Skip to content

Privacy Policy

Information about personal data processing by Deratix s. r. o.

Privacy Policy

Effective date: 21 May 2026

Deratix s. r. o. ("we") cares about your privacy. This policy explains how we process data of deratix.sk visitors and Deratix application users.

Controller

Deratix s. r. o.
Štúrova 1359/12, 900 28 Ivanka pri Dunaji, Slovak Republic
Company ID: 57512833
Contact: support@deratix.com

1. What data do we collect?

Registration data: Company name, business ID, contact person, email, phone (legal basis: performance of contract).

Technical data: IP address, browser type, login logs (legal basis: legitimate interest).

Application data: Data you enter into the app (your clients, protocols) – we process as a processor on your behalf.

Contact form and demo request: Name, email, company (optional), message, language.

Newsletter: Email, language (double opt-in, legal basis: consent).

2. Where is data stored?

Your data is safe within the European Union.

  • Primary servers: Germany (Hetzner Online GmbH, Falkenstein/Nuremberg).
  • Backup servers: Germany (Frankfurt region), managed by S.C. SFTPCLOUD S.R.L. (AES-256 encrypted backups).

We do not transfer your data to third countries without appropriate safeguards.

3. Cookies

We use only cookies essential for the application:

  • wordpress_logged_in_* – user session identification,
  • wp-settings-* – user interface preferences.

Analytics cookies (Matomo, self-hosted on our EU server) are used only with your explicit consent via the cookie banner.

See Cookie Policy for details.

4. Purposes and legal bases

  • Responding to inquiries: legitimate interest.
  • Demo request: contractual necessity.
  • Newsletter: consent.
  • Website analytics (Matomo): consent.
  • Website security: legitimate interest.

5. SaaS service data processing

When you register for Deratix, we additionally process:

  • Registration data: name, email, password hash, company name, subdomain, language.
  • Purpose: account management (Art. 6(1)(b) GDPR).
  • Hosting: EU servers (Hetzner, Germany). No transfers outside EEA.
  • Retention: duration of contract + 30 days for export.
  • Export and deletion: support@deratix.com.

6. Recipients / processors

Website: Emailit, Acumbamail, Matomo (self-hosted EU), Google LLC (USA) – Google Analytics 4 (cookies _ga, _ga_*, raw data retention 14 months; only with consent), Google Fonts. Consent withdrawal is per-domain — for full withdrawal visit each domain separately.

SaaS sub-processors:

  • Hetzner Online GmbH (Germany) – hosting and database servers.
  • S.C. SFTPCLOUD S.R.L. (Romania) – encrypted backups in Germany (Frankfurt).
  • MechanicWeb, LLC (USA) – infrastructure management, access to German servers.
  • cPanel/Softaculous – server management.
  • Emailit – transactional emails from the application.
  • Google LLC (USA) – Google Calendar API (optional synchronization of planned interventions with your Google Calendar; activated only if you connect your Google account in Integrations). Details in section 7.

Full list in our Data Processing Agreement (DPA).

7. Google Calendar synchronization

If you decide to connect Deratix with your Google account, you can automatically synchronize planned pest-control interventions with your Google Calendar. This feature is optional and is activated only after you enable it in the application. We, Deratix s. r. o., operate this integration through our own verified application registered in Google Cloud Console (internal project identifier deratix-487210).

7.1 Limited Use commitment

When handling data obtained from Google APIs, we adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we comply with the three requirements as defined by Google:

  1. Limit use of data – we use data obtained from Google APIs only to provide or improve user-facing features that are prominent in the Deratix application user interface (specifically synchronization of planned interventions with your Google Calendar).
  2. No transfer of data to third parties, except where the transfer is:
    1. necessary to provide or improve user-facing features that are prominent in the application interface,
    2. in accordance with this Privacy Policy and with the specific user's consent,
    3. necessary for security purposes (e.g., investigating abuse),
    4. required by law or in connection with a merger, acquisition or sale of assets (with prior notice to users).
  3. No human access to data, except where:
    1. we have the specific user's explicit consent for the specific data,
    2. it is necessary for security purposes (e.g., investigating abuse),
    3. it is required by law,
    4. it is aggregated anonymized data used for internal operational purposes.

