OptiWolf is operated by UniBreeze Kft. (1141 Budapest, Paskál utca 48. fszt. 1., Hungary; company reg. no. 01-09-281663; tax no. 25162749-2-42). Contact for anything in this policy: [email protected].
OptiWolf handles personal data in two distinct roles:
If you visited a website that uses OptiWolf and want to exercise your privacy rights for data collected there, please contact that website's operator: they control that data. We support them in fulfilling your request, and we forward any request we receive directly to them where we can identify them.
| Context | Data | Purpose | Legal basis |
|---|---|---|---|
| Visiting optiwolf.com | Server and edge logs (IP address, user agent, requested URLs), processed transiently for delivery, security, and rate limiting | Operate and protect the site | Legitimate interests |
| Free CRO scanner | The website URL you submit and, if you request the full report, your email address | Produce and email your report; follow-up about OptiWolf | Consent / legitimate interests |
| Creating an account | Name, email address, password (stored only as a bcrypt hash), workspace name | Provide the service, authentication, service messages | Contract |
| Billing (paid plans) | Billing details and payment status, handled by our payment processor; we do not store card numbers | Charge subscriptions, invoicing, tax compliance | Contract / legal obligation |
| Support and email | Correspondence you send to our addresses | Answer you, improve the service | Legitimate interests |
We do not run advertising trackers on our sites and we do not sell personal data. Fonts on optiwolf.com are self-hosted, so no font request leaves our infrastructure. One third-party request does occur and is disclosed for accuracy: the free scanner's page-preview image is currently fetched from WordPress.com mShots (Automattic receives the URL you typed and your IP address). The scanner carries your email between its steps in your browser's sessionStorage only; it never appears in a URL.
Under the GDPR you can request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interests. Write to [email protected]; we respond within one month. You may also lodge a complaint with a supervisory authority. Ours is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, Budapest, naih.hu).
US state privacy laws (CCPA/CPRA and similar). We do not sell or share personal information as those laws define it, and we do not use it for cross-context behavioral advertising. For data our Snippet processes on customers' sites, we act as a service provider/processor. You can exercise applicable rights via [email protected].
The service is hosted on infrastructure in Germany (EU), fronted by Cloudflare's edge network. Passwords are stored as bcrypt hashes; transport is encrypted with TLS; database access is parameterized and tenant-scoped; webhooks we send are HMAC-signed. Vendors that process personal data for us are listed in Section 7 and, for our processor role, in the DPA's subprocessor annex. Where a vendor processes data outside the EEA, we rely on adequacy decisions (including the EU-US Data Privacy Framework where certified) and Standard Contractual Clauses.
When a customer installs OptiWolf on their site, the Snippet processes the following in visitors' browsers and sends the following to our servers:
Transmitted to OptiWolf (pseudonymous event data):
Never transmitted (stays in the visitor's browser). This is a deliberate design property of OptiWolf, not marketing: the behavioral visitor profile used for targeting (pages visited, session counts, referrer and UTM history) is computed and stored only in the visitor's browser (localStorage), and merge-tag personalization values (for example a first name read from the site's own cookie or URL) are resolved and rendered in the browser and never sent to our servers. OptiWolf keeps no server-side behavioral profile of any visitor. Personalization decisions are made on-device.
Retention of processor data. Leads are kept per each customer's retention setting (by default until the customer deletes them; customers can set an automatic purge window and can delete by email address across campaigns). Event data is kept for the life of the customer's experiments and account. Visitor IP addresses are used transiently (delivery, rate limiting, abuse prevention) and are not stored with event or lead records.
The full processor terms, including data categories, subprocessors, and international transfers, are in the Data Processing Agreement. The browser storage keys the Snippet uses are enumerated in the Cookie and Local Storage Policy.
| Vendor | What | Where |
|---|---|---|
| Cloudflare, Inc. | DNS, CDN/edge, DDoS protection, email routing for our @optiwolf.com addresses | Global edge; EU/US, DPF-certified |
| DigitalOcean, LLC | Cloud infrastructure hosting the service | Germany (EU) |
| Automattic (WordPress.com mShots) | Scanner preview screenshots | US |
| Payment processor (Stripe) | Subscription billing, once paid plans are live | EU/US, SCCs |
| Transactional email provider | Service emails (verification, notifications), once live; named here and in the DPA annex before use | To be selected |
Our sites and service are for businesses and are not directed at children. We do not knowingly collect data from anyone under 16.
We will post updates to this policy at optiwolf.com/privacy with a new effective date, and notify account holders of material changes.
Contact: [email protected] · UniBreeze Kft., 1141 Budapest, Paskál utca 48. fszt. 1., Hungary