Legal
Privacy Policy
How Segmio collects, uses, and protects your personal data, and the rights you have under GDPR, UK GDPR, CCPA/CPRA, LGPD, Quebec Law 25, the Australian Privacy Act, and the Swiss revFADP.
This Privacy Policy explains how we collect, use, share, retain, and protect personal data when you visit our Website or join our waitlist. It also describes the rights you have over your data and how to exercise them.
This Privacy Policy (“Policy”) applies to personal data collected by Segmio SRL (“Segmio”, “we”, “us”, “our”) - a company registered in Romania - from individuals (“you”, “your”) who interact with https://www.segmio.com (the “Website”) and our products and services (collectively, “Services”). By using the Website or submitting any form, you confirm that you have read this Policy.
Key highlights
- We never sell your personal data.
- Segmio is ad-free.
- We collect the minimum information needed to operate the Website and notify waitlist subscribers.
- Your data is protected with industry-standard security measures.
- You can ask us to access, correct, or delete your data at any time.
1. Who is the data controller
Segmio SRL is the data controller for personal data processed through the Website.
- Company: Segmio SRL
- Country of registration: Romania
- Contact for privacy matters: our contact form
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the supervisory authority for Segmio is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
2. Data we collect
We only collect what we need. The categories below cover everything that may reach our servers or our processors.
2.1 Information you provide
- Waitlist sign-up data: your email address, plus the values you set on our interactive sliders on the homepage (age, total assets, total debt, monthly income, monthly expenses, planned retirement age) and the scenarios you preview while exploring the page. The slider values are aggregated into derived figures (estimated net worth, monthly savings, financial-independence number) before being stored.
- Attribution context attached at sign-up: the page on which you first arrived in this browser session, the referring website (if any), and any UTM parameters present in the URL. We use this only to understand which entry points lead to sign-ups so we can improve our content and outreach. This information is held briefly in your browser’s session storage and is sent to us only if you submit the waitlist form.
- Contact form submissions: when you use our contact form, we collect your name, email address, subject, and message. We use this information only to read and reply to your inquiry. The form is protected by Cloudflare Turnstile, which checks for automated submissions before your message is sent.
- Direct communications: any information you include when you contact us through social channels.
You provide this information voluntarily. You can use the Website without creating an account or submitting any form, in which case only the automatic information described in section 2.2 is processed.
2.2 Information collected automatically
When you visit the Website, the following information may be collected by us or by our service providers:
- Technical data: IP address, device type, operating system, browser type and version, browser language, screen and viewport dimensions, and approximate location derived from IP.
- Usage data: pages visited, referrer URL, time spent on the page, sections scrolled into view, slider interactions, and other engagement signals related to the homepage experience.
- Marketing attribution: UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) when present in the URL.
We use Cloudflare Web Analytics for aggregate, cookieless measurement only - no identifiers, no cross-site tracking, no advertising. We do not use Google Analytics or any other tool that profiles individual visitors.
2.3 Information we do not collect
We do not knowingly collect special categories of personal data (such as health, biometric, racial, religious, political, or trade-union information). We do not collect government identification numbers, payment-card data, or social-media login credentials. Segmio is currently a pre-launch product and does not store financial account credentials, transaction histories, balances, or holdings.
3. How we use your data
We process personal data only for the following purposes:
- Operate the Website: serve pages, prevent abuse, debug errors, and keep the service available.
- Manage the waitlist: add you to our launch list, contact you about Segmio’s release, send you the projection you saved while interacting with the homepage, and follow up on questions you submit.
- Improve the product: analyze how visitors use the Website so we can improve copy, layout, and functionality.
- Security and fraud prevention: detect and address malicious activity, abuse, and policy violations.
- Legal compliance: meet our obligations under applicable laws, respond to lawful requests from public authorities, and defend our legal rights.
We do not use your personal data to make decisions that produce legal or similarly significant effects on you without human involvement (no automated decision-making within the meaning of GDPR Article 22).
