Last updated: March 22, 2026
This Privacy Policy explains how Host Server SRL ("Company", "we", "us", "our"), operating the Pivlu platform ("Service"), collects, uses, stores, and protects your personal data. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable Romanian data protection laws.
Data Controller: Host Server SRL, VAT ID: RO46725988
Contact: office@pivlu.com
Website: https://pivlu.com
1.1 Account Data
When you create an account, we collect:
- Full name
- Email address
This data is necessary to provide the Service and is processed on the legal basis of contract performance (GDPR Article 6(1)(b)).
1.2 Payment Data
Payment processing is handled entirely by Stripe, Inc. We do not store your credit card numbers, bank account details, or other financial information on our servers. Stripe processes your payment data as an independent data controller under its own Privacy Policy.
We receive from Stripe only: transaction confirmation, last four digits of your card (for display purposes), and billing status.
1.3 Analytics Data
Our built-in web analytics (Pivlu Analytics) processes visitor IP addresses in real time to determine approximate geographic location, browser type, and device information. We do not store full IP addresses. Before any storage takes place, the last three digits of your IP address are permanently removed. The anonymised portion is used only for aggregate traffic analysis and cannot be used to identify you individually. The analytics data we retain is aggregated and does not contain personally identifiable information.
We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.
1.4 Usage Data
We automatically collect technical information when you use the Service, including:
- Browser type and version
- Operating system
- Pages visited within the platform
- Date and time of access
- Referring URL
This data is used to maintain, improve, and secure the Service, processed on the legal basis of legitimate interest (GDPR Article 6(1)(f)).
1.5 Content You Create
When you use the Service, you may upload or create content including website pages, invoices, bookings, contacts, documents, and other business data. This content is stored on our servers to provide the Service to you. We do not access, review, or use Your Content except as necessary to operate the Service or as required by law.
As a business platform, Pivlu processes data that you collect from your own customers, including:
- Booking customer details (name, email, phone)
- Invoice client information
- Website visitor registrations
- Contact and CRM records
- Form submissions
- E-commerce order details
In this context, you are the data controller and we are the data processor. We process this data solely on your instructions and for the purpose of providing the Service. You are responsible for obtaining appropriate consent from your customers and complying with applicable data protection laws regarding their data.
We recommend that you maintain your own privacy policy informing your customers about how their data is processed.
We use the data we collect to:
- Provide, operate, and maintain the Service.
- Process your subscription and billing.
- Send transactional emails (account confirmations, password resets, invoice notifications).
- Respond to your support requests and inquiries.
- Detect, prevent, and address security issues and abuse.
- Improve and develop new features for the Service.
We do not use your data for advertising. We do not send marketing emails.
The Service includes AI-powered features (AI Writer, AI Image Studio) that use the Anthropic Claude API to generate content. When you use these features:
- The text prompts and instructions you provide are sent to Anthropic's servers for processing.
- Anthropic processes this data to generate the requested content and returns it to us.
- Anthropic does not use your prompts to train its models (per its Privacy Policy for API usage).
- Generated content is stored on our servers as part of your account data.
You should avoid including sensitive personal data in AI prompts. AI features are optional and you can use the Service without them.
We use only essential cookies required for the Service to function:
- Session cookie — maintains your login session. Expires when you close your browser or after inactivity.
- CSRF token — protects against cross-site request forgery attacks. Essential for security.
- Preferences — stores your interface preferences (e.g., dark mode). Persistent.
We do not use advertising cookies, tracking cookies, or third-party cookies. Our built-in analytics (Pivlu Analytics) operates without cookies.
We share data with the following third-party service providers, strictly for the purpose of operating the Service:
Stripe, Inc. (San Francisco, USA)
Purpose: Payment processing
Data shared: Payment information you provide during checkout
Privacy Policy: stripe.com/privacy
GDPR compliance: EU-US Data Privacy Framework certified
Postmark (ActiveCampaign) (USA)
Purpose: Transactional email delivery
Data shared: Recipient email address, email content
Privacy Policy: postmarkapp.com/privacy-policy
Anthropic, PBC (San Francisco, USA)
Purpose: AI content generation (AI Writer, AI Image Studio)
Data shared: Text prompts you submit to AI features
Privacy Policy: anthropic.com/privacy
Note: API usage data is not used for model training
ClickHouse, Inc.
Purpose: Analytics data storage and processing
Data shared: Aggregated, non-personally-identifiable analytics data
Note: Self-hosted on our infrastructure, no IP addresses stored
We do not sell, rent, or share your personal data with any other third parties.
Your data is stored on servers operated by Akamai (Linode), located in the European Union (France and Germany). All data remains within the EU.
We implement the following security measures:
- Encryption in transit (TLS/SSL) for all connections.
- Encryption at rest for sensitive data (credentials, API keys).
- Isolated databases per tenant (multi-tenant architecture with separate databases).
- Regular security updates and patches.
- Access controls and authentication for administrative access.
- Automated backups with secure storage.
We retain your data for the following periods:
- Active accounts: Data is retained for the duration of your subscription.
- After cancellation: Data is retained for 30 days to allow for reactivation or export, then permanently deleted.
- After trial expiration: Data is retained for 30 days, then permanently deleted.
- Transactional records: Invoice and payment records may be retained for up to 10 years to comply with Romanian tax and accounting regulations.
- Analytics data: Aggregated analytics data is retained for the life of the account and deleted upon account termination.
As a data subject in the European Union, you have the following rights:
Right of access — You can request a copy of all personal data we hold about you.
Right to rectification — You can request correction of inaccurate or incomplete data. You can also update your information directly in your account settings.
Right to erasure ("right to be forgotten") — You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it.
Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
Right to restriction of processing — You can request that we limit how we use your data in certain circumstances.
Right to object — You can object to processing based on legitimate interest.
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at office@pivlu.com. We will respond within 30 days as required by GDPR.
Your data is primarily stored within the European Union. When data is transferred to service providers outside the EU (Stripe, Postmark, Anthropic — all based in the USA), these transfers are protected by:
- The EU-US Data Privacy Framework, where applicable.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The service providers' own GDPR compliance commitments.
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware of the breach.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, its effects, and the remedial actions taken.
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or an in-app notification at least 14 days before the changes take effect.
Your continued use of the Service after the changes take effect constitutes your acknowledgment of the updated Privacy Policy.
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority. The relevant authority for Romania is:
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
Website: www.dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania
For any questions or requests regarding this Privacy Policy or your personal data, contact us:
Host Server SRL
Data Protection Contact: office@pivlu.com
VAT ID: RO46725988
Website: https://pivlu.com