Legal

/01

Privacy Policy

What we collect, why we need it, and how you stay in control.

Last updated: July 8, 2026

This policy describes how 85CO handles personal data when you browse eightyfiveco.com, book a call, email us, or engage us for design and development work. 85CO is operated by 85CO SRL, a Romanian limited liability company based in Bucharest, Romania. Our processing is governed by the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Romanian Law no. 190/2018.

1. Data controller

The controller responsible for your personal data is 85CO SRL. For any privacy-related request — access, correction, deletion, objection, or withdrawal of consent — email hello@eightyfiveco.com. We aim to respond within 30 days, as required under Article 12(3) GDPR.

2. What we collect, why, and for how long

We limit collection to what is necessary for running the site, responding to inquiries, and delivering client work. Each category below states what is collected, the lawful basis, how long we keep it, and any third-party processor involved.

2.1 Cal.com (discovery call booking)

  • What: your name, email address, timezone, any notes you leave when booking, and meeting metadata (date, time, cancellation status).
  • Why / lawful basis: performance of pre-contractual steps at your request (Article 6(1)(b) GDPR) — scheduling the consultation you asked for.
  • Retention: until you ask us to delete your details, or three years after our last interaction, whichever comes first.
  • Processor: Cal.com, Inc. (United States), under a GDPR Data Processing Addendum. Transfers outside the EEA rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

2.2 Direct email contact

  • What: your email address, name, company, and any information you include in your message or attachments.
  • Why / lawful basis: our legitimate interest in responding to business inquiries (Article 6(1)(f) GDPR), and, where a project begins, contract performance (Article 6(1)(b) GDPR).
  • Retention: active correspondence is kept for the duration of the inquiry or project, then up to three years for reference unless you request earlier deletion.
  • Processor: your email provider and ours handle delivery; we do not use a separate marketing email platform on this site.

2.3 Google Analytics 4

  • What: when you accept analytics cookies, GA4 records page views, approximate geography at country or city level, device type, browser, language, and aggregated engagement metrics. GA4 does not store full IP addresses — IPs are used transiently to derive location and then discarded. We do not enable Google Signals or cross-device tracking.
  • Why / lawful basis: your explicit consent via our cookie banner (Article 6(1)(a) GDPR). We use Google Consent Mode v2: until you accept, analytics storage remains denied and Google receives only cookieless pings.
  • Cookies: _ga and _ga_* — set only after you accept analytics. Typical expiry is up to two years per Google's schedule.
  • Retention: event-level data in GA4 is retained for 14 months, then automatically deleted. Aggregated reports may persist longer under Google's policies.
  • Processor: Google Ireland Ltd. (EU) and Google LLC (United States), under Google's Data Processing Terms, Standard Contractual Clauses, and the EU-US Data Privacy Framework.
  • Withdraw consent: decline analytics in the cookie banner, or clear the 85co-cookie-consent entry in your browser's local storage and reload the page.

2.4 Vercel Analytics & Speed Insights

  • What: when you accept analytics cookies, Vercel Analytics collects aggregated page views, referrer URL, approximate country, and device type. Speed Insights records Core Web Vitals (such as LCP, CLS, and INP) to help us monitor performance. Visitors are identified by a short-lived, hashed identifier — not your name or email. Vercel Analytics does not use cookies.
  • Why / lawful basis: your explicit consent via our cookie banner (Article 6(1)(a) GDPR). The scripts do not load until you accept analytics.
  • Retention: aggregated traffic data is retained indefinitely; raw session data is kept for less than 24 hours.
  • Processor: Vercel Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.
  • Withdraw consent: decline analytics in the cookie banner, or clear the 85co-cookie-consent entry and reload the page.

