Privacy Policy
Last updated: 20 April 2026
1. Identity of the Data Controller
Castreal (legal entity registration pending) ("Castreal", "we", "us", or "our") is the data controller responsible for processing your personal data.
| Registered Name | Castreal (registration pending) |
| Registered Address | Romania (full address to be published upon company registration) |
| Country | Romania (EU) |
| Contact Email | hello@castreal.io |
| Data Protection Contact | dpo@castreal.io |
| Website | https://castreal.io |
2. Scope of This Policy
This Privacy Policy applies to all personal data we collect through our website at castreal.io, including the landing page, email sign-up forms, and any associated services. It covers both our current pre-launch (waitlist) activities and our planned full platform operations.
3. What Data We Collect
We collect the following categories of personal data:
3.1 Data You Provide Directly
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Lead signup, catalog preview delivery, product updates | Consent (Art. 6(1)(a) GDPR); Contract performance (Art. 6(1)(b) GDPR) |
3.2 Data Collected Automatically via UTM & Referral Tracking
When you visit our website, we collect campaign attribution data to understand how visitors find us:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) | Understand which marketing channels drive traffic | Legitimate interest (Art. 6(1)(f) GDPR) |
| Referrer hostname | Identify the website that referred you to us | Legitimate interest (Art. 6(1)(f) GDPR) |
| Landing path | Identify which page you landed on | Legitimate interest (Art. 6(1)(f) GDPR) |
| Ad source (from URL ?ad or utm_content parameter) | Track specific ad creative performance | Legitimate interest (Art. 6(1)(f) GDPR) |
3.3 Data Stored in Your Browser (localStorage)
We use your browser's localStorage (similar to cookies) to store the following identifiers. Under the ePrivacy Directive (2002/58/EC), storing data on your device requires consent unless strictly necessary for the service you requested.
| Key | What It Stores | Purpose | Legal Basis |
|---|---|---|---|
| cr_consent | Your consent choice ("all" or "essential") | Remember your privacy preference | Strictly necessary (exempt from consent) |
| cr_seen | Returning visitor flag (true/false) | Distinguish new vs. returning visitors in analytics | Consent (ePrivacy + Art. 6(1)(a) GDPR) |
| cr_submitted | Whether you have already submitted the signup form | Prevent duplicate form displays | Strictly necessary (exempt from consent) |
3.4 Analytics & Behavioral Events
When you consent to analytics, we collect behavioral events via our server-side analytics system (Cloudflare Analytics Engine). These events are sent as beacons to /api/event and include:
| Event | Description |
|---|---|
| page-load | Page was loaded |
| form-focus | User focused the email input field |
| form-submit | Signup form was submitted |
| form-submit-ok | Signup completed successfully |
| form-submit-fail | Signup failed (e.g., server error) |
| time-to-cta | Time in milliseconds until user interacted with the call-to-action |
| scroll-depth | How far you scrolled (25%, 50%, 75%, or 100%) |
| section-view | Which section of the page entered your viewport |
| nav-click | Navigation link was clicked |
| email-link | Email contact link was clicked |
| filter-click | A showcase filter was used |
| search-used | The showcase search was used |
| lead-submit | A new unique email was submitted |
Each analytics event also includes:
- Session ID: a random identifier generated per page load (format: s_abc12345), not linked to your identity
- Device type: mobile, tablet, or desktop (inferred from viewport width)
- Returning visitor flag: whether you have visited before
Analytics events are only collected when you consent to non-essential analytics via our consent banner. If you choose "Essential Only", no behavioral events are sent.
3.5 Server-Side Page-View Logging
Independently of your consent choice, our web server records a basic page-view event each time an HTML page is served. This is standard server-side infrastructure logging and does not use cookies, localStorage, or any client-side code. Each event records:
- Page path: which page was requested (e.g., /, /privacy)
- Country code: your approximate country, provided by Cloudflare's network routing (e.g., "DE", "RO")
- Referrer hostname: the domain that linked you to us, from the HTTP Referer header
- Device class: mobile, tablet, or desktop, inferred from the User-Agent header (the header itself is not stored)
- UTM parameters: if present in the URL query string
These events are aggregated and cannot identify individual visitors. No IP addresses, session identifiers, or device fingerprints are stored. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in understanding basic traffic patterns for our service.
3.6 Data We Do Not Collect
Our own code does not set traditional browser cookies. However, if you consent to analytics, the Meta Pixel may cause Facebook to set cookies on its own domain (e.g., _fbp), and the TikTok Pixel may similarly set cookies for ad measurement. Apart from this, we do not collect your name, phone number, payment information, or IP addresses for analytics purposes. Our first-party analytics system does not track you across websites.
4. Legal Basis for Processing
We process your personal data on the following legal grounds under the GDPR:
- Consent (Art. 6(1)(a)): for sending marketing communications, setting non-essential localStorage values, collecting analytics events, and loading the Meta Pixel and TikTok Pixel for conversion tracking. You may withdraw consent at any time.
- Contract performance (Art. 6(1)(b)): to process your lead submission and deliver the requested catalog preview or early access.
- Legitimate interest (Art. 6(1)(f)): for basic UTM and referrer data attached to form submissions, and for server-side page-view logging (Section 3.5), which helps us measure our marketing effectiveness and understand traffic patterns. Our legitimate interest is balanced against your rights; this data is not used to profile you individually.
5. Third-Party Data Processors
We share your data with the following service providers, each acting as a data processor under GDPR Art. 28. We rely on the standard data processing terms included in each provider's service agreements.
| Provider | Country | Purpose | Data Shared |
|---|---|---|---|
| Cloudflare, Inc. | United States | Website hosting (Workers), KV data storage for lead submissions, Analytics Engine for behavioral events, CDN and DDoS protection | Email address, UTM data, analytics events, IP address (processed transiently for security) |
| Resend, Inc. | United States | Transactional email delivery (catalog preview, confirmations) | Email address |
| Meta Platforms Ireland Limited (joint controller) | Ireland / United States | Conversion tracking via Meta Pixel (loaded only with consent) | Page interactions, browser and device data, Facebook cookies (if logged in). See Section 5.1. |
| TikTok Technology Limited (joint controller) | Ireland / Singapore | Conversion tracking via TikTok Pixel (loaded only with consent) | Page interactions, browser and device data. See Section 5.2. |
5.1 Meta / Facebook Pixel
We use the Meta (Facebook) Pixel for conversion tracking. The Meta Pixel is loaded only after you grant consent via our consent banner. We and Meta Platforms Ireland Limited act as joint controllers (per CJEU "Fashion ID" ruling, C-40/17) for the initial data collection through the Pixel.
When the Pixel is active, it may set cookies on Facebook's domain (e.g., _fbp) and collect data about your interactions with our site, potentially linking them to your Facebook account (if you are logged in). You can manage your ad preferences at facebook.com/adpreferences. For details on how Meta processes your data, see Meta's Privacy Policy.
5.2 TikTok Pixel
We use the TikTok Pixel for conversion tracking on TikTok ad campaigns. The TikTok Pixel is loaded only after you grant consent via our consent banner. We and TikTok Technology Limited act as joint controllers for the initial data collection through the Pixel.
When the TikTok Pixel is active, it may collect data about your interactions with our site and set cookies to measure ad effectiveness. You can manage your TikTok ad preferences at tiktok.com/setting. For details on how TikTok processes your data, see TikTok's Privacy Policy.
6. International Data Transfers
Castreal is based in the European Union (Romania). However, some of our service providers are located in the United States. When we transfer personal data outside the European Economic Area (EEA), we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): European Commission-approved contractual terms that require the recipient to protect your data to EU standards.
- EU-U.S. Data Privacy Framework: where the recipient is certified under the framework, providing an adequacy-based transfer mechanism.
- Technical safeguards: encryption in transit and at rest, plus access controls.
Specifically:
- Cloudflare offers EU data processing and has committed to GDPR compliance through its DPA and Standard Contractual Clauses. Data routed through Cloudflare's global network is protected by encryption.
- Resend processes email delivery data under SCCs. We have ensured that Resend commits to GDPR-compliant data handling.
- Meta Platforms is a joint controller (not a processor) for data collected via the Meta Pixel. Meta is certified under the EU-U.S. Data Privacy Framework and also provides SCCs. See Meta's Privacy Policy.
- TikTok Technology Limited is a joint controller for data collected via the TikTok Pixel. TikTok processes EU data through its Irish entity and relies on SCCs for international transfers. See TikTok's Privacy Policy.
We continuously monitor legal developments (including the impact of the "Schrems II" ruling and the EU-U.S. Data Privacy Framework) and will adjust our transfer mechanisms as necessary.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Lead email addresses (Cloudflare KV) | Retained until you request deletion or for up to 24 months after collection, whichever is sooner. If the platform launches and you create an account, your data transitions to your account profile. |
| Analytics Engine events | Retained per Cloudflare's default Analytics Engine retention period (up to 90 days). Events are aggregated and cannot be linked back to individual users after collection. |
| localStorage data | Persistent in your browser until you clear your browser data or use our "Cookie Settings" link to reset your consent. |
| UTM / referral data (attached to lead submission) | Same retention as lead email, up to 24 months. |
| Meta Pixel data | Collected by Meta upon consent. Retention is governed by Meta's Privacy Policy. We cannot control Meta's retention period; you can delete your data via your Facebook ad preferences. |
| TikTok Pixel data | Collected by TikTok upon consent. Retention is governed by TikTok's Privacy Policy. You can manage your data via TikTok settings. |
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): request that we limit how we process your data.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at dpo@castreal.io. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
| Authority | ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (Romanian Data Protection Authority) |
| Website | www.dataprotection.ro |
If you are located in another EU Member State, you may also contact your local data protection authority.
9. Cookies and Similar Technologies
We do not use traditional browser cookies. Instead, we use localStorage, a browser-based storage mechanism that functions similarly to cookies. Under the ePrivacy Directive (2002/58/EC) and its national implementations (including Germany's TDDDG §25, formerly TTDSG §25), localStorage is treated the same as cookies for consent purposes.
9.1 Our Consent Mechanism
When you first visit our site, a consent banner is displayed offering two choices:
- "Accept All" enables analytics tracking (behavioral events, returning visitor detection) and loads the Meta Pixel and TikTok Pixel for ad conversion measurement, in addition to essential functionality.
- "Essential Only" sets only strictly necessary localStorage values (consent preference and form submission flag). No analytics events are sent and no advertising pixels are loaded.
Your choice is stored in cr_consent in localStorage. You can change your preference at any time by clicking "Cookie Settings" in the website footer, which clears your stored consent and re-displays the banner.
9.2 Cloudflare Analytics Engine
Our analytics are powered by Cloudflare Analytics Engine, a server-side analytics system. Unlike traditional analytics tools (such as Google Analytics), our approach:
- Does not set cookies
- Does not track you across websites
- Does not build a profile of your browsing behavior
- Processes events on our own infrastructure (Cloudflare Workers)
Analytics beacons are only sent when you have consented to analytics via the consent banner.
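The consent gate described in Sections 9.1 and 9.2, as an added illustration of how such a mechanism can be made fail-closed; this is example code, not Castreal's own site code. It models the cr_consent and cr_seen localStorage keys, the /api/event beacon endpoint and the pixels loaded only after "Accept All". Storage and transport are injected so it runs in Node as well as in a browser; memoryStorage() is a constructed stand-in for window.localStorage, and the viewport breakpoints and pixel names are assumptions.

```javascript
// Consent gate for a first-party analytics beacon. Added example, not the
// site's code. Only the exact stored value "all" unlocks analytics; anything
// else (missing key, tampered value, storage that throws) means "essential".

const CONSENT_KEY = "cr_consent";
const SEEN_KEY = "cr_seen";
const EVENT_URL = "/api/event";
const VALID_CHOICES = new Set(["all", "essential"]);

// Constructed Storage-like stub with the three methods the gate uses.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Fail closed: "true", "1", "yes" or a throwing storage (privacy mode,
// storage disabled) all resolve to "essential".
function readConsent(storage) {
  let raw = null;
  try { raw = storage.getItem(CONSENT_KEY); } catch (_) { raw = null; }
  return raw === "all" ? "all" : "essential";
}

function analyticsAllowed(storage) {
  return readConsent(storage) === "all";
}

// Banner handler: store a validated choice. Choosing "essential" also removes
// cr_seen, a consent-dependent key that must not survive withdrawal.
function setConsent(storage, choice) {
  if (!VALID_CHOICES.has(choice)) throw new TypeError("invalid consent choice: " + choice);
  storage.setItem(CONSENT_KEY, choice);
  if (choice === "essential") storage.removeItem(SEEN_KEY);
}

// "Cookie Settings" footer link: forget the preference so the banner shows again.
function resetConsent(storage) {
  storage.removeItem(CONSENT_KEY);
  storage.removeItem(SEEN_KEY);
}

// Per-page-load session id in the s_xxxxxxxx form of Section 3.4; WebCrypto
// where available (browsers, Node 19+), Math.random as a fallback.
function sessionId() {
  const bytes = new Uint8Array(4);
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === "function") {
    globalThis.crypto.getRandomValues(bytes);
  } else {
    for (let i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256);
  }
  return "s_" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Device class from viewport width; the breakpoints are assumed, not the site's.
function deviceClass(width) {
  if (width < 768) return "mobile";
  if (width < 1024) return "tablet";
  return "desktop";
}

const SID = sessionId(); // one id per page load, shared by every event on the page

// Builds the beacon payload, or returns null without consent. cr_seen is only
// written here, i.e. only once analytics consent has been confirmed.
function buildEvent(storage, name, viewportWidth, extra = {}) {
  if (!analyticsAllowed(storage)) return null;
  const returning = storage.getItem(SEEN_KEY) === "true";
  storage.setItem(SEEN_KEY, "true");
  return { event: name, sid: SID, device: deviceClass(viewportWidth), returning, ...extra };
}

// transport(url, body) wraps navigator.sendBeacon in a browser. Returns whether
// a beacon was sent; nothing reaches the transport without consent.
function sendEvent(storage, transport, name, viewportWidth, extra = {}) {
  const payload = buildEvent(storage, name, viewportWidth, extra);
  if (payload === null) return false;
  return Boolean(transport(EVENT_URL, JSON.stringify(payload)));
}

// Third-party pixels: inject(name) appends the vendor script tag in a browser.
// Returns the names actually loaded, an empty list under "Essential Only".
function loadTrackingPixels(storage, inject, names = ["meta-pixel", "tiktok-pixel"]) {
  if (!analyticsAllowed(storage)) return [];
  names.forEach(inject);
  return names.slice();
}
```

The point a reviewer would check is the direction of the default: a value that is absent, malformed, or injected by another script on the origin must never unlock tracking, and withdrawing consent must also discard state (cr_seen) that only existed because of it.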
10. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at dpo@castreal.io and we will delete the data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may also notify you by email (if we have your address) or through a prominent notice on our website.
We encourage you to review this policy periodically.
12. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- General inquiries: hello@castreal.io
- Data protection / privacy: dpo@castreal.io