Privacy Policy

How the Gebbora marketing website handles personal data: what we collect when you visit gebbora.com, why we collect it, how long we keep it, and the rights you have over it. Payment data is handled by Paddle, and Gebbora Greenhouse Simulator product data is covered by a separate Gebbora Greenhouse Simulator Privacy Policy — see Section 1.

Last updated:

1. Introduction

This Privacy Policy applies to personal data collected through the Gebbora marketing website at gebbora.com (the "Site") and through any future Gebbora platform-level account. It does not cover:

  • Payment data. Processed by Paddle.com Market Ltd ("Paddle") as Merchant of Record and an independent data controller for payment processing, under Paddle's own privacy notice. The Operator does not receive or store card details.
  • Gebbora Greenhouse Simulator product data. Simulation inputs, results, and credit records are covered by the separate Gebbora Greenhouse Simulator Privacy Policy at sim.gebbora.app/legal.

2. Who we are

The Site is operated by an individual residing in the United Arab Emirates, trading under the brand name "Gebbora" (the "Operator", "we", "us", "our"). No legal entity is currently incorporated.

A formal Data Protection Officer is not required for an operation of this size and data-processing footprint. The dpo@ alias is provided as a recognisable contact for data-protection requests; it routes to the same person as privacy@.

3. Personal data we collect via the Site

3.1 Contact-form submissions

When you use the contact form at /contact, we collect your name, your email address, a subject category (for example General, Partnership, Support), and the content of your message. This data is sent to the Operator's inbox by email via Resend (see Section 6) and is stored only in that inbox.

3.2 Server logs

The Site is hosted on Cloudflare Pages. Cloudflare automatically records standard web-request logs — IP address, user-agent, request path, response status, and timestamp — for security, anti-abuse, and debugging purposes. These logs are held by Cloudflare on the Operator's behalf.

3.3 Analytics

The Site uses Cloudflare Web Analytics — Cloudflare’s cookieless, privacy-preserving analytics product — to measure aggregated traffic patterns. We use this data to understand which pages are read, how people arrive at the Site (referrer), and approximate visitor counts, so that we can judge whether the Site is useful to its audience.

What is measured:

  • Page view events (path, referrer, user-agent, approximate location derived from IP at request time).
  • Aggregated visitor counts per page and per day.

How visitors are distinguished without tracking them. Cloudflare Web Analytics does not set cookies, does not assign persistent identifiers, and does not follow visitors across websites. Same-day deduplication is performed by hashing the visitor’s IP address together with a daily rotating key and the user-agent; the hash is used only to estimate unique visitors for that day, is not stored beyond the aggregation window, and cannot be reversed into an IP address.

No cross-site tracking. No advertising identifiers, no fingerprint profiles, and no data is sold or shared with third parties.

Processor. Cloudflare is already listed as a processor in Section 6 for hosting, CDN, and DNS; Web Analytics is part of the same data-controller relationship. Request-level data collected by the beacon is processed by Cloudflare on the Operator’s behalf under Cloudflare’s Data Processing Addendum.

Opt-out posture. Because no personal data is stored long-term and no cross-site profile is built, there is no individual opt-out mechanism — there is no profile to opt out of. We honour Global Privacy Control (GPC) and Do Not Track (DNT) browser signals where Cloudflare Web Analytics technically supports them; see the Cookie Policy for details.

Server-log data described in Section 3.2 is collected independently of Web Analytics and is covered by that section.

PostHog (product analytics). The Site also uses PostHog as a privacy-respecting product analytics tool, configured without cookies or persistent identifiers, to measure aggregate site usage and the journey from the marketing site into the Gebbora Greenhouse Simulator product. PostHog requests are routed through a first-party reverse proxy at posthog.gebbora.app, and the SDK is configured to keep its session identifier in memory only — no cookies and no localStorage entries are set in your browser. Session replay is disabled. PostHog Inc. acts as a data processor on the Operator’s behalf; see Section 6.

3.4 Cookies

The Site does not set any first-party cookies. The analytics product described in Section 3.3 is cookieless — it performs same-day deduplication using a non-reversible hash rather than a persistent identifier stored in your browser. See the Cookie Policy for a complete account of what is and is not set.

3.5 Platform accounts

Gebbora does not currently offer a platform-level account. If that changes, this Policy will be updated to describe account data (email, authentication tokens, account-creation timestamp) before any such account is offered.

3.6 Newsletter subscriptions

When you subscribe to the Gebbora newsletter via the “Get updates” form on the Site, or express interest in an upcoming product via a “Notify me” form, we collect your email address. This data is stored in our email audience list hosted by Resend (see Section 6) for the sole purpose of sending you product updates and announcements.

  • Data collected: email address only.
  • Purpose: sending periodic product updates, new feature announcements, and Gebbora team news. No third-party marketing.
  • Legal basis: consent — you actively submit your email address via the subscription form.
  • Unsubscribe: every email includes an unsubscribe link. You can also email privacy@gebbora.tech to request removal at any time.
  • Retention: your email address is retained in the audience list until you unsubscribe or request deletion.
  • Source: when a newsletter subscription arrives from a cross-product source — for example, a Gebbora Greenhouse Simulator signup with the optional opt-in box checked — we record a short source identifier (such as ggs-signup) and the locale you signed up in alongside your email address. This is used for analytics and segmentation only; the categories of use listed above already cover everything we do with it.

