Privacy Notice

govlox.ai  ·  Last updated: 28 April 2026  ·  Version 1.1

Summary

This is a static marketing website. It sets no cookies of its own. It runs no analytics. It uses no tracking pixels or fingerprinting scripts. The site loads fonts and styles from files hosted on our own server. The only personal data we collect via this site is what you send us voluntarily by email. Your visit to this site does not result in any profiling, advertising, or data sharing with third parties. The scorecard at /scorecard runs entirely in your browser; your answers are never transmitted, stored, or shared. If you are signed in to the GovLoX platform at acme.govlox.ai, your browser also holds one authentication cookie scoped to .govlox.ai, which your browser sends on requests to govlox.ai because of the cookie's Domain attribute; this marketing site does not read or act on it. For the full technical specification of every storage entry used across our domains, see our Cookie Policy.

1. Who we are

This website is operated by Data Privacy Analytics, a consultancy registered in Geneva, Switzerland, trading as GovLoX.

Controller: Barry Cook, Data Privacy Analytics

Address: Geneva, Switzerland

Contact: privacy@dataprivacyanalytics.com

Role: Data Controller for this website

2. What data we collect and why

2.1 Server access logs

Like all web servers, our nginx server automatically records access logs when you visit this site. These logs contain your IP address, the page you requested, the date and time of the request, your browser type, and the referring page if applicable.

Data | Purpose | Legal basis | Retention
IP address | Security, abuse prevention, server diagnostics | Legitimate interest (Art. 6(1)(f) GDPR) | 14 days
Requested URL | Server diagnostics | Legitimate interest (Art. 6(1)(f) GDPR) | 14 days
Browser user agent | Server diagnostics | Legitimate interest (Art. 6(1)(f) GDPR) | 14 days
Timestamp | Server diagnostics | Legitimate interest (Art. 6(1)(f) GDPR) | 14 days

Server logs are not shared with third parties and are not used for profiling, advertising, or any purpose beyond security and diagnostics. After 14 days, logs are automatically deleted.

2.2 Email enquiries

If you contact us via the email addresses on this site, we will receive and store your email address and the content of your message. We use this solely to respond to your enquiry. We do not add you to any mailing list without your explicit consent. We do not share your enquiry details with third parties.

Legal basis: Legitimate interest in responding to your enquiry (Art. 6(1)(f) GDPR)

Retention: Email correspondence is retained for as long as necessary to manage the business relationship, typically no longer than 3 years from last contact.

2.3 What we do NOT collect

  • No cookies of any kind are set by this website
  • No analytics platform (Google Analytics, Plausible, Matomo, etc.) is used
  • No advertising networks or tracking pixels
  • No social media buttons or embeds that report back to third-party platforms
  • No browser fingerprinting or device identification
  • No Google Fonts API calls -- fonts are served from our own server

2.4 Scorecard at /scorecard

The EU AI Act Readiness Scorecard at /scorecard is a self-assessment tool that runs entirely in your browser. Your answers are not transmitted, stored, persisted, or shared - they exist only in your active browser tab and are lost on refresh, close, or navigation away. We do not log scorecard answers (no form submission occurs), do not run analytics on the page, and do not set cookies, localStorage, sessionStorage, or IndexedDB. The "Talk to us about your results" call-to-action opens a separate page on sovereign.govlox.ai (a GovLoX-operated booking system) in a new tab; no scorecard answers or scores are passed in the URL.

3. Hosting and infrastructure

This website is hosted on a dedicated virtual private server (VPS) located in a European data centre. All static assets including fonts and stylesheets are served from our own server. No content delivery network (CDN) or third-party hosting service is used that would result in your IP address being shared with a third party.

Our server infrastructure provider processes IP addresses as a technical necessity of hosting. Our hosting provider acts as a data processor under a data processing agreement. We will disclose the name of our hosting provider on request.

4. Your rights under GDPR

As a data subject under the GDPR, you have the following rights in relation to any personal data we hold about you:

Right of access (Art. 15)

Request a copy of the personal data we hold about you.

Right to rectification (Art. 16)

Request correction of inaccurate personal data.

Right to erasure (Art. 17)

Request deletion of your personal data where no legal basis for retention exists.

Right to restrict processing (Art. 18)

Request that we limit how we use your personal data.

Right to object (Art. 21)

Object to processing based on legitimate interest, including server log retention.

Right to data portability (Art. 20)

Receive your personal data in a structured, machine-readable format.

To exercise any of these rights, contact us at privacy@dataprivacyanalytics.com. We will respond within one month as required by Article 12 GDPR. There is no charge for making a request.

5. Supervisory authority and complaints

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority. As we are based in Switzerland, the relevant authority is:

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1, CH-3003 Bern, Switzerland

www.edoeb.admin.ch

If you are based in the EU, you may also lodge a complaint with the data protection authority in your country of residence.

6. Cookies and client-side storage

This marketing site (govlox.ai) sets no cookies of its own.

We have deliberately designed this static marketing site to set no cookies of any kind -- no session cookies, no functional cookies, no analytics cookies, and no advertising cookies. You can verify this using your browser's developer tools.

The GovLoX platform at acme.govlox.ai sets one strictly-necessary HTTP cookie (__Secure-authjs.session-token) when you sign in. Because the cookie's Domain attribute is scoped to .govlox.ai, your browser sends it on every request to govlox.ai, chat.govlox.ai, and any other govlox.ai subdomain while you are signed in. The cookie is HttpOnly, Secure, and SameSite=Lax; it is tied to your authenticated user session and is required to provide the platform service. This marketing site does not read or act on it.

The embedded GovLoX Chat widget (a separate service at chat.govlox.ai) uses one strictly-necessary sessionStorage entry after you accept its consent prompt, to avoid re-prompting you within the same browsing session. The entry is per-tab, contains no personal data, is never transmitted to our servers, and is cleared automatically when you close the tab.

The full technical specification for both storage entries is published in our Cookie Policy.

7. Changes to this notice

We may update this privacy notice from time to time. The date at the top of this page will reflect the date of the most recent revision. We will not notify you of changes by email unless those changes materially affect how we process your personal data and we hold your email address.

8. Contact us

For any privacy-related questions, requests, or concerns, contact our Data Protection Officer directly:

Barry Cook

Data Protection Officer, Data Privacy Analytics

Geneva, Switzerland

privacy@dataprivacyanalytics.com