4. Lawful bases for processing (EEA, UK, Switzerland)
Under the GDPR, the UK GDPR, and the Swiss revFADP, we rely on the following lawful bases:
- Consent (Art. 6(1)(a) GDPR): for adding you to our waitlist and sending you launch updates and product communications when you submit the sign-up form. You may withdraw consent at any time by clicking the unsubscribe link in any email we send or by contacting us.
- Performance of a contract (Art. 6(1)(b) GDPR): in the future, to deliver the Services you sign up for once Segmio launches.
- Legitimate interests (Art. 6(1)(f) GDPR): to keep the Website secure, prevent abuse (including anti-spam checks on our contact form), understand aggregate usage, improve the product, and respond to inquiries you send us via the contact form. We balance these interests against your rights and freedoms before relying on this basis.
- Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable laws (for example, tax, accounting, or responding to lawful requests from authorities).
Where we rely on legitimate interests, you have the right to object - see section 8.
5. Cookies and similar technologies
- We don’t use cookies for tracking, marketing, or analytics. Cloudflare Web Analytics is cookieless.
- Our hosting provider Cloudflare may set strictly-necessary first-party cookies (such as __cf_bm) for bot mitigation and abuse prevention. These are short-lived, do not identify you across sites, and are exempt from consent under ePrivacy Article 5(3).
- When you use our contact form, Cloudflare Turnstile loads a small script from challenges.cloudflare.com and may set strictly-necessary cookies (such as cf_chl_*) to verify that the submission is not automated. These are short-lived and exempt from consent under ePrivacy Article 5(3).
- We use your browser’s session storage to remember the page you first arrived on and any UTM parameters present in the URL, as described in section 2.1. This data lives only in your browser, is deleted when you close the tab, and is sent to us only if you submit the waitlist form.
6. Service providers and third parties
We share personal data only with carefully selected service providers acting on our instructions, and only to the extent necessary for the purposes set out above. We do not sell personal data, and we do not share it with third parties for their own marketing.
| Provider | Role | Data processed | Location |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting, CDN, edge functions, DDoS protection, cookieless aggregate analytics, anti-spam verification (Turnstile) | IP address (processed momentarily, not retained), request metadata, waitlist payload in transit, contact form submissions in transit | United States and global edge |
| Brevo (Sendinblue SAS) | Waitlist contact list, transactional email (including contact form notifications), marketing email | Email address, waitlist attributes (age band, asset/debt/income/expense values, derived figures, retirement age, scenario selections, which CTA was clicked, time on page, sections scrolled into view, slider interactions, landing page, referrer, UTM parameters, viewport dimensions, opt-in timestamp), contact form contents (name, email, subject, message) | European Union (France) |
We may also disclose personal data when we believe in good faith that disclosure is required to:
- Comply with a legal obligation, court order, or lawful government request.
- Protect our rights, property, or safety, or those of our users or others.
- Investigate, prevent, or take action against suspected fraud, security incidents, or violations of our terms.
- Complete a corporate transaction, such as a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor commitments made in this Policy and notify you before your data becomes subject to a different policy.
7. International data transfers
Some of our service providers are based outside the European Economic Area, the United Kingdom, or Switzerland. When we transfer personal data outside these regions, we use one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the UK Addendum and the Swiss-specific addendum where applicable.
- EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework for transfers to certified providers in the United States.
- Adequacy decisions issued by the European Commission, the UK Government, or the Swiss Federal Council, where applicable.
You can request a copy of the safeguards we rely on via our contact form.
8. Your privacy rights
The rights you have depend on where you live. You can exercise any of them via our contact form. We will respond within the timeframe required by applicable law (typically 30 days, extendable in limited cases). To protect your data, we may need to verify your identity before processing the request.
You will not be discriminated against for exercising any privacy right. Submitting an authorized agent request requires written authorization signed by you and verification of your identity.
8.1 Rights available to everyone
- Access to the personal data we hold about you and information about how we process it.
- Rectification of inaccurate or incomplete data.
- Erasure of your data (“right to be forgotten”) in the situations recognized by applicable law.
- Portability of data you provided to us, in a structured, commonly used, machine-readable format.