4. How we use your data

We use personal data collected via the Site to:

  • Respond to enquiries you submit through the contact form.
  • Send product updates and announcements to newsletter subscribers who have opted in via the subscription form (see Section 3.6).
  • Maintain the security and integrity of the Site — for example, using server logs to detect abuse or troubleshoot issues.
  • Comply with any applicable legal obligations.

We do not:

  • Use your data to train machine-learning models.
  • Sell your data to third parties for any purpose.
  • Send marketing communications to contact-form enquirers. The newsletter is a separate, voluntary opt-in.

5. Legal basis for processing (GDPR)

If you are located in the EEA or the United Kingdom, we process your personal data on the following legal bases:

  • Contract / pre-contract (Article 6(1)(b)). Responding to a contact-form enquiry is processing necessary to take steps at the data subject's request prior to entering into a contract, or to provide information that you have requested.
  • Legitimate interests (Article 6(1)(f)). Server logs are retained for security, abuse prevention, and operational debugging. These interests are not overridden by the data subject's privacy rights given the limited nature of the data and its short retention period.
  • Consent (Article 6(1)(a)). Newsletter subscriptions are based on your explicit consent when you submit your email address via the subscription form. You may withdraw consent at any time by unsubscribing.
  • Legal obligation (Article 6(1)(c)). We may retain certain records where required by applicable law.

6. Third-party processors and services

We rely on the following third parties to operate the Site. Each processes limited personal data strictly on our instructions, or as a separate data controller where indicated.

| Party | Role | Data involved | Location |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DNS, and Web Analytics; data processor for the Operator | Request logs (IP, user-agent, request path); aggregated page-view data via the Web Analytics beacon (hashed for same-day deduplication, no cross-site tracking) | Global CDN; Operator’s account preferred in an EU data region where available |
| PostHog Inc. | Product analytics; data processor for the Operator | Aggregated page-view and event data (no persistent identifier; no cookies; in-memory session id only). Routed via the first-party reverse proxy at posthog.gebbora.app. | PostHog EU Cloud (Frankfurt, Germany) |
| Resend, Inc. | Transactional email delivery for contact form; newsletter audience hosting and delivery; data processor | Contact form: name, email, subject, message content. Newsletter: email address and subscription status | eu-west-1 (Ireland) |
| Google LLC (Google Workspace) | Hosting of the Operator’s staff mailboxes (privacy@, legal@, hello@, and others); data processor | Any personal data you include in email to the Operator | EU region |
| Paddle.com Market Ltd | Merchant of Record and independent data controller for payment transactions on Gebbora products | Payment data (card, billing address, tax data) — collected and held by Paddle, not by the Operator | Global; see Paddle’s privacy notice |
| Gebbora Greenhouse Simulator | Linked product operated by the Operator under a separate Privacy Policy | Gebbora Greenhouse Simulator account email, simulation inputs, analysis results | See Gebbora Greenhouse Simulator Privacy Policy |

Paddle is a data controller in its own right for payment data; it is not our processor. The Operator does not receive or store payment-card details.

7. International data transfers

Our hosting (Cloudflare) uses a global content-delivery network; request logs may be stored and processed in multiple regions. Where personal data is transferred outside the EEA or the United Kingdom, we rely on one or more of: (a) an adequacy decision of the European Commission; (b) Standard Contractual Clauses incorporated into the processor's Data Processing Agreement; or (c) another lawful transfer mechanism.

8. Retention

  • Contact-form submissions: retained for up to 24 months from the date of receipt, unless the enquiry is part of an active legal matter, in which case it is retained for the period necessary for that matter.
  • Server logs (Cloudflare): retained for 30 days by default, then automatically deleted.
  • Newsletter subscriber data: retained in the Resend audience list until the subscriber unsubscribes or requests deletion, whichever comes first.
  • Google Workspace mailboxes: retained for the operational life of the Operator’s email account, subject to periodic clean-up.

9. Your rights

Depending on your location, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data, subject to legal retention obligations.
  • Portability — request your data in a portable, machine-readable format, where technically feasible for the small dataset involved.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdrawal of consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

If you are located in California (USA), you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, and the right to opt out of any sale of personal information. We do not sell personal information.

10. How to exercise your rights

To exercise any of the rights above, email privacy@gebbora.tech (or dpo@gebbora.tech) from the email address associated with your enquiry. We may ask you to verify your identity before acting on a request, and we will respond within 30 days of receipt of a verified request.

If you are located in the EEA or the United Kingdom and you believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data-protection supervisory authority. A list of EU supervisory authorities is published at edpb.europa.eu.

11. Children’s privacy

The Site is not directed at children. We do not knowingly collect personal data from anyone under 16 (if located in the EEA or the United Kingdom) or under 18 (elsewhere). If you believe a minor has submitted personal data through the Site, please contact privacy@gebbora.tech and we will delete it promptly.

12. Cookies

The Site does not set any first-party cookies for analytics, advertising, or user-profile tracking. Analytics is handled via a cookieless Cloudflare Web Analytics beacon (see Section 3.3). See the Cookie Policy for the full current list of cookies that may be set by hosting infrastructure and the statement of what may be added in future.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes — for example, the introduction of a platform-level account, a change of analytics provider, or any change that would introduce personal-data-setting cookies — will be announced on the Site’s homepage for at least 14 days before taking effect.

14. Contact

15. Effective date

This Privacy Policy is effective as of .