Privacy Policy - User First

1. Controller Information

This Privacy Policy is issued by User First SRL, a company incorporated under the laws of the Republic of Moldova, with its principal place of business in Chisinau, Republic of Moldova ("Company", "we", "us", or "our").

The Company operates under the trade name "User First". References to "User First LLC" in marketing materials refer to the same entity.

The Company is the data controller responsible for the processing of personal data described in this Privacy Policy. For all privacy-related inquiries, data subject requests, or complaints, the Company may be contacted at: [PRIVACY-EMAIL-PLACEHOLDER]

2. Scope and Application

This Privacy Policy governs the collection, use, storage, disclosure, and transfer of personal data obtained through the Company's website located at user-first.com (the "Website") and any associated services offered therein.

This Policy applies to all individuals who access or use the Website, including visitors, newsletter subscribers, demo requestees, and prospective clients ("Data Subjects").

3. Personal Data We Collect

The Company collects personal data through the following channels:

3.1 Newsletter Subscription Form

When a Data Subject subscribes to the Company's newsletter, the following data is collected: first name and email address.

3.2 Demo Stack Request Form

When a Data Subject requests access to the Demo Stack (a Figma design file), the following data is collected: first name and email address.

3.3 Project Brief Form (Typeform)

When a Data Subject elects to submit a project brief via the third-party platform Typeform, the following categories of data are collected: first name, email address, and information related to the Data Subject's Shopify store and design project requirements as specified in the form.

3.4 Automatically Collected Data

When a Data Subject visits the Website, the following technical data is automatically collected through cookies and similar tracking technologies: IP address, browser type and version, device type and operating system, pages visited and time spent on each page, referral source, and behavioral data including mouse movements, clicks, and scroll patterns (collected via Microsoft Clarity, as described in Section 7).

4. Purposes and Legal Bases for Processing

The Company processes personal data for the following purposes and on the following legal bases:

Sending the requested Demo Stack via email - Performance of a pre-contractual measure (GDPR Art. 6(1)(b)).

Sending newsletter communications - Consent (GDPR Art. 6(1)(a); CAN-SPAM Act).

Processing project brief submissions - Consent (GDPR Art. 6(1)(a)).

Website analytics and performance measurement - Legitimate interests (GDPR Art. 6(1)(f)).

Session recording and behavioral analysis - Legitimate interests (GDPR Art. 6(1)(f)).

Legal compliance and record keeping - Legal obligation (GDPR Art. 6(1)(c)).

Where processing is based on consent, the Data Subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent may be exercised as described in Section 9.

Where processing is based on legitimate interests, the Company has assessed that such interests are not overridden by the rights and freedoms of the Data Subject.

5. How We Use Personal Data

The Company uses collected personal data exclusively for the purposes identified in Section 4. The Company does not sell, rent, trade, or otherwise transfer personal data to third parties for their own marketing or commercial purposes.

6. Disclosure to Third Parties

The Company discloses personal data to the following categories of third-party processors strictly for the purposes identified in this Policy:

6.1 Mailchimp (The Rocket Science Group LLC, an Intuit company)

Personal data disclosed: first name and email address.

Purpose: management of newsletter subscriptions and delivery of email communications, including the Demo Stack delivery email.

Privacy Policy: mailchimp.com/legal/privacy.

6.2 Typeform S.L.

Personal data disclosed: first name, email address, and project brief information.

Purpose: collection and processing of project brief submissions.

Privacy Policy: typeform.com/help/a/typeform-privacy-policy.

6.3 Vercel Inc.

Personal data disclosed: IP address and technical data processed as part of website hosting.

Purpose: website hosting and content delivery.

Privacy Policy: vercel.com/legal/privacy-policy.

6.4 Google LLC (Google Analytics)

Personal data disclosed: anonymized usage data, IP address (truncated), and behavioral data.

Purpose: website traffic analysis and performance measurement.

Privacy Policy: policies.google.com/privacy.

6.5 Microsoft Corporation (Microsoft Clarity)

Personal data disclosed: session recordings including mouse movements, clicks, scroll behavior, and IP address.

Purpose: user experience analysis and website optimization.

Privacy Policy: privacy.microsoft.com/en-us/privacystatement.

The Company does not disclose personal data to any other third parties except where required by applicable law or court order.

7. Cookies and Tracking Technologies

The Website uses the following categories of cookies and tracking technologies:

Strictly Necessary Cookies: Required for the Website to function. Cannot be disabled.

Analytics Cookies (Google Analytics): Used to collect anonymized information about how visitors use the Website, including pages visited, time on site, and traffic sources. IP addresses are truncated prior to processing.

Behavioral Tracking (Microsoft Clarity): Used to record user sessions including mouse movements, clicks, and scrolling behavior for the purpose of identifying usability issues and improving the Website. Session recordings may contain information you type into forms. The Company has configured Clarity to mask sensitive input fields.

