§ Legal · Privacy

Privacy Policy

Last updated: May 2026

1. Who we are

Sobrn is an early-stage European AI infrastructure practice. Formal company registration details will be provided before any paid engagement where required.

Contact: privacy@sobrn.eu

2. What data we collect, and why

When you submit the contact form at /contact on this site, we collect the information described below.

In addition to AI Workflow Audit requests, the same contact form captures short “fit call” requests prior to commissioning an audit.

  • Full name — to address you correctly in correspondence.
  • Work email — to contact you regarding your request. This is the only channel we will use.
  • Company name, role, country — to assess whether your company is within our operational scope (EU/EEA only).
  • Headcount and AI API spend — optional fields used to prioritise review. “Prefer not to say” is available on both fields.
  • Request type — a value indicating whether you requested an audit or a fit call, used solely to route and review the enquiry.
  • Workflow description and related fields — to understand whether the audit is the right fit and to prepare the initial call.

We do not collect data for marketing. We do not add you to a mailing list. We do not share your data with third parties.

3. Legal basis (GDPR Article 6)

We process your data on the basis of legitimate interest (Art. 6(1)(f)) — specifically, to review and respond to your enquiry. Our legitimate interest is to evaluate whether an engagement is a good fit for both parties; this interest is not overridden by your rights given the professional B2B context of the enquiry.

By explicitly accepting this policy at submission time, you also provide consent (Art. 6(1)(a)) to our use of the data for that purpose. You may withdraw consent at any time; see section 8.

4. Data retention

We retain form submissions for a maximum of 24 months, or until your engagement is concluded — whichever comes first. Submissions from companies that do not proceed to an engagement are deleted at the 24-month point.

5. Technical data

Our server logs a hashed (SHA-256) representation of your IP address for the purpose of preventing automated abuse. The raw IP address is not stored. This hash is not linkable to you as an individual and is used solely for security purposes.

We may store your browser’s user-agent string alongside your submission. This is used only for diagnostic purposes if a technical issue is reported.

6. Cookies

This site does not use advertising or tracking cookies. The contact form sets a short-lived, HttpOnly CSRF protection cookie (no cross-site tracking) while you complete a submission.

The analytics service we use (see section 7) does not set cookies. It uses a short-lived hash derived from your IP address and user-agent, salted daily, to deduplicate page views — this hash cannot be reversed to identify you, is not shared, and is rotated every 24 hours.

7. Third-party services

This site loads exactly one third-party resource: a small JavaScript file from GoatCounter (goatcounter.com), a privacy-respecting, open-source analytics service hosted in the European Union (Netherlands). All other fonts, styles, and scripts are served from sobrn.eu infrastructure.

GoatCounter records, per page view: the path you visited, the referring URL (if any), your browser and operating system family (e.g. “Chrome on macOS”), screen size, and country (derived from your IP — your raw IP address is not stored). It does not use cookies, cross-site identifiers, or fingerprinting. See the GoatCounter privacy policy for full details.

The legal basis for this processing is our legitimate interest (Art. 6(1)(f)) in understanding aggregate usage of the site to improve it. You can block this script with any standard browser content blocker without affecting functionality of the site or the contact form.

We do not use advertising networks, marketing pixels, or any other third-party tracking on this site.

8. Your rights (GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (this does not affect processing prior to withdrawal)

To exercise any of these rights, email privacy@sobrn.eu. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).

9. Data security

Form data is stored in an encrypted-at-rest database on infrastructure located within the EU. Access to the raw data is restricted to authorised personnel only. We use HTTPS for all data in transit.

10. Changes to this policy

If we make material changes to this policy, we will update the “Last updated” date above. We will not retroactively change how we handle data already submitted under a prior version of this policy.