is opt-in for receiving a report by email.
- Workshop and eBook purchase data. Name, work email, company, selected SKU (€499 Architecture & Security Design Workshop, €149 M365 Tenant Hardening, €99 eBooks), order timestamp, billing address (where required), and Stripe customer ID.
- SaaS account data (SEAWALL / HOIST / DECKLOG). Email, hashed password, role, subscription tier and status, Stripe customer ID, and audit logs of dashboard actions. Where the product integrates with your cloud or knowledge sources (e.g. Azure tenant, SharePoint, GitHub), we collect only the minimum metadata required for the integration to function.
- Billing data. Stripe processes card data on our behalf; we never see or store full card numbers. We retain Stripe customer IDs, invoice metadata, and subscription state.
- Usage data. IP address, user agent, referrer, and minimal request logs of itsailor.io and the SaaS dashboards. We do not run third-party advertising trackers and we do not sell usage data.
- Contact and lead data. If you fill in the contact form or open a chat session, we retain the message content, your email, and any context you provide for the time required to follow up, plus the retention periods defined in the Retention section below.
- Optional AI feature inputs. Where a feature is explicitly opt-in (e.g. HOIST Tier-0 ticket triage, DECKLOG document indexing), we process the inputs you submit and pass de-identified excerpts to the LLM provider (currently Azure OpenAI). Inputs are flagged as not used for model training.
Why we process it and legal basis
- Performing the contract (Art. 6(1)(b) GDPR) — account creation, billing, support, and delivery of paid workshops, eBooks, and SaaS subscriptions.
- Legitimate interests (Art. 6(1)(f) GDPR) — security monitoring, fraud prevention, product analytics on aggregated usage, lead follow-up where you submitted a form expressing purchase intent.
- Legal obligation (Art. 6(1)(c) GDPR) — tax and accounting records under Maltese law (7-year retention); responding to lawful requests from regulators or courts.
- Consent (Art. 6(1)(a) GDPR) — optional newsletter; non-essential cookies (subject to your cookie banner choice); optional AI feature opt-ins. You can withdraw consent at any time from your dashboard or by emailing privacy@itsailor.io.
Subprocessors
We share personal data with the following subprocessors strictly to deliver the Services. Where data leaves the EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional technical measures (TLS 1.2+ in transit, encryption at rest).
- Stripe Payments Europe Ltd. — payment processing and subscription billing (Ireland; EU-based, SCCs for any US data routing).
- Resend, Inc. — transactional email delivery for workshop provisioning, eBook delivery, and SaaS notifications (USA; SCCs).
- Hetzner Online GmbH — production server hosting (Falkenstein, Germany) and Storage Box backups. Houses our n8n automation, Directus backend, Postgres databases, and SaaS application data. EU jurisdiction.
- Cloudflare, Inc. — DNS, CDN, and Zero Trust Tunnel for our self-hosted services (USA; SCCs; EU edge nodes serve EU traffic).
- Vercel, Inc. — frontend hosting and edge logs for itsailor.io (USA; SCCs; EU edge regions preferred).
- GitHub, Inc. — private repository hosting for client deliverables (Terraform modules, Intune baselines, SOPs), and authentication for the DevEx Maturity Scan tool (USA; SCCs).
- Microsoft Ireland Operations Limited — Azure infrastructure for AI-powered features in HOIST and DECKLOG (EU region preferred). Azure OpenAI inputs flagged as not used for model training. Microsoft 365 services where you choose to purchase through us via the Pax8 marketplace.
- Pax8 Inc. — Microsoft 365 licensing marketplace (EU operations from the Netherlands). Only billing metadata flows to Pax8 when you purchase Microsoft licences through us; your Microsoft tenant data does not.
International transfers
Most personal data is stored and processed inside the EU/EEA (Malta, Germany, Ireland, Netherlands). Where data leaves the EEA — primarily to US-headquartered subprocessors with EU operations or EU edge nodes — we rely on Chapter V GDPR mechanisms, specifically the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914, Modules 1 and 2 as applicable) signed with each subprocessor.
