Privacy Policy

How TopCMS collects, uses, retains and protects personal data — written for clarity and compliance with GDPR and Ukrainian privacy law.

Last updated: 8 May 2026
Effective date: 8 May 2026

This Privacy Policy explains what personal data TopCMS ("we", "us", "our") collects when you visit topcms.space/ or engage us as a client, why we collect it, how we use it, who we share it with, and the rights you have over your data. We've written it in plain language and structured it to satisfy the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Ukrainian Law on Personal Data Protection.

If anything below is unclear, write to [email protected] — we’ll explain in plain language and in writing.

1. Who we are

TopCMS is a CMS engineering studio operating at topcms.space/. For the purposes of this policy, the data controller is TopCMS, contactable at [email protected]. If you are an EU resident exercising rights under GDPR, this is the contact point for all data-subject requests.

2. What personal data we collect

We collect only the data we genuinely need to deliver our services and run the website. Specifically:

2.1. Data you provide directly

  • Lead form submissions: name, email, company name (optional), phone (optional), project description and budget range that you submit through any form on the site.
  • Email correspondence: any data you choose to share when emailing us — quotes, briefs, attachments, follow-up messages.
  • Discovery call recordings: only when you explicitly consent at the start of the call. We never record without consent.
  • Contractual data: if we engage on a project — invoicing details, signed Statement of Work, project credentials and any other data needed for service delivery.

2.2. Data collected automatically

  • Server access logs: IP address, user-agent string, requested URL, referer, timestamp. Retained for 30 days for security and abuse-prevention purposes.
  • Analytics events: page views, scroll depth, click events on key elements (CTA, navigation, search). Anonymized — IP addresses are truncated before storage.
  • Cookies and local storage: session cookies, theme preference (light/dark), language preference, consent status. See section 4.

We do not collect: payment card data (handled directly by Stripe / Wise / Wayforpay — we never see card numbers); biometric data; health data; political opinions; religious beliefs; trade-union membership; sexual orientation; or any other special category of personal data under GDPR Article 9.

3. How and why we use your data

Each category of data has a specific lawful basis under GDPR Article 6:

  • To respond to inquiries (Art. 6(1)(b) — pre-contractual measures): we use lead-form data and email correspondence to send proposals, schedule discovery calls and answer questions.
  • To deliver paid services (Art. 6(1)(b) — contract performance): we use contractual data to scope, build, deploy and maintain projects we’re engaged on.
  • To improve the site (Art. 6(1)(f) — legitimate interest): we use anonymized analytics to understand which content pages are useful, fix broken flows and optimize performance.
  • To prevent abuse and security incidents (Art. 6(1)(f) — legitimate interest): server access logs and cookie-based session data help us detect bot traffic, brute-force attempts and scraping.
  • To comply with legal obligations (Art. 6(1)(c)): we retain invoicing and contractual records for the period required by Ukrainian tax law (7 years).
  • To send marketing communication (Art. 6(1)(a) — consent): only if you explicitly opt in. We do not buy email lists; we do not send unsolicited cold pitches.

4. Cookies and similar technologies

This site uses cookies and local storage. They fall into three categories under the EU ePrivacy Directive:

4.1. Strictly necessary cookies

Required for the site to function — session ID, CSRF protection, language preference, theme preference. These cannot be disabled. Lawful basis: legitimate interest (essential function); ePrivacy exemption applies.

4.2. Analytics cookies

We use Google Analytics 4 with IP anonymization, no Google Signals, no advertising features. Cookie names: _ga, _ga_*. Retention: 14 months. Lawful basis: consent. You can opt out via the cookie banner on first visit, or by sending us a request at any time.

4.3. Marketing cookies

We do not use marketing or advertising cookies. We do not run remarketing. We do not embed third-party trackers (Facebook Pixel, LinkedIn Insight, etc.). If we ever add any, we’ll update this policy and request fresh consent before activation.

5. Third-party services

We use carefully chosen third-party services to deliver our work. Each one processes a defined slice of personal data under its own privacy policy:

  • Hosting provider: Hetzner / DigitalOcean / Cloudways (depending on plan) — processes server logs and uploaded site data. See the Hetzner and DigitalOcean privacy policies.
  • Email delivery: Amazon SES (transactional) and Postmark (occasionally) — processes outbound email content and recipient addresses.
  • CDN: Cloudflare — processes IP addresses and request metadata for caching and DDoS protection. See the Cloudflare privacy policy.
  • Analytics: Google Analytics 4 (anonymized, consent-required). See the Google privacy policy.
  • Form submissions: Fluent Forms (self-hosted on this site — no external SaaS).
  • Project management (during active engagement): Linear or Asana for issue tracking; Slack for client communication; Google Workspace for documents. We use these only after a Statement of Work is signed.
  • Payment processing: Stripe / Wayforpay / Wise — we do not store card data ourselves. See the Stripe privacy policy.