2.5 Hotjar

  • What: when you accept analytics cookies, Hotjar records how you interact with pages — clicks, scroll depth, mouse movement, and navigation paths — to produce heatmaps and session replays. It also collects device type, screen resolution, browser, language, and country-level location. Hotjar masks typed input in form fields by default so passwords and similar data are not captured.
  • Why / lawful basis: your explicit consent via our cookie banner (Article 6(1)(a) GDPR). Hotjar does not load, set cookies, or send data until you accept analytics.
  • Cookies: first-party Hotjar cookies such as _hjSessionUser_*, _hjSession_*, and _hjIncludedInSessionSample_* — set only after you accept analytics. Expiry follows Hotjar's schedule (typically up to one year).
  • Retention: session recordings and heatmap data are retained per our Hotjar project settings; you can request deletion at any time.
  • Processor: Hotjar Ltd. (Malta, EU), under Hotjar's Data Processing Agreement. Data is processed within the European Union.
  • Withdraw consent: decline analytics in the cookie banner, or clear the 85co-cookie-consent entry and reload the page. Hotjar cookies can also be removed through your browser settings.

2.6 Client engagements

  • What: during active projects we may process contact details, billing information, project briefs, brand assets, credentials shared for integrations, and communications needed to deliver branding, product design, or development work.
  • Why / lawful basis: contract performance (Article 6(1)(b) GDPR) and, where relevant, our legitimate interest in administering projects (Article 6(1)(f) GDPR).
  • Retention: for the project term plus up to seven years where required for accounting, tax, or legal obligations; project deliverables you own are handed over on completion.
  • Processors: depends on the engagement — for example hosting (Vercel), design tools, or AI APIs named in your statement of work. We use subprocessors only where needed and under appropriate data-processing terms.

3. Cookies and similar technologies

We keep cookies to a minimum. Optional analytics only run after you opt in.

  • Strictly necessary (always on): a localStorage entry recording your cookie consent choice (85co-cookie-consent). This value stays in your browser and is not transmitted to us.
  • Analytics (optional): Google Analytics 4 (section 2.3), Vercel Analytics & Speed Insights (section 2.4), and Hotjar (section 2.5). All three load only after you accept analytics. We do not use advertising, retargeting, or social-media tracking pixels on this site.

You can change your choice at any time by clearing site data for eightyfiveco.com or using the decline option when the banner appears again. Withdrawing consent does not affect the lawfulness of processing that happened before withdrawal.

4. International transfers

Some processors listed above are located in the United States or other countries outside the European Economic Area. Where personal data leaves the EEA, we rely on Standard Contractual Clauses and, where the processor is certified, the EU-US Data Privacy Framework. We do not transfer personal data to jurisdictions without an adequate level of protection unless appropriate safeguards are in place.

5. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you (Article 15).
  • Rectification — ask us to correct inaccurate data (Article 16).
  • Erasure — ask us to delete your data where the law allows (Article 17).
  • Restriction — ask us to pause processing in certain cases (Article 18).
  • Portability — receive data you provided in a structured, machine-readable format where applicable (Article 20).
  • Object — object to processing based on legitimate interest, including direct marketing (Article 21).
  • Withdraw consent — at any time for processing that relies on consent (Article 7(3)).
  • Lodge a complaint with a supervisory authority. In Romania this is ANSPDCP. You may also complain in the EU country where you live or work.

To exercise any right, email hello@eightyfiveco.com. We may ask you to verify your identity before fulfilling a request.

6. How we keep data secure

Traffic to eightyfiveco.com is served over HTTPS. Credentials and API keys for third-party services are stored in server-side environment variables, not in client-side code. Access to client project data is limited to team members who need it. We do not sell, rent, or trade personal data.

7. Children

85CO provides professional services to businesses and founders. The site is not aimed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has shared data with us, contact hello@eightyfiveco.com and we will delete it promptly.

8. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

9. Changes to this policy

When we make material changes, we update the "Last updated" date at the top of this page. Continued use of the site after an update means you accept the revised policy. For significant changes affecting active clients, we will notify you directly where appropriate.

10. Contact

Privacy questions and general inquiries: hello@eightyfiveco.com.
85CO SRL — Bucharest, Romania.

Book a call