Privacy
Policy.

ZIGZAG Creative Factory (hereinafter "ZIGZAG", "we", "us", or "our") is the data controller responsible for processing your personal data as described in this Privacy Policy.

We are committed to ensuring that your privacy is protected in compliance with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — and applicable national data protection legislation of the Republic of Moldova.

We may collect and process the following categories of personal data, depending on how you interact with us:

• Identity data — your name, job title, and company name, provided when you contact us or submit a form.
• Contact data — your email address and phone number, provided directly by you through our contact form or email correspondence.
• Project data — details about your project, business challenge, or inquiry that you share with us voluntarily.
• Technical data — IP address, browser type, operating system, referring URL, and pages visited. This data is collected automatically when you visit our website.
• Usage data — information about how you interact with our website, including page views, time on page, and navigation paths.

We do not collect any special categories of personal data (such as data about race, ethnicity, religious beliefs, health, sexual orientation, or political opinions).

We use the personal data we collect for the following purposes:

• Responding to inquiries — to reply to your contact form submissions, emails, or phone calls and provide information about our services.
• Project delivery — to manage our business relationship, deliver services, and communicate about project progress.
• Website improvement — to analyze how visitors use our website so we can improve its content, structure, and performance.
• Legal compliance — to comply with legal obligations, resolve disputes, and enforce our agreements.
• Security — to detect and prevent fraud, abuse, or security incidents on our website and systems.

We will never use your data for automated decision-making or profiling that produces legal effects or similarly significant effects concerning you.

Under Article 6 of the GDPR, we process your personal data based on one or more of the following lawful bases:

• Consent (Art. 6(1)(a)) — when you voluntarily submit a contact form or subscribe to communications. You can withdraw consent at any time by contacting us.
• Contractual necessity (Art. 6(1)(b)) — when processing is necessary to perform a contract with you or to take pre-contractual steps at your request, such as preparing a project proposal.
• Legitimate interests (Art. 6(1)(f)) — when we have a legitimate business interest in processing your data (e.g., improving our website, ensuring security), provided this does not override your fundamental rights and freedoms.
• Legal obligation (Art. 6(1)(c)) — when processing is necessary to comply with a legal obligation to which ZIGZAG is subject, such as tax reporting or regulatory requirements.

We do not sell, rent, or trade your personal data to third parties. We may share your data only in the following limited circumstances:

• Service providers — trusted third-party providers who assist us with website hosting, email delivery, and analytics. These providers process data only on our behalf and under our instructions, subject to appropriate data processing agreements.
• Legal requirements — if required to do so by law, court order, or governmental authority.
• Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the business, with prior notification to you.

All third-party service providers are required to respect the security of your personal data and treat it in accordance with the GDPR.

ZIGZAG Creative Factory is based in Chisinau, Moldova. Some of our third-party service providers may process data in countries outside the European Economic Area (EEA).

When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

• Adequacy decisions — transfers to countries recognized by the European Commission as providing adequate data protection.
• Standard Contractual Clauses (SCCs) — EU-approved contractual clauses that ensure data is protected to the same standard as within the EEA.
• Additional safeguards — supplementary measures such as encryption, pseudonymization, and access controls where required by the circumstances of the transfer.

You may request details about the specific safeguards applied to any international transfer of your data by contacting us.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention practices are:

• Contact form submissions — retained for up to 12 months from the date of submission, unless a business relationship is established.
• Client project data — retained for the duration of the business relationship and up to 5 years thereafter, in accordance with applicable commercial and tax legislation.
• Website analytics data — aggregated and anonymized data may be retained indefinitely. Identifiable technical data (e.g., IP addresses) is retained for no longer than 26 months.
• Legal and compliance records — retained for the period required by applicable law (typically 5-10 years for financial records).

When personal data is no longer needed, we securely delete or anonymize it so that it can no longer be associated with you.

Under the GDPR, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at contact@zigzag.md.

We aim to respond to all legitimate requests within 30 days. If your request is particularly complex, we may extend this by a further two months, with notification. You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

Our website uses minimal tracking technologies. Here is what we use and why:

• Essential cookies — strictly necessary for the website to function correctly (e.g., security tokens, session identifiers). These do not require consent under GDPR.
• Analytics — we may use privacy-respecting analytics tools to understand how visitors interact with our site. When analytics are in use, data is aggregated and anonymized wherever possible.
• Third-party fonts — we load fonts from Google Fonts. Google may collect limited technical data (IP address) when fonts are requested. Refer to Google's Privacy Policy for details.

We do not use advertising cookies, social media tracking pixels, or retargeting technologies. We do not build user profiles for marketing purposes.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may affect website functionality.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make significant changes, we will update the "Effective date" at the top of this page.

We encourage you to review this policy periodically. Continued use of our website after changes are posted constitutes your acknowledgment of those changes.

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us: