Legal
Privacy Policy
Last updated: April 9, 2026
1. Data Controller
The data controller responsible for processing your personal data through this website is:
Septimus Cultura is currently in the pre-incorporation phase. Once legally established, this policy will be updated with the full legal entity name, registered address, and applicable tax identification number.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Data You Provide Directly
- Email address — when you subscribe to our mailing list or request a free audit via the website forms.
- Account credentials — when you create an account via our authentication provider (Clerk). This may include your name, email, and profile picture.
- Plant technical parameters — when you use the H₂ Optimization Suite to configure and optimize hydrogen plant designs. This includes equipment specifications, capacity figures, and energy inputs. We apply a data anonymization layer before processing to ensure confidentiality.
2.2 Data Collected Automatically
- Usage analytics — with your consent, we use Vercel Analytics to collect anonymized data about page views and site interactions. No personally identifiable information is retained.
- Cookies and similar technologies — see our Cookie Policy for full details.
3. Legal Basis for Processing
Under Article 6 of the GDPR, we rely on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Mailing list subscription | Consent (Art. 6(1)(a)) |
| Account creation & authentication | Contractual necessity (Art. 6(1)(b)) |
| H₂ plant optimization processing | Contractual necessity (Art. 6(1)(b)) |
| Analytics cookies | Consent (Art. 6(1)(a)) |
| Essential (security) cookies | Legitimate interest (Art. 6(1)(f)) |
4. How We Use Your Data
- To provide, maintain, and improve our hydrogen optimization services.
- To send you communications about your audit results or account.
- To send marketing updates if you have opted in (you can unsubscribe at any time).
- To analyze anonymized usage patterns to improve our platform (with consent).
- To enforce our terms of service and protect against fraud or misuse.
5. Third-Party Data Processors
We engage trusted third-party service providers who process data on our behalf under strict data processing agreements:
| Provider | Purpose | Data Location |
|---|---|---|
| Clerk | Authentication and identity services | Global |
| Supabase | Cloud infrastructure and data storage | Global |
| Vercel | Website hosting and analytics | Global |
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Binding on our sub-processors (Clerk, Supabase, Vercel), all of which maintain GDPR-compliant data processing agreements and adhere to recognized compliance frameworks.
7. Data Retention
- Mailing list emails — retained until you unsubscribe or request deletion.
- Account data — retained for the duration of your active account. Deleted within 30 days of account closure.
- Plant optimization data — anonymized at point of processing. Aggregated results retained for service improvement; raw inputs are not stored beyond the session unless explicitly saved by the user.
- Analytics data — anonymized and aggregated; no personal data is retained.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of Access (Art. 15) — request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
- Right to Restriction (Art. 18) — request restricted processing of your data.
- Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to Object (Art. 21) — object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at contact@septimuscultura.com. We will respond within 30 days.
9. Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The relevant authorities for Septimus Cultura are:
- Spain — Agencia Española de Protección de Datos (AEPD): www.aepd.es
- Sweden — Integritetsskyddsmyndigheten (IMY): www.imy.se
10. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- HTTPS encryption with HSTS preloading for all connections.
- Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
- Role-based access control and environment-level key management.
- Data anonymization layer applied to plant optimization inputs before processing.
11. Children's Privacy
Our services are designed for business professionals in the energy sector. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has submitted data to us, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via our website and, where appropriate, by email. We encourage you to review this page periodically.
13. Contact
For any questions or requests regarding this Privacy Policy or your personal data, please contact:
Data Protection — Septimus Cultura
Email: contact@septimuscultura.com