Privacy policy

Privacy Policy

How montana labs LTD handles personal data in line with European data protection expectations for website visitors, prospects, clients, and business contacts.

Company
montana labs LTD
Registered address
Vasili Michaelidi 9, Limassol 3026, Cyprus
Effective date
2 April 2026
Last updated
2 April 2026

Controller and scope

This Privacy Policy explains how montana labs LTD acts as controller for personal data processed through this website, business inquiries, and related service communications. It applies when you contact us, browse our website, request information about our services, or otherwise interact with our business in a professional context.

Who this policy applies to

This policy is relevant to website visitors, prospective clients, existing clients, supplier contacts, professional contacts, and any other individuals whose personal data may be processed in the course of our business communications, marketing, contracting, delivery, support, and operational administration.

Categories of personal data

  • Identity and contact data such as name, work email address, company name, job title, and business contact details.
  • Inquiry and correspondence data, including the information you submit through contact forms, email, calls, meetings, or project discovery conversations.
  • Technical and usage data such as IP address, browser type, device information, pages visited, timestamps, and cookie-related data where applicable.
  • Contractual or project-related information shared during service discussions, onboarding, or active delivery relationships.

Sources of personal data

We may collect personal data directly from you, automatically through your use of the website, from your employer or organization where you engage with us on behalf of a business, or from publicly available business sources such as company websites, professional networking sites, or introductions relevant to legitimate business development.

Purposes of processing and legal bases

  • To respond to inquiries, schedule discussions, and communicate with you before a contract exists. Our legal basis is our legitimate interest in operating and growing our business, and in some cases taking steps at your request before entering into a contract.
  • To prepare proposals, scopes, statements of work, and client delivery plans. The legal basis is legitimate interests and, where relevant, performance of a contract or pre-contractual steps.
  • To manage client relationships, service delivery, billing, compliance, and record-keeping. The legal basis may include contract performance, legal obligation, and legitimate interests.
  • To maintain the security, availability, and performance of the website and related systems. The legal basis is legitimate interests in protecting our services and infrastructure.
  • To use non-essential cookies or analytics where required, based on your consent.

Legitimate interests

Where we rely on legitimate interests, those interests may include running and improving our business, answering inquiries efficiently, protecting our systems, documenting commercial communications, managing client and supplier relationships, preventing misuse of the website, and maintaining records needed for governance and continuity. We seek to do this in a way that respects the rights and expectations of the individuals concerned.

Sensitive or special category data

We do not intend to collect special category personal data through the website unless it is necessary and lawfully supported. If you voluntarily provide information of that nature, please avoid sharing more than is reasonably necessary until an appropriate legal and contractual framework is in place.

Recipients and processors

We may share personal data with carefully selected service providers who help us operate the website, hosting, analytics, communications, productivity tools, infrastructure, and business operations. Those providers act under appropriate contractual safeguards where they process personal data on our behalf. We may also disclose information where necessary to comply with applicable law, enforce our rights, or protect the security of our business and systems.

Examples of service-provider functions

  • Website hosting, CDN, DNS, domain, and infrastructure providers.
  • Business communication, email, scheduling, and productivity tools.
  • Analytics, logging, monitoring, and technical performance services.
  • Professional advisers, accountants, auditors, insurers, or legal advisers where required.

International transfers

Where personal data is transferred outside the European Economic Area, we aim to use appropriate safeguards required under the GDPR, such as adequacy decisions, contractual protections, or other lawful transfer mechanisms appropriate to the service involved.

Data minimisation

We aim to collect only the information that is reasonably necessary for the relevant purpose and to avoid holding data longer or more broadly than needed. Inquiries and project discussions should, wherever possible, avoid unnecessary personal data and confidential material until a more formal engagement framework exists.

Retention

We keep personal data only for as long as it is reasonably necessary for the purpose for which it was collected, including managing inquiries, documenting business communications, fulfilling contracts, complying with legal obligations, resolving disputes, and protecting our legitimate business interests. Retention periods may vary depending on the nature of the relationship and the information involved.

Retention approach in practice

  • Inquiry and prospect communications may be retained for a reasonable period to manage follow-up and assess business relevance.
  • Client and supplier records may be retained for the life of the relationship and for an additional period where needed for legal, tax, accounting, or contractual reasons.
  • Technical logs and analytics may be retained in line with security, debugging, and operational needs, subject to proportionality and applicable law.

Security

We take reasonable technical and organizational measures designed to protect personal data against unauthorized access, misuse, loss, alteration, or disclosure. However, no transmission or storage system can be guaranteed to be completely secure.

Automated decision-making

We do not intend to use solely automated decision-making that produces legal effects or similarly significant effects on individuals through this website. If that changes, we would update this policy and provide the legally required information where applicable.

Children

Our website and services are intended for business and professional audiences. We do not knowingly seek to collect personal data from children through the website. If you believe that a child has submitted personal data to us in error, please contact us so we can review and address the issue appropriately.

Your rights under the GDPR

  • Right of access to the personal data we hold about you.
  • Right to request rectification of inaccurate or incomplete personal data.
  • Right to request erasure in circumstances provided by law.
  • Right to request restriction of processing in certain cases.
  • Right to object to processing based on legitimate interests, including direct marketing where applicable.
  • Right to data portability where processing is based on consent or contract and carried out by automated means.
  • Right to withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

Exercising your rights

When you contact us to exercise your rights, we may ask for information necessary to verify your identity and understand the request. We may also need to clarify the scope of the request so we can respond accurately and lawfully. Certain rights are not absolute and may be limited where exemptions or conflicting legal obligations apply.

Complaints and contact

If you believe our processing of your personal data does not comply with applicable data protection law, you may lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus. You may also contact us first through our website or business contact channels so we can try to address the issue directly.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, services, website functionality, providers, or internal business practices. The latest version published on the website will apply from its effective date.