Privacy Policy

Effective date: November 5, 2025
Last updated: May 5, 2026

This policy explains what data Studio Elluvio collects, why we collect it, and what rights you have over it. It is written to comply with the EU General Data Protection Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), and applicable data protection laws in the Republic of Serbia.

If you have questions about anything in this policy, contact inquiries@elluvio.studio and we will respond within 30 days, or sooner if local law requires it.

1. What This Policy Covers

This policy applies to:

- The Studio Elluvio website (elluvio.studio) and any subdomains
- Communications with the studio by email, contact form, or messaging service (including WhatsApp Business)
- Personal data processed during client engagements, project delivery, and post-engagement maintenance
- Personal data collected indirectly, such as through referrals or third-party introductions

It does not apply to third-party websites linked from elluvio.studio. Each linked site has its own privacy policy, which we recommend reading before submitting personal data.

2. What We Collect

We collect only the personal data we need to operate the practice and deliver the service you've requested. Specifically:

Information you provide directly:

- Name, email address, phone number
- Company or brand name, website URL
- Project details, brief descriptions, or business context shared via form, email, WhatsApp, or document upload
- Any additional information you choose to share during a consultation, audit, or engagement

Information collected automatically:

- IP address, browser type, device type, operating system, referring URL — collected solely for hosting performance, security, and basic site analytics
- Essential cookies required for site functionality (described in Section 8)

Information from third parties:

- Occasionally, personal data is shared with us by a referral source (a mutual contact introducing a prospective client). When this happens, we treat the data with the same care as if you had submitted it directly, and we will inform you of the source upon first contact, as required by GDPR Article 14.

We do not collect special category data (health, biometric, religious, political, sexual orientation, etc.) unless it is strictly necessary for a specific engagement, in which case we will obtain explicit consent first and document a Data Protection Impact Assessment if applicable.

3. Why We Collect It

We process personal data for the following purposes:

- To respond to inquiries - answering your form submission, email, or message
- To deliver requested services - fulfilling consulting, design, development, or production work you have engaged us for
- To communicate during engagements - sending project updates, proposals, invoices, or relevant information
- To improve the website and services - using aggregated, non-identifying analytics to understand how the site is used
- To maintain operational records - storing project files, client correspondence, and contracts for the duration required by tax, accounting, and legal regulations
- To comply with legal and contractual obligations - including invoicing, tax reporting, and dispute resolution

We do not:

- Sell, rent, or trade your personal data to anyone, ever
- Use your personal data for advertising or marketing without your explicit, opt-in consent
- Use automated decision-making or profiling that has legal or significant effects on you
- Process your data for any purpose not listed in this policy without first obtaining your consent

4. Legal Basis for Processing

Under GDPR Article 6, every act of processing personal data must rest on a lawful basis. We rely on the following:

- Consent - when you fill out a form, opt-in to a communication, or explicitly agree to processing for a specific purpose. You may withdraw consent at any time.
- Contractual necessity - when processing is required to deliver a service you've engaged us for, or to take steps at your request before entering into a contract.
- Legitimate interest - for routine business operations such as security, fraud prevention, basic website analytics, and improving our services. We balance these interests against your rights and freedoms, and you may object at any time.
- Legal obligation - when we are required by law to retain data (tax records, anti-money-laundering checks, etc.) or to respond to lawful requests from authorities.

Under UAE Personal Data Protection Law, similar lawful bases apply, with additional protections for cross-border transfers (described in Section 6).

5. How Long We Keep It

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, plus any legally required retention periods. Specific retention periods:

| Data Category | Retention Period |
| --- | --- |
| Inquiry form submissions and initial correspondence | 24 months from last contact |
| Active client project files and correspondence | Duration of engagement, plus 7 years for tax/legal compliance under EU and UAE accounting law |
| Contracts, invoices, and financial records | 7 to 10 years depending on jurisdiction |
| Marketing consent records | Until consent is withdrawn |
| Website analytics and server logs | 14 months for analytics, 30 days for raw server logs |
| Backups containing personal data | 30 to 90 days, after which backups are securely destroyed |

When data is no longer required for the original purpose and is not subject to a legal retention obligation, we securely delete or anonymize it.

You may request earlier deletion of your data at any time, subject to our legal obligations to retain certain records (Section 9 explains your rights in detail).

