Closetforge

Privacy Policy

Version 1.0 · Effective [LAUNCH DATE]

This Privacy Policy explains how Smartilabs razvoj in svetovanje d.o.o. ("Closetforge", "we", "us"), registered in Slovenia at Prvomajska ulica 11, 4226 Žiri, Slovenia, registration number 9396454000, VAT ID SI98239759, processes Personal Data when we act as the data controller under the EU General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2).

This Privacy Policy applies to:

  • Visitors to our marketing website at closetforge.com
  • Carpenters and other business users who sign up for an account ("Customers")
  • Personnel of Customers who administer accounts ("Authorised Users")

This Privacy Policy does not apply to data processed about end consumers (homeowners) who use the embedded Configurator on a Customer's website. For that data, the Customer is the controller and Closetforge acts as a processor under the Data Processing Addendum at closetforge.com/legal/dpa. End consumers should consult the privacy policy of the carpenter whose website they are using.


1. Personal Data we collect

1.1 When you visit closetforge.com

  • Device and connection data: IP address (truncated for analytics), browser type, operating system, language, referring page, pages visited, time on page
  • Cookies and similar technologies: as described in our Cookie Policy at closetforge.com/cookies

1.2 When you create a free trial or paid account

  • Identity: name, work email, phone number (optional), company name, role
  • Billing: billing address, VAT ID, payment-method identifier (we do not store full card numbers — payment data is held by our payment processor; see Section 5)
  • Authentication: hashed password, magic-link tokens, TOTP secrets if you enable 2FA

1.3 When you use the Service

  • Account activity: logins, feature usage, pages visited within the admin, time stamps
  • Catalog and brand data: the materials, hardware, prices, and brand assets you upload (this is Customer Data and is not used for analytics; see MSA Section 7)
  • Support and communication: emails, chat messages, recorded demo calls (with consent)

1.4 When you contact us

  • Form submissions: name, email, message content, the page you submitted from
  • Demo bookings: name, email, company, calendar information

We do not knowingly collect Personal Data of children under 16.


2. How we use Personal Data

We process Personal Data on the legal bases below.

Purpose | Legal basis (GDPR Art. 6)
--- | ---
Provide and operate the Service for paying customers | Performance of a contract
Provide a free trial and demos | Performance of pre-contractual measures at your request
Bill you and collect payment | Performance of a contract; legal obligation (tax)
Send service notifications, security alerts, and changes to terms | Legitimate interest (operating the Service)
Send marketing emails to existing customers about features and tips | Legitimate interest (direct marketing to existing customers under PECR-style soft-opt-in)
Send marketing to non-customers (newsletters, product launches) | Consent — opt-in only, withdrawable at any time
Analyse aggregate site usage to improve the site | Legitimate interest
Detect, prevent, and respond to abuse, fraud, and security incidents | Legitimate interest; legal obligation
Comply with law and respond to lawful requests | Legal obligation
Defend legal claims | Legitimate interest

When we rely on legitimate interest, we have completed a balancing test. You can ask us for a summary by emailing privacy@closetforge.com.


3. AI and automated processing

Closetforge uses third-party AI services (currently OpenAI; see Sub-processor List) to power the AI chat in the Configurator and to support search and content features in the admin. We do not use Personal Data of Customers or Authorised Users to train third-party AI models. Our agreements with AI providers prohibit them from using your data for model training.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, within the meaning of GDPR Article 22.


4. Sharing Personal Data

We share Personal Data only with:

  • Sub-processors that help us deliver the Service (hosting, email delivery, customer support, analytics, AI). The current list is at closetforge.com/subprocessors. We have signed contracts with each that meet GDPR Article 28 requirements.
  • Professional advisers (lawyers, accountants, auditors) under duties of confidentiality.
  • Authorities when required by law or to defend legal claims.
  • Acquirers in connection with a merger, acquisition, or sale of assets, with notice to you and continued protection of your data.

We do not sell Personal Data and we do not share it with advertising networks for cross-context behavioural advertising.


5. Payments

Card payments are processed by [Stripe Payments Europe, Limited] (or the processor named on closetforge.com/subprocessors). Closetforge receives a token and the last four digits of the card; we do not have access to the full card number. The processor is the controller for fraud-prevention purposes and a processor for transaction handling. See the processor's privacy notice for details.


6. International transfers

We process Personal Data primarily within the EU/EEA. When we transfer Personal Data outside the EU/EEA (for example to a US-based AI provider or analytics vendor), we rely on:

  • The European Commission's adequacy decision for the country (where one exists, including the EU–US Data Privacy Framework for certified US recipients), or
  • Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards (encryption in transit, encryption at rest, access controls, contractual purpose limitations).

You can request a list of recipients and the safeguards in place by emailing privacy@closetforge.com.


7. Retention

We keep Personal Data only as long as necessary for the purposes for which it was collected.

Category | Retention
--- | ---
Account data of active customers | For the duration of the account and 3 years after termination, for legal-claim defence and audit
Billing records | 10 years (Slovenian tax law)
Support tickets | 3 years after the ticket is closed
Marketing-list data | Until you unsubscribe, then suppressed only for ensuring you are not re-contacted
Web analytics | 14 months
Server access logs | 90 days, longer if relevant to a security investigation
Free-trial data, if not converted | 6 months after trial expiry

After retention periods end we delete or anonymise the data.


8. Your rights

Under the GDPR, you have the right to:

  • Access: receive a copy of the Personal Data we hold about you
  • Rectification: have inaccurate Personal Data corrected
  • Erasure: have Personal Data deleted in certain circumstances ("right to be forgotten")
  • Restriction: ask us to limit processing in certain circumstances
  • Portability: receive your Personal Data in a structured, commonly used, machine-readable format
  • Object: object to processing based on legitimate interest, including direct marketing (we will stop)
  • Withdraw consent: at any time, where processing is based on consent (this does not affect prior lawful processing)
  • Complain: to a supervisory authority — for Slovenia, the Information Commissioner (Informacijski pooblaščenec): www.ip-rs.si

To exercise your rights, email privacy@closetforge.com. We will respond within one month, extendable by two further months for complex requests with notice. We may need to verify your identity. There is no fee unless requests are manifestly unfounded or excessive.


9. Security

We implement technical and organisational measures appropriate to the risk, including:

  • TLS 1.2+ for data in transit and AES-256 at rest
  • Role-based access controls and least-privilege provisioning
  • Multi-factor authentication for staff with access to production systems
  • Regular backups with documented restore tests
  • Vulnerability scanning and dependency monitoring
  • Incident response procedures and breach notification within 72 hours to authorities where required

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities as required.


10. Cookies

See the Cookie Policy at closetforge.com/cookies for the cookies and similar technologies we use, their purposes, and how to manage them. We do not set non-essential cookies without your consent.


11. Changes to this Privacy Policy

We may update this Privacy Policy. Material changes will be notified by email (where you are an account holder) and by a banner on closetforge.com at least 14 days before the effective date. Past versions are archived at closetforge.com/legal/archive.


12. Contact

Data controller: Smartilabs razvoj in svetovanje d.o.o., Prvomajska ulica 11, 4226 Žiri, Slovenia
Email: privacy@closetforge.com
Postal: as above, marked "Privacy"

If we appoint a Data Protection Officer (not currently required for our scale of processing), their contact details will be added here.