- Withdrawal of consent at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Opt-out of marketing communications by clicking the unsubscribe link in any email we send, or by emailing us.
8.2 Additional rights for residents of the EEA, the UK, and Switzerland (GDPR / UK GDPR / revFADP)
- Restriction of processing in the situations set out in Article 18 GDPR.
- Objection to processing based on legitimate interests or for direct marketing.
- Right not to be subject to automated decision-making that produces legal or similarly significant effects (Article 22 GDPR). We do not engage in such decision-making.
- Right to lodge a complaint with a supervisory authority - in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP, www.dataprotection.ro). You may also contact the authority in your country of residence or place of work.
8.3 Additional rights for residents of California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
- Delete personal information we have collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. We honor Global Privacy Control signals as opt-out requests.
- Limit the use of sensitive personal information. We do not use sensitive personal information beyond the purposes permitted by the CPRA without your consent.
- Non-discrimination for exercising your rights.
- Shine the Light (Cal. Civ. Code § 1798.83): request information about disclosures of personal information to third parties for their direct-marketing purposes. We do not make such disclosures.
You may submit a request through our contact form. We will verify your identity using the email address on file or other reasonable means.
8.4 Additional rights for residents of Brazil (LGPD)
You have the right to confirmation of processing, access, correction, anonymization or deletion, portability, information about public and private entities with which we share data, the right to withdraw consent, and the right to lodge a complaint with the Brazilian Data Protection Authority (ANPD).
8.5 Additional rights for residents of Quebec, Canada (Law 25)
You have the right to access and correct your personal information, withdraw consent, request portability, and be informed of any decision based exclusively on automated processing. We will provide information in clear and simple language, and we have appointed a person responsible for the protection of personal information who can be reached via our contact form.
8.6 Additional rights for residents of Australia (Privacy Act 1988)
You have the right to access and correct your personal information held by us, and to complain to the Office of the Australian Information Commissioner (OAIC, www.oaic.gov.au) if you are not satisfied with how we handle your data.
8.7 Other jurisdictions
If you reside in another jurisdiction with applicable privacy laws (for example, Japan’s APPI, South Korea’s PIPA, South Africa’s POPIA, India’s DPDP Act, Singapore’s PDPA, or US state laws such as Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, or Texas’s TDPSA), we extend equivalent rights of access, correction, deletion, portability, and objection to direct marketing on request.
9. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy:
- Waitlist data: until launch and for a reasonable period afterward to invite you to use Segmio, or until you ask to be removed - whichever comes first. After removal, we keep a minimal suppression record (email hash and opt-out date) to honor your unsubscribe request.
- Analytics data: Cloudflare Web Analytics retains aggregate, non-identifying data only. No user-level retention.
- Server and security logs: typically retained for up to 30 days, longer where required to investigate an incident or comply with legal obligations.
- Records needed for legal, tax, or accounting obligations: retained for the periods required by applicable law (in Romania, typically up to 10 years for accounting records).
When we no longer need personal data, we delete it or anonymize it so that it can no longer be associated with you.
10. Security
We implement technical and organizational measures designed to protect your data, including HTTPS encryption in transit, access controls, the principle of least privilege for staff and contractors, infrastructure hosted by reputable providers (Cloudflare, Brevo) with their own ISO/SOC certifications, and regular review of our processing activities.
No system is perfectly secure. While we work to protect your data, we cannot guarantee absolute security. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
11. Children’s privacy
The Website and Services are not directed to children. We do not knowingly collect personal data from anyone under the age of 16 (or the lower age threshold set by your local law, including 13 in the United States under COPPA). If you are under that age, please do not submit any information to us. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
12. Links to other sites
The Website may contain links to third-party sites that operate under their own privacy policies. We are not responsible for the practices of those sites. We encourage you to read their policies before submitting any information.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page. Material changes will be highlighted on the Website or, where appropriate, communicated by email. Continued use of the Website after changes take effect constitutes acceptance of the revised Policy.
14. Contact us
If you have questions, concerns, or requests regarding this Policy or our handling of your personal data, contact us at:
- Web: our contact form
- Postal: Segmio SRL, Romania