Privacy Policy
1. Introduction & Identity of the Data Controller
This Privacy Policy describes how Phoenix Insights, the trading name of Olga Tsatsani (sole trader), collects, uses, stores, and shares personal data when you visit our website or engage with our services.
Data Controller: Olga Tsatsani trading as Phoenix Insights
VAT number: 145572234
GEMI registration: 188391603000
Address: 7 Narcissou St., Neo Irakleio, Greece
Email: hello@phoenixinsights.gr
We are subject to Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Greek Law 4624/2019. Our services are directed exclusively to business clients (B2B). This website is not intended for, and we do not knowingly collect data from, consumers or individuals under 18.
2. What Personal Data We Collect
2.1 Contact Form
When you submit an enquiry via our contact form, we collect:
- Name — to identify you and address you correctly
- Email address — to respond to your enquiry
- Project description — free-text information about your project or requirements
Form submissions are transmitted either directly to our business email address or via a third-party form processing service (currently Formspree, Inc. — see Section 5). We do not store form data on our own servers beyond what arrives in our inbox.
2.2 Analytics & Usage Data
With your prior consent (see Section 4 on Cookies), we use analytics services to understand how visitors interact with our website. The service currently active on this site is:
- Microsoft Clarity — session recordings, heatmaps, scroll depth, click patterns
We may in future activate additional services including Google Analytics 4 (page views, traffic sources, device data) and PostHog (event tracking, user flows). This policy will be updated accordingly before any such activation. These services may collect your IP address (which they partially anonymise), browser type, operating system, referral URL, and interaction data. They operate under their own privacy policies (linked in Section 5). No analytics service is activated without your consent.
2.3 Research & Engagement Data (Service Clients Only)
When we conduct UX research or neuro-research engagements on behalf of a client organisation, we may process:
- Contact information of the client's designated representatives (name, email, role)
- Biometric / neurological data from research participants: EEG signals, eye-tracking gaze data, emotional valence scores — classified as special category data under GDPR Article 9
- Behavioural interaction data recorded via online heatmap or session-recording tools, where remote research sessions are conducted
The processing of research participant data is governed by separate participant information sheets and explicit consent forms provided at the point of research. Phoenix Insights acts as data controller for research data collected under its own methodology, and as data processor where the client is the controller of their end-user data.
2.4 Data Collected Automatically
Our web hosting infrastructure may automatically log standard server-access data (IP address, timestamp, page requested, HTTP status code). These logs are retained for security and diagnostic purposes only and are not used for profiling.
3. Legal Basis for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) | Where applicable |
|---|---|---|
| Responding to a contact form enquiry | Art. 6(1)(b) — steps prior to entering a contract; or Art. 6(1)(f) — legitimate interests | All enquiries |
| Analytics cookies & usage tracking | Art. 6(1)(a) — consent | Google Analytics, PostHog, Microsoft Clarity |
| Client contract management & invoicing | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (tax law) | Engaged clients |
| Biometric / EEG research data (participants) | Art. 9(2)(a) — explicit consent | Research engagements |
| Server access logs | Art. 6(1)(f) — legitimate interests (security, fraud prevention) | All visitors |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests do not override your rights, given the B2B context and the nature of the data processed.
4. Cookies & Tracking Technologies
We use a cookie consent mechanism. When you first visit the site, a banner will ask for your consent before any analytics are activated. You may change or withdraw your consent at any time by clicking "Cookie Settings" in the site footer.
Strictly Necessary Local Storage
We store your consent preference in your browser's localStorage (not an HTTP cookie) under the key phoenix-consent. This entry records whether you accepted or declined analytics, persists until you clear your browser storage, and is never transmitted to any server. It is strictly necessary for the consent mechanism to function and requires no consent itself.
Analytics (consent required — currently active)
| Provider | Purpose | Data transferred to | Duration |
|---|---|---|---|
| Microsoft Clarity (Microsoft Corp.) | Session recordings, heatmaps, scroll and click behaviour | USA (Standard Contractual Clauses) | Up to 13 months |
Microsoft Clarity involves transfer of personal data to the United States under Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU). Clarity is loaded only if you explicitly accept analytics cookies.