Following the CJEU's judgment in Schrems II (C-311/18), we apply supplementary technical measures alongside the SCCs: encryption in transit (TLS 1.2 minimum), encryption at rest where supported, and minimisation of the personal data flowing to non-EEA endpoints. A transfer impact assessment (TIA) summary is available on written request under NDA.
Retention
- Lead and tool submission data — up to 24 months from last contact, then deleted or anonymised.
- Customer account data — for the duration of the subscription or engagement, and 12 months after termination, then deleted unless legally required.
- Billing records — 7 years (Maltese tax law).
- Audit and request logs — 90 days rolling.
- Contact form and chat messages — 12 months from last interaction.
- Newsletter subscribers — until you unsubscribe; we stop sending as soon as you unsubscribe and purge your address from active lists within 30 days.
Your rights (GDPR)
If your personal data is subject to the GDPR (Regulation 2016/679) you hold the following rights, exercisable free of charge in the first instance (Article 12(5)):
- Access (Article 15) — request a copy of personal data we hold about you and the processing context.
- Rectification (Article 16) — correct inaccurate or incomplete data.
- Erasure (Article 17) — request deletion (subject to the retention periods in the Retention section above and to any legal-obligation exemptions in Article 17(3)).
- Restriction (Article 18) — limit how we process your data while a dispute or correction is pending.
- Portability (Article 20) — receive your data in a structured, commonly-used, machine-readable format and transmit it to another controller.
- Object (Article 21) — to processing based on legitimate interests (Article 6(1)(f)) or direct marketing (which we stop unconditionally).
- Withdraw consent (Article 7(3)) — where processing relies on consent under Article 6(1)(a) or 9(2)(a); withdrawal does not affect prior lawful processing.
- Not be subject to solely automated decisions (Article 22) — see the Automated decision-making section below. We do not run such decisions today.
- Lodge a complaint (Article 77) with the Information and Data Protection Commissioner of Malta (IDPC) — our lead supervisory authority — or with the supervisory authority of your EU/EEA Member State of residence.
Security
Per GDPR Article 32, we implement technical and organisational measures appropriate to the risk of the personal data we process. These include TLS 1.2+ in transit, encryption at rest for databases that support it, least-privilege access, dependency scanning, server hardening (UFW, fail2ban, unattended security patches), automated daily backups to an off-site Storage Box, and secret rotation procedures. We use the same baseline we deliver to our clients; see our public Architecture Workshop materials for the technical specifics.
We notify the IDPC of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). Where the risk is high, we also notify affected individuals without undue delay (Article 34).
Children
The Services are not directed to anyone under 16 and are sold business-to-business only. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@itsailor.io and we will delete it.
Automated decision-making
Per GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. Where AI features make recommendations on our platform (e.g. HOIST suggesting a ticket resolution path, DECKLOG returning ranked documents, AI Readiness Scan scoring), these are advisory only — a human (your team, or ours during a consulting engagement) makes the final decision, so Article 22 does not apply.
Where the EU AI Act (Regulation 2024/1689) classifies any function we add in the future as “high-risk” under Annex III, we will publish the transparency information required for high-risk systems (Article 13) and, where the function interacts directly with people or generates synthetic content, the disclosures required by Article 50, before that function goes live.
Changes
Material changes to this Policy will be announced by email at least 30 days before they take effect to all active customers, and posted on this page with a revised effective date. Older versions are available on request.
Contact
- Data Subject Rights requests (access, rectification, erasure, portability, objection, restriction, withdraw consent): dsr@itsailor.io
- General privacy questions: privacy@itsailor.io
- Legal: legal@itsailor.io
- General contact: hello@itsailor.io
We have not appointed a formal Data Protection Officer under Article 37 — our scale and processing categories do not require one. If a DPO is appointed in the future, contact details will be added to this section.
Postal: Michal Jatczak T/A ITSailor, 507 Cityway, Triq Il-Madonna Tal-Gebla, Gzira GZR 1564, Malta.