Effective as of: July 9, 2025
This privacy policy applies to the website https://spectre-solutions.pro/, owned and operated by Castrum Labs d.o.o., Grošljeva ulica 6, 1000 Ljubljana, Slovenia (hereinafter referred to as the “Controller”).
This document informs you, in accordance with Regulation (EU) 2016/679 (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2), how we collect, use, store, and protect your personal data. This privacy policy applies to all users of the website and to customers of products/services provided by Castrum Labs d.o.o. It also covers data processed by Castrum Labs during contract execution, order fulfillment, and technical support provision.
This privacy policy applies to the use of the website and the services related to Castrum OS, although Castrum OS as a system does not store personal data or links to the user. All data within the OS is stored locally and is not processed on company servers. Castrum OS does not collect, record, or process any personal data of the Customer or users, except in cases where legal obligations require mandatory customer identification, as stated in the General Terms and Conditions. All personal data (if disclosed within messages, contacts, etc.) of the Customer is stored locally on the device and is not accessible to the Company or third parties.
- DATA CONTROLLER
Company name: Castrum Labs d.o.o.
Registered address: Grošljeva ulica 6, 1000 Ljubljana, Slovenia
Email: info@castrumlabs.xyz
- PURPOSE OF PERSONAL DATA PROCESSING
We collect and process your personal data exclusively for the following purposes:
- to respond to your message submitted via the contact form,
- to communicate regarding your inquiry,
- to improve website functionality (analytical cookies),
- to identify the customer in case of purchases over EUR 10,000 (in accordance with ZPPDFT-2),
- to process personal data of the legal representative of a legal entity when concluding a contract,
- to fulfill contractual obligations, as this constitutes a legal basis under Article 6(1)(b) of the GDPR,
- to manage warranty claims and provide technical support,
- to maintain accounting records (in accordance with ZDavP-2),
- to manage user accounts (if applicable),
- to process claims related to material defects or complaints.
- LEGAL BASIS FOR PROCESSING
We process your personal data based on:
- your explicit consent (Article 6(1)(a) GDPR),
- performance of a contract (Article 6(1)(b) GDPR),
- legitimate interest (Article 6(1)(f) GDPR),
- legal obligations (Article 6(1)(c) GDPR – ZPPDFT-2, ZDavP-2).
- DATA WE COLLECT
Through the contact form, we may collect the following data:
- Full name (if provided),
- Email address,
- Message content,
- IP address and submission time (automatically recorded for security purposes),
- Cryptographic transaction hash (for proof of payment without personal identification).
In cases where customer identification is legally required, we collect the following personal data:
- Full name,
- Address,
- Full name and address of the legal representative of a legal entity,
- Email address,
- Message content,
- IP address and submission time (automatically recorded for security purposes),
- Cryptographic transaction hash (for proof of payment without personal identification).
Other data:
- Delivery address (if the order is physically delivered),
- Order number/hash (if used for tracking),
- Possibility of collecting cryptographic metadata for transaction verification purposes.
- DATA PSEUDONYMIZATION
As part of its operations, the company enables the use of pseudonymized identifiers (e.g., cryptographic hashes), where the buyer’s personal identity is not directly known or disclosed. This primarily applies in cases where the buyer pays using cryptocurrency and the data is not linked to their identity, unless required by law (e.g., ZPPDFT-2). Pseudonymized data is treated as personal data only if it can be linked to an identifiable person through additional information, which Castrum Labs does not store alongside the identifiers.
When a pseudonymized purchase is made (e.g., via cryptocurrency without disclosing personal identity), and in accordance with the General Terms and Conditions, only the cryptographic identifier (hash) is stored.
Pseudonymization refers to processing personal data in such a way that it can no longer be directly associated with an individual without the use of additional, separately stored and properly secured information. Pseudonymization differs from anonymization, as re-identification could still be possible with additional data—which Castrum Labs does not retain. Therefore, such data is still considered personal data under the GDPR.
