Privacy Policy

Last updated: 2026-06-19 · SIA Point-X · Riga, Latvia, EU

01 — Who we are

Who we are

SIA Point-X (“SIA Point-X”, “we”, “us”) is a digital product agency registered in Latvia, EU. We operate the website point-x.co and are the data controller for personal data processed through it.

Contact: [email protected] (assembled client-side to prevent harvesting).

02 — What we collect

What data we collect and why

We collect personal data only through the project inquiry form on this site. We do not use tracking cookies, advertising pixels, or behavioural analytics.

| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
| --- | --- | --- | --- |
| Name | Identify the person we are corresponding with | Art. 6(1)(b) — steps prior to entering a contract; or Art. 6(1)(f) — legitimate interest | 12 months from last contact, then deleted |
| Email address or Telegram handle | Reply to the inquiry via chosen channel | Same | Same |
| Project brief (free text) | Understand the scope and respond meaningfully | Same | Same |
| Submission timestamp & IP address | Anti-spam. Not stored beyond the request. | Same | Same |

We do not collect: payment data, sensitive categories (Art. 9 GDPR), data from minors, or data from sources other than the form above.

03 — Sharing

Who we share your data with

Form submissions are stored in our own internal system (Payload CMS on a private PostgreSQL database hosted in the EU) and are accessible only to authorised Point-X staff. We do not forward submissions to any external CRM or third-party data processor.

We do not sell, rent, or share your data with any third parties for marketing or advertising purposes.

04 — Cookies & analytics

Cookies and analytics

The public website (point-x.co) is designed to operate without tracking cookies:

Analytics: We use Umami in cookieless mode. Umami records page views without setting cookies and without storing personally identifiable information. No cross-site tracking.
CAPTCHA: The contact form uses Cloudflare Turnstile (invisible). Turnstile is designed to be privacy-preserving and does not use cookies for tracking. It may use browser storage (not cookies) for challenge verification as a strictly necessary security measure. See Cloudflare's privacy policy.
CMS admin panel: The admin panel (admin.point-x.co) runs on a separate subdomain and sets session cookies only for authenticated staff. These cookies are scoped to that subdomain and are not present on point-x.co.

No cookies requiring consent (advertising, analytics, profiling) are placed on this site. A cookie-consent banner is therefore not displayed — consistent with GDPR Recital 30 and guidance from supervisory authorities regarding strictly necessary / cookieless deployments.

05 — Data transfers

Data transfers outside the EU/EEA

Personal data submitted via the contact form is stored exclusively on infrastructure located within the EU/EEA (Google Cloud, europe-west1 region). No personal data is transferred to countries outside the EU/EEA.

06 — Your rights

Your rights under GDPR

As a data subject you have the right to:

Access — request a copy of personal data we hold about you (Art. 15)
Rectification — correct inaccurate data (Art. 16)
Erasure — request deletion (“right to be forgotten”) (Art. 17)
Restriction — limit how we process your data (Art. 18)
Portability — receive your data in a structured, machine-readable format (Art. 20)
Object — object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Latvian Data State Inspectorate (DVI) or the supervisory authority in your country of residence.

07 — Changes

Changes to this policy

We may update this policy as our services or legal obligations change. The “Last updated” date at the top will reflect any revisions. Continued use of the site after a change constitutes acknowledgement of the updated policy.