Upon implementation of the Company's cookie management system, Data Subjects will be provided with granular consent controls. Until such time, continued use of the Website constitutes acknowledgment of the use of cookies as described herein.

Data Subjects may disable cookies at any time through their browser settings. Disabling certain cookies may impair Website functionality.

8. International Data Transfers

The Company is based in the Republic of Moldova. Certain third-party processors identified in Section 6 are based in the United States. Transfers of personal data from the European Economic Area (EEA) or the United Kingdom to the United States are carried out pursuant to the following safeguards:

Mailchimp is certified under the EU-US Data Privacy Framework and incorporates Standard Contractual Clauses (SCCs) approved by the European Commission into its Data Processing Addendum.

Typeform incorporates Standard Contractual Clauses for international data transfers.

Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework.

Vercel Inc. incorporates Standard Contractual Clauses for international data transfers.

9. Data Retention

The Company retains personal data for no longer than necessary for the purposes for which it was collected:

Newsletter subscriber data is retained for the duration of the active subscription. Upon unsubscription, data is permanently deleted within 30 calendar days.

Demo Stack request data (name and email) is retained for a period of 12 months from the date of submission, after which it is permanently deleted.

Project brief data submitted via Typeform is retained for a period of 24 months from the date of submission for legitimate business record-keeping purposes, after which it is permanently deleted.

Automatically collected technical data is retained in accordance with the retention policies of the applicable third-party processor.

Upon receipt of a verified deletion request pursuant to Section 10, the Company will delete the relevant personal data within 30 calendar days, subject to any applicable legal retention obligations.

10. Data Subject Rights

10.1 Rights of EEA and UK Residents (GDPR / UK GDPR)

Data Subjects located in the EEA or UK have the following rights under the GDPR and UK GDPR:

Right of Access (Art. 15): the right to obtain confirmation of whether personal data concerning them is being processed and, if so, to receive a copy of such data.

Right to Rectification (Art. 16): the right to obtain correction of inaccurate personal data without undue delay.

Right to Erasure (Art. 17): the right to obtain deletion of personal data where one of the grounds set out in Art. 17(1) applies.

Right to Restriction of Processing (Art. 18): the right to obtain restriction of processing in the circumstances set out in Art. 18(1).

Right to Data Portability (Art. 20): the right to receive personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.

Right to Object (Art. 21): the right to object to processing based on legitimate interests.

Right to Withdraw Consent: where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint: the right to lodge a complaint with the competent supervisory authority in the Member State of habitual residence, place of work, or place of the alleged infringement.

10.2 Rights of California Residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Right to Know: the right to request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and the categories of third parties with whom it is shared.

Right to Delete: the right to request deletion of personal information collected, subject to applicable exceptions.

Right to Correct: the right to request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing: the Company does not sell or share personal information as defined under the CCPA.

Right to Non-Discrimination: the right not to receive discriminatory treatment for exercising CCPA rights.

10.3 How to Exercise Rights

To exercise any of the rights set out in this Section, Data Subjects must submit a written request to [PRIVACY-EMAIL-PLACEHOLDER]. The Company will verify the identity of the requestor prior to processing any request. Verification may require the Data Subject to confirm information previously provided to the Company. The Company will respond to all verified requests within 30 calendar days of receipt. Where requests are complex or numerous, this period may be extended by a further 60 days, in which case the Data Subject will be notified of the extension and the reasons therefor within the initial 30-day period.

11. Email Communications and Unsubscribe

All marketing and newsletter emails sent by the Company include a clearly visible unsubscribe mechanism in the email footer. Unsubscribe requests are processed within 10 business days in accordance with the requirements of the CAN-SPAM Act. Following unsubscription, the Data Subject will receive no further marketing communications from the Company.

12. Children's Privacy

The Website is not directed at individuals under the age of 13. The Company does not knowingly collect personal data from children under the age of 13. If the Company becomes aware that personal data has been collected from a child under the age of 13 without verifiable parental consent, such data will be deleted promptly. If a parent or guardian believes their child has provided personal data to the Company, they should contact us at [PRIVACY-EMAIL-PLACEHOLDER].

13. Data Security

The Company implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encrypted data transmission via HTTPS, and reliance on third-party processors who maintain industry-standard security certifications. However, no method of transmission over the internet or electronic storage is completely secure, and the Company cannot guarantee absolute security.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Moldova. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts of the Republic of Moldova, without prejudice to the rights of EEA and UK residents to bring proceedings before their local supervisory authorities.

15. Changes to This Policy

The Company reserves the right to amend this Privacy Policy at any time. Material changes will be indicated by an updated "Last Updated" date at the top of this page. Data Subjects are encouraged to review this Policy periodically. Continued use of the Website following the posting of changes constitutes acceptance of such changes. Where required by applicable law, the Company will provide prior notice of material changes.

16. Contact Information

All privacy-related requests, inquiries, and complaints should be directed to:

User First SRL

Chisinau, Republic of Moldova

Email: [PRIVACY-EMAIL-PLACEHOLDER]