LEGAL · PRIVACY POLICY
Privacy Policy.
Last updated: 29 April 2026 Effective: 29 April 2026
This document covers the processing of personal data in connection with the use of capila.io and your communication with us. The processing of personal data when we provide accounting, payroll, tax, and advisory services is governed by a separate Data Processing Agreement (DPA) that we conclude with each client — see section 4.
This document describes how Capila s.r.o. processes personal data in connection with the use of capila.io and your communication with us — that is, data of website visitors, people who contact us, newsletter subscribers, job applicants, and clients' contact persons. Processing follows Regulation (EU) 2016/679 (GDPR) and Slovak Act No. 18/2018 Coll. on the Protection of Personal Data.
1. Controller
The controller of personal data is:
Capila, s. r. o. Registered office: Bottova 2/A, 811 09 Bratislava — Staré Mesto, Slovak Republic ID No. (IČO): 54 649 447 Tax No. (DIČ): 2121756725 VAT No. (IČ DPH): SK2121756725 Registration: Commercial Register of the Bratislava III City Court, section: Sro, file no. 161568/B
Contact for data protection matters: Email: info@capila.io Phone: +421 908 191 865
Capila has not appointed a Data Protection Officer (DPO) under Article 37 GDPR — we are not legally required to do so. The contact above handles all questions and requests.
2. What personal data we process
Depending on how you interact with us, we process the following categories of personal data:
Visitors to capila.io IP address, browser and device data, date and time of visit, pages visited, and interactions. Cookie details are governed by the separate Cookies page.
Leads (prospective clients) Data you provide via contact form, email, or when booking a call through Calendly: first and last name, email, phone, company name and ID number, position, and the content of your inquiry.
Clients' contact persons Identification and contact details of the people who represent the client in our relationship — name, position, email, phone, and the content of communications.
Job applicants CV, cover letter, contact details, and any other information the applicant provides.
Newsletter subscribers Email address and, optionally, name.
3. Purposes and legal bases
We process personal data only for specific, predefined purposes and always on one of the legal bases set out in Article 6 GDPR.
Pre-contractual and contractual relations (Art. 6(1)(b) GDPR) Handling inquiries, preparing quotes, communicating around contract conclusion, maintaining client business contacts.
Compliance with legal obligations (Art. 6(1)(c) GDPR) In particular, retention of contractual and invoicing documentation under Slovak Act No. 431/2002 Coll. on Accounting and Act No. 222/2004 Coll. on VAT.
Legitimate interest (Art. 6(1)(f) GDPR) Website security and stability, prevention and detection of misuse, maintaining a database of business contacts, improving website content, protection of legal claims, direct marketing toward existing clients within the scope of the services provided.
Consent (Art. 6(1)(a) GDPR) Newsletter, optional cookies (analytics and functional), retention of applicant CVs beyond the current selection process.
You may withdraw consent at any time by emailing info@capila.io or via the method specified in the relevant notice (for example, the unsubscribe link in the newsletter). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
4. Processing in connection with accounting services
When providing accounting, payroll, tax, and advisory services, we process personal data entrusted to us by the client (in particular, data of the client's employees, suppliers, and business partners) as a processor under Article 28 GDPR. The client remains the controller of this data.
This processing is not governed by this document but by a separate Data Processing Agreement (DPA), which we conclude with the client as an annex to the service agreement. We process the data exclusively under the client's instructions and for the purposes agreed in the contract.
If you are a data subject of a Capila client (for example, an employee) and want to exercise your rights, please contact the client as the controller. Capila will support the client in handling such requests.
5. Retention
We keep personal data only as long as necessary to fulfil the purpose of processing or as required by law.
| Data category | Retention period |
|---|---|
| Contact form data and business communication | 3 years from last contact |
| Contractual and invoicing documentation | 10 years (Section 35 of Act No. 431/2002 Coll.) |
| Applicant CVs | 1 year from the end of the selection process (longer only with consent) |
| Newsletter | Until consent is withdrawn |
| Cookies | By type (see Cookies) |
| Web logs and security records | At most 12 months |
Once the retention period expires, we securely delete or anonymise the data.