6. Who We Share Data With

We share personal data only with carefully selected service providers who help us operate the practice. Each provider is bound by a Data Processing Agreement that requires them to handle your data with the same standards described in this policy.

We do not share your data with advertising networks, data brokers, or third parties for marketing purposes.

International transfers: Some processors are located outside your country of residence. When personal data is transferred internationally - including transfers between the EU, the UAE, and Serbia - we apply the following safeguards:

- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU to third countries
- Equivalent contractual safeguards required under UAE Federal Decree-Law No. 45 of 2021 for transfers from the UAE
- Adequacy decisions, where they apply (Serbia is recognized as an adequacy country by the European Commission)
- Supplementary technical and organizational measures where required by Schrems II

Documentation of these safeguards is available on request to inquiries@elluvio.studio.

Legal disclosures: We may disclose personal data if required by law, court order, or lawful request from a regulatory or law enforcement authority. We will notify you of such requests where legally permitted.

7. Cookies and Tracking

The Studio Elluvio website uses only essential cookies required for basic site functionality, set by our hosting provider (Webflow). These are necessary for the site to load and operate correctly.

We do not use:

- Analytics cookies (no Google Analytics, Hotjar, Mixpanel, or similar tools)
- Advertising or remarketing cookies
- Third-party tracking pixels (Facebook, LinkedIn, TikTok, etc.)
- Cross-site behavioral profiling
- Any cookies that personally identify you for marketing purposes

We use Google Search Console to monitor how the site appears in search results, but Search Console operates server-side and does not place cookies on your browser or collect personal data from visitors.

If we ever introduce non-essential cookies or third-party analytics in the future, we will update this policy and present a cookie consent banner that allows you to opt in or opt out before any such cookies are set.

You may control or delete cookies through your browser settings, though disabling essential cookies may affect site functionality.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Under GDPR (EU residents):

- Right of access - request a copy of the personal data we hold about you
- Right to rectification - request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") - request deletion of your data, subject to legal retention obligations
- Right to restrict processing - request that we limit how we use your data
- Right to data portability - receive your data in a structured, machine-readable format
- Right to object - object to processing based on legitimate interest, including profiling
- Right to withdraw consent - at any time, where processing is based on consent
- Right to lodge a complaint with your local supervisory authority (for EU residents, your national data protection authority)

Under UAE PDPL (UAE residents):

- Similar rights apply, including rights of access, correction, deletion, objection, and withdrawal of consent
- The right to lodge a complaint with the UAE Data Office

Under Serbian data protection law (Serbian residents):

- Rights aligned with GDPR, with the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik).

To exercise any of these rights, contact inquiries@elluvio.studio. We will respond within 30 days (or sooner if local law requires), and we will not charge a fee unless your request is manifestly unfounded or excessive.

9. Data Security

We apply technical and organizational safeguards to protect personal data from unauthorized access, alteration, disclosure, or destruction. These include:

- Encrypted data storage and transmission (HTTPS, encrypted email where supported)
- Restricted access controls - only personnel who require data for their role can access it
- Regular security reviews of systems and third-party processors
- Secure deletion procedures when data reaches the end of its retention period
- Staff training on data handling and privacy obligations

No system is completely immune to risk. If we ever experience a personal data breach that poses a risk to your rights and freedoms, we will:

- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34
- Document the breach, our response, and any remediation measures taken

10. Children’s Privacy

The Studio Elluvio website and services are not directed to individuals under 16 years of age (or the local age of digital consent, whichever is higher). We do not knowingly collect personal data from minors.

If you believe a child has provided us with personal data, please contact inquiries@elluvio.studio so we can delete it promptly.

11. Changes to This Policy

We may update this policy from time to time to reflect operational changes, legal developments, or new processors. Significant changes will be communicated to active clients by email and posted on this page with an updated "Last updated" date.

We recommend reviewing this policy periodically. Continued use of the website or services after changes are posted constitutes acceptance of the updated policy.

12. Contact and Complaints

For all privacy-related matters:
Email: inquiries@elluvio.studio
For complaints, you have the right to contact your local data protection authority directly

The studio operates from Dubai, Salzburg, and Belgrade - across the UAE, the EU, and the Balkans. Business hours are Monday to Friday, 9 AM - 5 PM CET. We aim to respond to privacy inquiries within one business day, and to formal data subject requests within 30 days as required by law.