In the context of Castrum Labs operations, pseudonymization is applied in the following cases:
- When a purchase is made using cryptocurrency, and the buyer does not provide personal data, the transaction is recorded only via a cryptographic identifier (transaction hash), which alone does not enable identification of the individual.
- Customer support and communication can be conducted via encrypted channels without requiring personal identification. If the customer does not wish to disclose their identity, the Company allows handling of requests (e.g., technical support), as long as this does not exceed legal obligations (e.g., ZPPDFT-2).
Note: While pseudonymized purchases provide a high level of privacy, this approach is not legally anonymous, as in certain cases (e.g., transactions over EUR 10,000), the Company is legally required to identify the customer.
- DATA RETENTION
We retain personal data as follows:
- 1 year from the receipt of your message or until you withdraw your consent (for contact form inquiries),
- 10 years after contract fulfillment, if the data is part of a contractual relationship or tax-relevant records, in accordance with the Tax Procedure Act (ZDavP-2) and the Accounting Act (ZR),
- 5 years after the conclusion of a business relationship or transaction, in cases of customer identification under ZPPDFT-2 (including recorded data of the legal representative or beneficial owner of a legal entity).
After the retention periods expire, the data is securely and permanently deleted or anonymized, unless further storage is required due to legal proceedings or the controller’s legitimate interest (e.g., dispute resolution).
Data on transactions conducted in cryptocurrency is retained in pseudonymized form (hash), without any link to personal identifiers, except where required by law (e.g., for amounts exceeding EUR 10,000).
- DISCLOSURE OF DATA TO THIRD PARTIES
We do not share your data with third parties unless required by law or when processed by our contractual partners (e.g., website hosting providers), who are bound by a Data Processing Agreement (DPA) to protect your data. This includes payment processors (e.g., Stripe or crypto payment gateways), eSIM or VPN service providers when necessary to fulfill an order, all of whom are contractually obligated to ensure data protection under a personal data processing agreement.
- YOUR RIGHTS
In accordance with the GDPR, you have the following rights:
- The right to access your personal data,
- The right to rectify incorrect or incomplete data,
- The right to erasure (“right to be forgotten”),
- The right to restrict processing,
- The right to data portability,
- The right to object to processing,
- The right to lodge a complaint with the supervisory authority (Information Commissioner of the Republic of Slovenia).
Regardless of exercising the right to erasure (Article 17(1) GDPR), the Company may not delete certain personal data if continued storage is necessary to fulfill legal obligations or to assert legal claims, as outlined in Article 6 of this Policy.
To exercise your rights, contact us at: info@castrumlabs.xyz
A list of data processors is available upon request.
- DATA PROTECTION
Data is secured using modern technical and organizational measures, including:
- encrypted transmission (SSL),
- server protection, and
- restricted access to data.
The company regularly reviews its security policies, uses audit logs, and applies anonymization or pseudonymization where possible.
- DATA TRANSFER OUTSIDE THE EU
Your personal data is not transferred to countries outside the European Union or the European Economic Area, unless we use external services that comply with secure transfer frameworks (e.g., the EU-U.S. Data Privacy Framework).
- COOKIES
What are cookies?
Cookies are small text files that a website stores on your device. They are used to enhance the user experience, analyze website usage, and in some cases, for advertising purposes.
Which cookies may we use?
The following types of cookies may be used on our website:
- Strictly necessary cookies – enable core functionality of the website (e.g., session memory),
- Analytical cookies – collect anonymized data about website usage (e.g., Google Analytics),
- Functional cookies – remember your preferences (e.g., language selection),
- Marketing cookies – used to track users for displaying relevant advertisements.
Managing cookies
Upon your first visit to the site, you will be prompted to choose which cookies you allow. You can always delete cookies or change your settings in your browser.
- CONTACT AND SUPERVISORY AUTHORITY
If you believe that your data is not being handled in accordance with the law, you may contact:
Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana, T: +386 1 230 97 30, E: gp.ip@ip-rs.si, W: www.ip-rs.si
13. CHANGES TO THIS POLICY
We reserve the right to update this privacy policy at any time.
Last updated: July 10, 2025