We do not sell your data to third parties. We do not share it for advertising or marketing purposes. The only sharing happens with the processors listed above, strictly to deliver the service you’ve engaged us for.

6. Data retention

  • Lead-form submissions (no contract): 12 months from submission, then deleted.
  • Active client data: for the duration of the engagement, plus 30 days post-launch grace period.
  • Invoicing & contractual records: 7 years (Ukrainian tax-law requirement).
  • Server access logs: 30 days.
  • Analytics events: 14 months in Google Analytics, after which Google deletes them automatically.
  • Email correspondence: retained while professionally relevant, anonymized or deleted on request.

7. Your rights under GDPR and Ukrainian law

If you are an individual whose personal data we hold, you have the following rights. We respond to all requests within 30 days at no cost:

  • Right of access (Art. 15): a copy of all personal data we hold about you, with information on processing purposes and recipients.
  • Right to rectification (Art. 16): correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 — “right to be forgotten”): deletion of your data when it’s no longer needed and there is no legal obligation to keep it.
  • Right to restrict processing (Art. 18): we’ll keep the data but stop using it while a dispute is being resolved.
  • Right to data portability (Art. 20): a machine-readable export of data you provided to us, transferable to another controller.
  • Right to object (Art. 21): for processing based on legitimate interest — we’ll stop unless we can demonstrate compelling grounds that override your rights.
  • Right to withdraw consent (Art. 7(3)): at any time, and as easy as giving it. Withdrawal doesn’t affect the lawfulness of prior processing.
  • Right to lodge a complaint with a supervisory authority: in Ukraine — the Office of the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua); in the EU — your local Data Protection Authority.

To exercise any right, email [email protected] with the subject line “Privacy request” and a brief description of what you want. We may ask for proof of identity to prevent unauthorized access — we’ll explain exactly what proof and why.

8. International data transfers

Some of our processors (Google, Cloudflare, Amazon SES) operate servers outside the European Economic Area and Ukraine — primarily the United States. When transferring personal data internationally, we rely on the European Commission’s adequacy decisions where applicable, or on Standard Contractual Clauses (SCCs) approved by the European Commission. We have signed Data Processing Agreements with each processor that include the required safeguards.

9. Security measures

  • Encryption in transit: all traffic to and from topcms.space/ uses TLS 1.3.
  • Encryption at rest: production databases use volume-level encryption (AES-256).
  • Access control: 2FA enforced on all admin accounts; principle of least privilege; audit log for all admin actions.
  • Backups: daily off-site encrypted backups; 30-day retention with point-in-time recovery.
  • Vulnerability management: weekly security patching for WordPress core, plugins, OS packages; quarterly third-party penetration testing.
  • Incident response: defined breach-notification procedure compliant with GDPR Art. 33-34 — affected individuals informed within 72 hours of a confirmed breach.

10. Children’s privacy

Our services target businesses, not minors. We do not knowingly collect personal data from anyone under 16. If you are aware that a child has submitted personal data to us, please contact us immediately at [email protected] and we will delete it.

11. Changes to this policy

We update this policy when our practices change or when new legal requirements come into effect. The “Last updated” date at the top of the page reflects the most recent revision. For material changes — e.g., a new third-party processor, a new data category, a change to retention periods — we’ll notify you by email if we have an active engagement, and post a banner on the site for 30 days. Continued use of the site after the effective date of changes constitutes acceptance.

12. Contact

For all privacy-related questions, requests or complaints:

  • Email: [email protected] (subject: Privacy request)
  • Postal: available on written request — we’ll provide a registered postal address for legal correspondence within 7 days.
  • Response time: within 30 days for GDPR requests; within 7 business days for general inquiries.

You may also contact a supervisory authority directly. In Ukraine, this is the Office of the Ukrainian Parliament Commissioner for Human Rights (Verkhovna Rada Ombudsman) at ombudsman.gov.ua. In the EU, your local Data Protection Authority — a list is maintained by the European Data Protection Board at edpb.europa.eu.