1. Who we are (Data Controller)
Shakvaro (“we”, “us”, “our”) is the controller of personal data described in this policy. We're an engineering studio based at Chattogram, Bangladesh.
- General contact: support@shakvaro.com
- Privacy & data-subject requests: privacy@shakvaro.com
- Site: https://shakvaro.com
2. EU & UK representative (Art. 27 GDPR)
Because we're established outside the EU and UK, we appoint representatives so EU and UK residents have a local point of contact for data-protection matters.
- EU representative: TBD, to be appointed (Art. 27 GDPR)
- UK representative: TBD, to be appointed (Art. 27 UK GDPR)
You may also contact your local supervisory authority directly (see Section 10).
3. What we collect
- Contact details you submit through our forms, name, email, optional phone, message.
- Project information you share with us during scoping, delivery, and support engagements.
- Technical data automatically captured by our hosting and analytics providers, IP address, browser, referrer, pages viewed, approximate location.
- Cookies & similar storage, only strictly necessary by default; analytics and other categories load only after your consent (see Section 8).
- Consent records, choices you make in our cookie banner are stored in a first-party cookie and logged on our server (event, choices, hashed IP, country, user-agent) for 3 years to satisfy our Art. 7(1) burden of proof.
For our software products and the CatchLume service we also collect:
- Account email you use to sign up for a product account.
- License key checks, when a plugin or theme validates a Pro license, we receive the key and the site domain making the request.
- Anonymous install IDs, a random identifier some plugins and extensions generate so we can count active installs and deliver updates, not tied to your identity.
- Server logs, standard request logs (IP, timestamp, endpoint, response) kept for security and debugging.
What we do not collect. Sidekick lead data stays inside your own browser and is never sent to us. CatchLume does not sell verification data, and it never shares email lists or results between accounts, your list is yours alone. We do not store payment card details (see Section 6).
4. Why we use it (purposes & legal bases, Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Reply to enquiries; deliver services you engage us for | Art. 6(1)(b), steps prior to a contract / contract performance |
| Optional analytics and session replay | Art. 6(1)(a), your consent (withdrawable at any time) |
| Provide product accounts and process orders via Paddle | Art. 6(1)(b), contract performance |
| Site security, anti-fraud, abuse prevention | Art. 6(1)(f), legitimate interests |
| Legal, accounting, and tax record-keeping | Art. 6(1)(c), legal obligation |
We do not sell personal data and do not use it for automated decisions that legally affect you.
5. Who else processes your data (Sub-processors)
We use a small set of vetted vendors to run the business. Each is bound by their own data-protection commitments (DPAs and Standard Contractual Clauses where applicable).
| Provider | Purpose | Location | Documents |
|---|---|---|---|
| Vercel Inc. | Website hosting, CDN, edge runtime, request logs, Sign in with Vercel | United States (global edge) | Privacy · DPA |
| Google LLC | Google Analytics 4, Google Workspace (email), Sign in with Google (One Tap) | United States | Privacy · DPA |
| LinkedIn Corporation | Sign in with LinkedIn (OIDC), identity capture for inquiries | United States | Privacy · DPA |
| Cal.com Inc. | Meeting scheduling and booking confirmations (EU-hosted via cal.eu) | European Union | Privacy · DPA |
| Microsoft Corporation | Microsoft Clarity (session replay & heatmaps) | United States | Privacy · DPA |
| Resend, Inc. | Transactional email delivery for contact form submissions | United States | Privacy · DPA |
| GitHub, Inc. | Source code hosting (no end-user personal data) | United States | Privacy · DPA |
| Paddle.com Market Ltd | Merchant of Record, payment processing, invoicing, tax, and refunds for paid plans | United Kingdom / United States | Privacy · DPA |
6. Payments (processed by Paddle)
Our order process is conducted by our online reseller Paddle.com, which acts as the Merchant of Record for all our orders. When you buy a plan, your payment details, such as card number and billing address, are collected and processed directly by Paddle under its own privacy policy. We never see or store your full card details. We receive only the information we need to fulfil the order, such as your email, plan, country, and the card brand or last digits for support. See Paddle's privacy policy for details. Refunds are handled per our Refund Policy.
7. International transfers
Our hosting and tooling vendors operate primarily in the United States and globally. Where we transfer EU/UK personal data outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by transfer impact assessments where appropriate. Bangladesh is not currently the subject of an EU adequacy decision.
8. Cookies & similar technologies
On your first visit you'll see a cookie banner. Until you make a choice, only strictly necessary cookies load and Google Consent Mode v2 signals all storage as denied. You can change your choices at any time using the “Cookie settings” link in the footer.
| Cookie | Provider | Category | Lifetime | Purpose |
|---|---|---|---|---|
| c15t-consent | Shakvaro | necessary | 1 year | Stores your cookie consent choices. |
| theme | Shakvaro | necessary | 1 year | Remembers your light/dark theme preference. |
| sk_session | Shakvaro | necessary | 30 days | Magic-link session for resource downloads. |
| _ga, _ga_* | Google LLC | measurement | 13 months | Google Analytics 4, distinguishes unique users. |
| _clck, _clsk, CLID | Microsoft | measurement | 1 year / session | Microsoft Clarity, session replay and heatmaps. |
| g_state | Google LLC | functionality | 1 year | Suppresses Google One Tap prompt after dismissal. |
We honour the Sec-GPC: 1 Global Privacy Control signal, when set, we treat marketing and analytics as denied unless you explicitly opt in.
9. How long we keep it
- Inquiry messages: 24 months from last interaction.
- Analytics data: 14 months (GA4 default), 13 months (Microsoft Clarity).
- Consent audit log: 3 years (Art. 7(1) GDPR burden of proof).
- Invoicing & contracts: 7 years (tax & accounting obligations).
10. Your rights
Under the GDPR / UK GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data (“right to be forgotten”, Art. 17).
- Restrict processing (Art. 18).
- Receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3)).
- Lodge a complaint with your supervisory authority, for example the ICO (UK), the CNIL (France), or the EDPB members list.
To exercise any of these rights, email us at privacy@shakvaro.com. We respond within 30 days (extendable to 90 for complex requests, with notice).
11. Security
We use TLS for transport, role-based access controls for stored data, encryption at rest at our hosting providers, and patched dependencies. We minimise exposure by collecting only what we need.
12. Children
Our services are aimed at businesses. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this policy
We'll update this page when our practices change and revise the date at the top. Material changes will be flagged in the cookie banner and, where we have your address on file, by email.
14. Contact
Questions about this policy? privacy@shakvaro.com , we'll get back within one business day.

