We use cookies and analytics (Google Analytics and Microsoft Clarity, including session replay) to understand how visitors use our site and improve it. Tracking starts only if you accept.

Start a project
Legal · Sfida.PRO

Privacy Policy

How we collect, use and protect your personal data.
⚠ Draft pending legal review. This policy has been prepared for the agency’s dual-entity structure and is awaiting final sign-off by a qualified attorney before it becomes binding. Some entity registration details and processor specifics are still being confirmed.

Last updated: June 2026

Who we are

Sfida.PRO is operated by two legal entities. The data controller for your personal data is the entity you contract with, which depends on where you are based:

  • Clients in Albania: the controller is Elvis Plaku, sole proprietorship (person fizik), registered in Albania, NIPT L819040428I, Rr. Sulejman Pasha, Pall. 104, Apt. 14, Tirana.
  • Clients outside Albania (EU, USA and worldwide): the controller is Sfida Pro LLC, a limited liability company incorporated in the State of Wyoming, United States of America.

Both entities are under common ownership, operate under the Sfida.PRO brand, and apply the data-protection standards described here. The controller responsible for your data is also identified on your order confirmation and invoices. Our principal place of operations is Tirana and Durrës, Albania.

For any data-protection enquiry, email [email protected] with “DATA PROTECTION” in the subject line.

What data we collect

We collect personal data that you provide to us directly and data generated automatically when you use our website and services:

  • Contact & account data — your name, email, phone, company and the details you submit through our forms.
  • Project & service data — information you share so we can deliver a service (e.g. your website URL, hosting details, requirements).
  • Billing data — invoicing and payment records (processed through our invoicing system and payment providers).
  • Usage & technical data — IP address, browser, pages visited and analytics, collected via cookies and similar technologies (see our Cookie Policy).

How we use your data & our legal bases

We use your personal data to provide and manage our services, respond to your enquiries, send service communications, issue invoices, improve our website, and — where you have agreed — send you relevant updates. We rely on the following legal bases under the GDPR: performance of a contract, legitimate interests (running and improving our business in a way that does not override your rights), consent (e.g. marketing emails and non-essential cookies), and legal obligation (e.g. tax and accounting records).

Cookies & analytics

We use cookies and similar technologies for three purposes: essential site functionality, analytics, and (only where you opt in) marketing. Analytics and tracking technologies load only after you accept them through our cookie consent banner. You can decline, or change or withdraw your consent at any time through the banner; declining does not affect your ability to use the site.

When you consent to analytics cookies, we use the following platforms to understand how visitors find and use our website so we can improve it:

ToolProviderWhat it does
Google Analytics 4 (GA4)Google LLC (USA)Measures traffic, pages viewed, traffic sources and aggregated behaviour, to help us understand our audience and improve content.
Microsoft ClarityMicrosoft Corporation (USA)Heatmaps and session recordings that capture interactions such as clicks, scrolls, page navigation and mouse movement, to show how real visitors use the site. Text you type and sensitive fields are masked by default.
Google Tag ManagerGoogle LLC (USA)Loads the analytics tools above, only after you have given consent.

These providers are based in the United States, so consenting to these cookies may involve transferring limited usage data outside Albania and the EEA, under safeguards provided by those companies. We do not use this data to personally identify you, and we do not sell it.

You can review how each provider handles data and opt out here: Google Privacy Policy (and the Google Analytics opt-out) and the Microsoft Privacy Statement.

How long we keep your data

We only keep your personal data for as long as necessary for the purpose it was collected, or as required by law:

Type of dataRetention periodReason
Account & contact detailsDuration of the contract + 3 yearsContract administration & legal claims
Invoice & payment records7 years from the invoice dateTax, accounting & fiscalization obligations
Support & email correspondence3 years from the last interactionService quality & dispute resolution
Website analytics (GA4)14 monthsPerformance analysis
Server & security logs90 daysSecurity incident investigation
Backups of hosted client sites30 days after termination (or per plan)Service delivery & recovery
FluentCRM contact recordsActive relationship + 2 yearsClient communications

After the applicable period, we securely delete or anonymize your data.

When we process data on your behalf

When we provide services such as managed WordPress hosting, email hosting, FluentCRM management or digital marketing, we may process personal data belonging to your customers, users or subscribers on your behalf. In these situations you are the data controller and we are the data processor — we process that data only on your documented instructions. We do not use your clients’ personal data for our own purposes, sell it, or share it except as necessary to deliver the services. Where required, a Data Processing Agreement (DPA) governs this processing and is available on request at [email protected].

Your rights

Subject to applicable law, you have the right to access, correct, delete or restrict the processing of your personal data, to object to processing, to data portability, and to withdraw consent at any time. To exercise any of these rights, email [email protected].

Right to lodge a complaint

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority:

  • EU: your member-state data protection authority (list at edpb.europa.eu).
  • UK: the Information Commissioner’s Office (ico.org.uk).
  • Albania: the Information and Data Protection Commissioner (idp.al).

We would appreciate the chance to resolve your concern first, so please contact us before approaching a supervisory authority.

Data breaches

We use technical and organizational measures to protect your data. In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority without undue delay (within 72 hours where feasible, per GDPR Article 33) and notify you directly where the breach is likely to result in a high risk. If you believe your data may have been compromised, contact us immediately at [email protected].

Third-party services & processors

To deliver our services we work with trusted third-party processors, each subject to their own privacy policies and, where required, data processing agreements:

ProcessorPurpose
StripeCard payment processing
WiseBank-transfer payments
Google (GA4, Workspace)Analytics & email
Microsoft (Clarity)Website analytics & session replay (consent-based)
Amazon Web Services (SES)Transactional email delivery
HetznerEU hosting infrastructure
CloudflareDNS, CDN & security

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.

Changes to this policy

We may update this policy from time to time. The “last updated” date above reflects the latest version. Material changes will be communicated where appropriate.

Contact us

For any question about this policy or your personal data, contact us at [email protected] or via our contact page.

Scroll to Top