Analytics (referenced — not currently active)
The following services are documented for transparency as they may be activated in the future. This policy will be updated, and fresh consent will be sought, before any of these are deployed.
| Provider | Purpose | Data transferred to | Duration |
|---|---|---|---|
| Google Analytics 4 (Google LLC) | Aggregated usage statistics, traffic sources, device data | USA (Standard Contractual Clauses) | Up to 2 years |
| PostHog (PostHog Inc.) | Event tracking, user flows, product analytics | EU cloud or USA (SCC), depending on configuration | Up to 1 year |
Google Fonts
Our website loads typefaces from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). A request to Google's servers is made to retrieve the font files; this may involve transmission of your IP address to Google. Google states it does not use this data to track individual users. If you prefer, you may use a browser extension to block third-party font requests.
5. Third-Party Processors & Recipients
We share personal data only where necessary and under data processing agreements (DPAs):
| Processor | Role | Data shared | Privacy policy |
|---|---|---|---|
| Microsoft Corp. (Clarity) | Data processor — currently active | Session recordings, heatmap data | privacy.microsoft.com |
| Google LLC (Analytics — not active) | Data processor | Pseudonymised usage data | policies.google.com/privacy |
| PostHog Inc. (not active) | Data processor | Event & interaction data | posthog.com/privacy |
| Formspree, Inc. (if applicable) | Data processor | Contact form submissions (name, email, project description) | formspree.io/legal/privacy-policy |
We do not sell, rent, or otherwise disclose personal data to third parties for their own marketing purposes. We may disclose data where required by applicable law or a lawful order by a competent public authority.
6. International Data Transfers
Some of our processors (Google, Microsoft, Formspree) are based in the United States. Transfers to these processors are made under Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU), which provide appropriate safeguards for the protection of your personal data. PostHog may store data within the EU/EEA; we will update this policy if that configuration changes.
7. Data Retention
| Category | Retention period | Reason |
|---|---|---|
| Contact form enquiries (not resulting in engagement) | 12 months from receipt | Legitimate interest in follow-up |
| Client contract records & invoices | 10 years | Greek tax and commercial law obligation |
| Analytics data | Per processor (see Section 4) | As per consent & processor policy |
| Research participant data (EEG, eye-tracking) | As specified in participant consent form; typically 5 years unless participant withdraws earlier | Scientific integrity; explicit consent |
| Server access logs | 90 days | Security diagnostics |
8. Your Rights Under GDPR
Subject to applicable conditions and limitations, you have the following rights:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16) — have inaccurate data corrected
- Right to erasure (Art. 17) — request deletion ("right to be forgotten"), subject to legal retention obligations
- Right to restriction of processing (Art. 18) — request that we limit how we use your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format where processing is based on consent or contract
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing
- Rights related to automated decision-making (Art. 22) — we do not make decisions about you based solely on automated processing
To exercise any of these rights, contact us at hello@phoenixinsights.gr. We will respond within 30 days. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ): https://www.dpa.gr.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include: encrypted data transit (TLS/HTTPS), access controls limited to authorised personnel, and data minimisation practices. No transmission over the internet is completely secure; we cannot guarantee absolute security, but we take our obligations seriously.
10. Research Participant Data — Special Category Notice
EEG and eye-tracking data constitute biometric data under GDPR Article 4(14) and are processed as special category data under Article 9. Such data is collected exclusively on the basis of explicit, informed, and freely given consent. Each research participant receives a participant information sheet and signs a separate consent form before any data is collected.
Where research is conducted remotely using screen-based tools (e.g., online heatmap software, remote eye-tracking platforms, or behavioural recording tools), participants are informed in advance of the tools in use and the data those tools capture. Participants retain the right to withdraw consent at any time and to request deletion of their data, subject to scientific integrity requirements agreed at the outset.
Research data is stored on password-protected, encrypted storage and shared only with the commissioning client organisation under a data processing or joint-controller agreement, as appropriate.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by a new "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of our website after any change constitutes acceptance of the updated policy.
12. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:
Olga Tsatsani trading as Phoenix Insights
7 Narcissou St., Neo Irakleio, Greece
hello@phoenixinsights.gr