Any other transfers, uses, or sales of data obtained from Google APIs are prohibited – including any use for serving advertising, credit-worthiness assessment, or sale to third parties.

7.2 Permissions Google will request from you

When connecting your account, Google will request your consent for these two permissions:

  • https://www.googleapis.com/auth/calendar.events – create, update, and delete events in the Google Calendar you choose as the target. We also need this permission to remove events created by Deratix when you disconnect the account.
  • https://www.googleapis.com/auth/calendar.calendarlist.readonly – read the list of your Google Calendars so you can select the target calendar in Deratix settings.

7.3 What data from your Google account we store

We store:

  • a security key necessary to refresh the connection (so you don't need to log in for every synchronization);
  • the email address of your Google account's primary calendar – we display it in settings so you know which account is connected;
  • the list of your Google Calendars (name, identifier, access level) – so you can select the target calendar;
  • identifiers of events we created in your calendar – so we can update or remove them when a protocol changes or is cancelled.

We do not store:

  • the content of other events that you created in your Google Calendar outside of Deratix;
  • your Google password (authentication takes place exclusively via the OAuth 2.0 standard);
  • any other data from your Google account (contacts, emails, documents, photos, etc.).

7.4 Where access keys are stored

The security key for accessing your Google account is stored encrypted in the database of your dedicated Deratix instance in the EU (Germany). The encryption uses a modern standard with strong integrity protection; the encryption key is tied to your specific instance and Deratix has no direct server-level access to it.

The Google sign-in itself is processed through our central authorization endpoint at license.deratix.com, which keeps only a control fingerprint (cryptographic hash) of the access key bound to your license and domain – the key itself does not remain on the authorization endpoint. Customer instances are isolated from each other; you will never see other customers' data, and we do not access them.

7.5 What Deratix writes into your Google Calendar

Events created by Deratix contain: protocol number, client name, address of the intervention location, technician name, work type, protocol status, and optionally a note for the technician. These are your data – you are the controller of these data, Deratix is the processor under the DPA. They are not data we obtained from Google APIs.

7.6 Revoking access

You can revoke the Google Calendar connection at any time:

  • in the Deratix application under Integrations, on the Google Calendar card, by clicking the Disconnect button (optionally, by checking the relevant box before disconnecting, you can also remove the events that Deratix added to your calendar),
  • directly in Google at myaccount.google.com/permissions – where you can revoke the permission for the "Deratix" application.

When disconnecting in the Deratix application, we call the official Google revocation function and securely erase all stored access keys.

8. International transfers

Hosting is in the EU. MechanicWeb, LLC is a US company with access to servers in Germany – the relationship is covered by Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.

Google LLC (USA) is the recipient of two categories of data: (1) technical data for Google Analytics 4 (IP address anonymized at Google's level, user agent, page URL); (2) event content for Google Calendar API that you knowingly write into your Google Calendar through the optional integration (see section 7). In both cases, transfer to the USA is covered by Google LLC's certification under the EU‑U.S. Data Privacy Framework (adequacy decision of the European Commission No. 2023/1795 of 10 July 2023 under Art. 45 GDPR). As a fallback mechanism in case the DPF is invalidated, we also apply Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.

If any other transfer outside the EEA occurs, we will apply appropriate safeguards.

9. Retention

  • Contact inquiries: typically 12 months.
  • Newsletter: until unsubscribed.
  • Server logs: typically 6 months.
  • SaaS data: duration of contract + 30 days.
  • Google Calendar connection: until disconnected in the application or until permission is revoked in your Google account (see section 7.6); upon disconnection, access keys are erased immediately.

10. Your rights

Access, rectification, erasure, restriction, portability, objection, consent withdrawal. Complaints: Slovak data protection authority.

11. Contact

support@deratix.com

Cookie Policy