Legal
Digitalista ("Digitalista," "we," "us," or "our") operates the GTM Decision Engine, a web application that helps founders build go-to-market experiment plans based on their business context. The GTM Engine is accessible at digitalista-gtm-engine.onrender.com and digitalista.tech.
For the purposes of the EU General Data Protection Regulation (GDPR) and equivalent laws, Digitalista is the data controller responsible for your personal data.
You can reach us at any time using the contact information in Section 15 of this policy.
We collect personal data only when you actively provide it by using the GTM Engine. We do not use analytics, behavioural tracking, or third-party advertising on our platform.
| Category | Specific Data Points |
|---|---|
| Identity & Contact | First name, last name, email address |
| Business Information | Company website URL, product or service description, ideal customer profile (ICP), business stage, key competitors, primary business goals |
This data is submitted through the intake form when you use the GTM Engine to generate an experiment plan.
We collect minimal technical data as part of normal web server operations. This may include your IP address and browser type, retained briefly in server access logs for security and uptime purposes. We do not currently use cookies, pixel trackers, session replay, or analytics tools. See Section 8 for more detail.
We do not collect payment card details, government identification numbers, precise geolocation, biometric data, or any special categories of personal data as defined under GDPR Article 9.
We use the personal data we collect for the following specific purposes:
| Purpose | Data Used | Details |
|---|---|---|
| Generate your GTM plan | Business information you submitted | Your answers are passed to an AI language model (Anthropic's Claude) to produce a customised go-to-market experiment plan. |
| Deliver your plan by email | Name, email address, generated plan | We send you a transactional email containing your GTM plan via our email delivery partner, Resend. |
| Service communications | Name, email address | We may contact you about your submission if there is an issue with delivery or you request support. |
| Security and integrity | IP address, server logs | Brief retention for detecting abuse and maintaining platform uptime. |
| Legal compliance | As required | To comply with applicable law, respond to lawful government requests, or exercise or defend legal claims. |
We do not use your data for advertising, profiling, resale, or any purpose incompatible with those listed above.
If you are located in the EU, EEA, or United Kingdom, we are required under the GDPR (and UK GDPR) to identify a lawful basis for each processing activity. Our lawful bases are:
| Processing Activity | Lawful Basis | Explanation |
|---|---|---|
| Generating your GTM plan using AI | Contract (Art. 6(1)(b)) | Processing is necessary to perform the service you requested when you submitted the form. |
| Sending your GTM plan by email | Contract (Art. 6(1)(b)) | Delivering the output is the core fulfilment of the service you requested. |
| Service-related communications | Legitimate Interest (Art. 6(1)(f)) | We have a legitimate interest in communicating with you about your submission where reasonably expected, and this interest does not override your rights. |
| Security, fraud prevention, server logs | Legitimate Interest (Art. 6(1)(f)) | We have a legitimate interest in maintaining a secure and stable platform. |
| Legal compliance and claims | Legal Obligation (Art. 6(1)(c)) / Legitimate Interest (Art. 6(1)(f)) | Processing required to comply with law or to establish, exercise, or defend legal claims. |
Where we rely on Legitimate Interests, we have assessed that our interests are proportionate and do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 9.
Digitalista serves users globally. Our service providers — Resend, Anthropic, and Render — are based in the United States. If you access the GTM Engine from the EU, EEA, UK, or another jurisdiction with data-transfer restrictions, your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EU/EEA or UK to the United States, we rely on the following transfer mechanisms:
By using the GTM Engine, you acknowledge that your data may be processed in the United States and other countries where data protection laws may differ from those in your country of residence. We take steps to ensure your data receives a level of protection consistent with applicable law.
We retain your personal data only for as long as necessary for the purposes described in this policy.
| Data Category | Retention Period | Reason |
|---|---|---|
| Form submission data (name, email, business inputs) | Up to 12 months from submission | To enable follow-up, service improvements, and potential support requests |
| Generated GTM plans | Up to 12 months from generation | Same as above; linked to the submission record |
| Email delivery logs (via Resend) | Per Resend's retention policy (typically 30 days) | Email delivery confirmation and troubleshooting |
| Server access logs (IP address, request data) | Up to 30 days | Security monitoring and abuse prevention |
| Data retained for legal compliance | As required by applicable law | Legal obligation or legitimate interest in establishing/defending claims |
After the applicable retention period, data is deleted or anonymised so that it can no longer be attributed to an identified individual. You may request earlier deletion — see Section 9 (EU users) and Section 10 (California users).
If you are located in the European Union or European Economic Area (or the United Kingdom under UK GDPR), you have the following rights regarding your personal data:
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with information about how it is used.
You have the right to request correction of inaccurate personal data or completion of incomplete personal data we hold about you.
You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent (where consent was the basis), you object to processing and there are no overriding legitimate grounds, or the data has been unlawfully processed. This right may be limited by legal obligations requiring us to retain certain data.
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested.
Where we process your data on the basis of contract or consent and by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to request that we transmit that data directly to another controller where technically feasible.
You have the right to object, at any time, to processing of your personal data that is based on our legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. The AI-generated GTM plan is a tool to assist you, not an automated decision in the legal sense.
Where we process data on the basis of consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. In the EU, this is the data protection authority (DPA) in your country of residence or establishment. A full list of EU DPAs is available at the European Data Protection Board. UK residents may contact the Information Commissioner's Office (ICO).
Response time: We will respond to all verifiable data subject requests within 30 days of receipt. Where requests are complex or numerous, we may extend this by up to an additional 60 days and will notify you accordingly.
To exercise any of these rights, please contact us using the details in Section 15.
If you are a resident of California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information.
In the last 12 months, we have collected the following categories of personal information as defined by the CCPA:
We have not collected sensitive personal information as defined under CPRA (e.g., Social Security numbers, financial account details, precise geolocation, biometric data).
You (or an authorised agent acting on your behalf) may submit a request to exercise your California rights by emailing us at go@digitalista.tech with the subject line "California Privacy Request." We will acknowledge your request within 10 business days and respond within 45 calendar days (extendable by an additional 45 days with notice).
We will verify your identity before processing your request. For email-based verification, we will confirm the email address matches our records.
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
Digitalista does not sell personal data to third parties and never has. We do not disclose personal information to data brokers, advertising networks, or any third party in exchange for monetary or other valuable consideration. We do not share personal information for the purpose of cross-context behavioural advertising.
The only third-party disclosures we make are to service providers (Resend, Anthropic, Render) acting on our behalf, as described in Section 5. These are service provider relationships, not sales or sharing for advertising purposes.
Because we do not sell or share personal information, there is no opt-out necessary. However, if you have questions or want to confirm our practices, contact us at go@digitalista.tech.
We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These include:
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
The GTM Engine is intended for use by business founders and professionals. It is not directed to children under the age of 16 (or under 13 in the United States). We do not knowingly collect personal data from children under these ages.
If you believe we have inadvertently collected personal data from a child, please contact us immediately at go@digitalista.tech and we will promptly delete the data.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this policy periodically. Your continued use of the GTM Engine after changes become effective constitutes your acknowledgement of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
For GDPR-related enquiries, you may also contact us at the email above and include "GDPR Request" in the subject line. For California privacy requests, use the subject line "California Privacy Request."
If you are an EU/EEA resident and we do not resolve your concern to your satisfaction, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may contact the ICO.