Last updated: 2026-05-12.
Who we are
Corvalys is an AI strategy and implementation consultancy. This page describes what personal data we collect through our website and tools, why we collect it, the legal basis we rely on, and the rights you have under the EU General Data Protection Regulation (GDPR) and the ePrivacy directive.
What we collect, when, and why
Contact form submissions
When you fill in the contact form at /contact/, we store: name, optional company, email, optional phone, optional service of interest, optional timing, your message, and the consents you tick. Your submission IP and user-agent are also stored on the submission record for audit. Legal basis: GDPR Art. 6(1)(a), your explicit consent. Retention: indefinite for active commercial conversations; deleted on request.
Cookie-less analytics
When you accept the "Analytics" category in the cookie banner, we record one row per page-view in our own database. We do NOT store: your IP address, your full user-agent string, your email, or any device fingerprint. We DO store the following short-lived, hashed and minimised fields:
- visitor_hash: a 32-char SHA-256 derived from a daily-rotated salt + browser family + Accept-Language header + a /24 IP prefix. The salt rotates at midnight UTC and is never persisted across days, so re-identifying a visitor across two calendar days is impossible by design.
- session_hash: derived from visitor_hash + the current calendar hour. Resets every hour.
- page_path, page_title, locale
- referrer host + path (self-referrers stripped)
- utm_source / utm_medium / utm_campaign / utm_term / utm_content: only when present in the URL
- landing_path: the first page of your tab session
- device_class: one of: mobile, tablet, desktop, bot
- browser_family: one of: Chrome, Edge, Firefox, Safari, Opera, Other
- country_code: two-letter ISO code, only when our CDN passes the CF-IPCountry header; otherwise NULL
- visited_at, is_new_session, consent_analytics
We also log custom events you trigger by interacting with the site (e.g. clicking the "AI Assessment" button, submitting the contact form, opening Calendly). The event row stores: event name, optional value, page path, placement, and the same hourly session_hash. Nothing more.
Legal basis: GDPR Art. 6(1)(a). Your explicit consent (Analytics cookie category). Retention: 14 months. Rows older than that are auto-deleted by a daily cron. Minimisation rationale: No IP, no UA, no email = no individually-identifiable data per GDPR Art. 5; the hashes are deliberately one-way and short-lived.
Strictly-necessary technical cookies
WordPress login session, the cookie-consent record itself, and the language switcher cookie. No consent required (ePrivacy "strictly necessary" exemption).
Marketing cookies (off by default)
Calendly's booking widget loads only when you accept the "Marketing" category. Calendly is a US-based processor; their privacy policy is at https://calendly.com/privacy.
Your rights under GDPR
You can ask us, at any time and free of charge, for: access to your data (Art. 15), correction (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and withdrawal of consent (Art. 7). You can also lodge a complaint with your national supervisory authority.
To exercise any right relating to data we hold about you (contact submissions, future client records), email hello@corvalys.eu.
Delete my analytics data
Because we never store your IP, email or UA, we cannot match analytics rows to "you" by name. Only by the visitor_hash that was computed for you on the day(s) you visited. If you accepted analytics, the form below auto-fills your current visitor_hash from /wp-json/corvalys/v1/me. Note: the hash rotates daily (the salt is replaced at midnight UTC), so to erase older rows you must run the form on each day you visited, or contact us.
Contact
For any privacy question write to hello@corvalys.eu. Our internal Data Processing Record (Art. 30) is available to supervisory authorities on request.