Privacy notice
How we handle your data.
This notice explains how SteelAxis OS handles personal data on steelaxis.eu. It is written for the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). Plain English, no boilerplate.
v1 draft — reviewed against GDPR Articles 13 / 14 / 30. Will be replaced with a full counsel-reviewed policy before general availability.
1. Who is the controller
SteelAxis OS, an early-stage product run by Matiss Petersons. Contact for any privacy matter: matiss@steelaxis.eu. We’re not large enough to be required to appoint a Data Protection Officer, but Matiss handles every inbound privacy request personally.
2. What we collect on this page
When you join the waitlist, we collect:
- Your email address (required) — so we can deliver what we promised at signup.
- Shop name (optional) — helps Matiss respond meaningfully when you reply.
- Country (optional, dropdown) — tells us roughly which EU jurisdictions our waitlist clusters in.
- Marketing-attribution tags if your link arrived with them (e.g. utm_source=tiktok) — helps us know which channels work. These are non-personal.
- The timestamp of your signup — for our own audit trail.
We do not use any analytics SDKs, tracking pixels, or advertising cookies. There is no Google Analytics, no Meta pixel, no Hotjar, no LinkedIn Insight Tag. The only browser storage we use is a single localStorage entry (sa-theme) that remembers whether you chose light or dark mode — not personal data and never sent to our servers.
3. Why we collect it and on what legal basis
Lawful basis: your consent, under GDPR Article 6(1)(a), given by ticking the consent box before you submit the form. You can withdraw that consent at any time (see § 7).
Purposes are limited to:
- Sending you the monthly DPP / CPR briefing.
- Delivering the DPP and CPR readiness guide when it publishes.
- Notifying you when onboarding opens for early access.
- Replying directly if you write back — Matiss reads every reply.
We do not use your data to profile you, train models, or generate inferences about you.
4. Who else sees it (recipients)
We use two processors. Both act on our written instructions only:
- Resend sends the welcome and briefing emails. Operated by Resend, Inc. We use Resend’s EU region — your email and the message content are stored in Ireland (AWS eu-west-1). No transfer outside the EU/EEA.
- Airtable stores the signup row. Operated by Formagrid Inc. in the United States. Transfers are covered by the EU–US Data Privacy Framework (Airtable is certified) and the European Commission’s Standard Contractual Clauses (Decision 2021/914).
We do not sell your data, share it with advertisers, or disclose it to anyone else except where the law compels us (a valid court order or equivalent).
5. International transfers
Resend stores data inside the EU (Ireland) — no transfer outside the EU/EEA. Airtable is US-hosted; that transfer is covered by the EU–US Data Privacy Framework and Standard Contractual Clauses (Decision 2021/914). If either safeguard becomes invalidated, we’ll migrate to an EU-hosted alternative for Airtable as well.
6. How long we keep it
Until you ask us to delete it, or until SteelAxis OS sunsets — whichever comes first. If you stop responding to the briefings for 24 months we’ll proactively delete your row from Airtable and stop sending you mail.
7. Your rights under GDPR
You have the right to:
- Access a copy of the data we hold on you.
- Rectify incorrect information.
- Erase your data (“right to be forgotten”).
- Restrict how we process it.
- Port it to another controller, in a machine-readable format.
- Withdraw consent at any time — this doesn’t affect the lawfulness of past processing.
- Complain to your data protection authority. In Latvia that’s the Data State Inspectorate (dvi.gov.lv). Equivalent bodies exist in every EU member state.
To exercise any of these rights, email matiss@steelaxis.eu. We’ll respond within a working day — never more than the 30-day GDPR maximum.
8. Security
The site runs over HTTPS only. We don’t take payment data on this page. Server-side logs hash email addresses (SHA-256, first 12 hex chars) so the raw email never appears in an operational log line. Airtable and Resend both encrypt data at rest and in transit.
9. Updates to this notice
If we materially change how we handle data, we’ll update this page and email everyone on the waitlist before the change takes effect.
Last updated 2026-05-19. Questions, requests, or complaints? Email matiss@steelaxis.eu.