6. Recipients and processors
We do not share personal data with third parties except where necessary to operate the website and our communications, or where required by law. We may share data with:
- Processors who provide website and internal-system operations on our behalf (full list below).
- Capila's professional advisors (lawyers, auditors) to the extent necessary.
- Public authorities to the extent and under conditions established by law.
We have Article 28 GDPR contracts in place with all processors.
Current list of processors for the capila.io website:
| Processor | Purpose | Data processed | Location |
|---|---|---|---|
| Vercel Inc. | Website hosting and serverless functions | IP address, browser data, request content | USA (SCC under Art. 46 GDPR) |
| Cloudflare, Inc. | Bot protection (Turnstile) | IP address, browser data, challenge token | USA (SCC under Art. 46 GDPR) |
| Wildbit, LLC (Postmark) | Transactional email delivery (confirmations, contact form) | Email, name, message content | USA (SCC under Art. 46 GDPR) |
| Notion Labs, Inc. | Internal lead-management database | Name, email, company, inquiry content, language | USA (SCC under Art. 46 GDPR) |
| PostHog Inc. | Anonymous website analytics (with consent only) | Pseudonymous identifier, pages visited, interactions | EU (Frankfurt, eu.i.posthog.com) |
| Calendly LLC | Call booking (optional, when you click) | Name, email, booking time | USA (SCC under Art. 46 GDPR) |
| Google LLC | Embedded office-location map (Google Maps Embed) | Visitor IP address when the map is displayed | USA (SCC under Art. 46 GDPR) |
For all processors outside the EEA we have Standard Contractual Clauses (SCCs) approved by the European Commission in place under Art. 46(2)(c) GDPR. Several of these processors are also certified under the EU–U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023). The current version of this list is also available on request at info@capila.io.
7. Transfers to third countries
Some processing takes place with processors established in the United States (Vercel, Cloudflare, Postmark, Notion, Calendly, Google) — see the table in section 6. For every such transfer we ensure an appropriate level of protection via Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914 under Art. 46(2)(c) GDPR. Several of these processors are additionally certified under the EU–U.S. Data Privacy Framework.
Analytics (PostHog) is hosted in the European Union (Frankfurt) and analytics data does not leave the EEA.
8. Your rights
As a data subject, you have the following rights under GDPR and Slovak Act No. 18/2018 Coll.:
- Right of access to your personal data and information about its processing (Art. 15 GDPR).
- Right to rectification of inaccurate or incomplete data (Art. 16 GDPR).
- Right to erasure ("right to be forgotten") under the conditions of Art. 17 GDPR.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability in a structured, commonly used, and machine-readable format (Art. 20 GDPR).
- Right to object to processing based on legitimate interest or for direct marketing (Art. 21 GDPR).
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with a supervisory authority.
You can exercise your rights by emailing info@capila.io or in writing at our registered office. We respond within 30 days; in more complex cases, we may extend this by a further two months and will inform you accordingly. We may ask for additional information to verify your identity.
If you believe we are processing your data in breach of the law, you have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection of the Slovak Republic Hraničná 12, 820 07 Bratislava 27 www.dataprotection.gov.sk
9. Cookies
The capila.io website uses necessary, analytics, and functional cookies. We do not use marketing or third-party tracking cookies. Details and settings are on the dedicated Cookies page.
10. Data security
We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, loss, or destruction. These include encryption in transit (HTTPS), controlled system access, multi-factor authentication, contractual confidentiality of the Capila team, and regular review of security measures.
In the event of a personal data breach likely to result in a high risk to your rights, we will inform you without undue delay in line with Article 34 GDPR.
11. Changes to this policy
We may update this document from time to time, particularly in response to legal changes, tools used, or website scope. We will notify you of material changes via the website or email at least 30 days before they take effect. The current version is always available on this page with the effective date.