Privacy policy
Last updated: 4 February 2026
This privacy policy explains how First>thing (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our website and related services. We process your data in line with the EU General Data Protection Regulation (GDPR) and applicable national law.
1. What data we collect and why
We only collect data that is necessary for the purposes described below.
| Data | Purpose | Legal basis |
|---|---|---|
| Website usage | To understand how the site is used and to improve it. Used only when you have given cookie consent for analytics. | Your consent (Art. 6(1)(a) GDPR) |
| Contact / booking | To respond to your request, schedule a call (e.g. via Calendly), or send materials you asked for. | Consent or performance of contract (Art. 6(1)(a) or (b) GDPR) |
| Client data | To deliver advisory services (e.g. Snapshot, 90-day program, retainer), as set out in our proposal and contract. | Performance of contract (Art. 6(1)(b) GDPR); legitimate interest (Art. 6(1)(f) GDPR) where applicable |
| Technical and security | To ensure security and prevent abuse of our systems. | Legitimate interest (Art. 6(1)(f) GDPR) |
We do not sell your personal data. We do not use your data for automated decision-making or profiling that has legal or similarly significant effects.
2. How we collect data
- When you use the website: We use cookies and similar technologies (see section 5). With your consent, we use Google Tag Manager and Google Analytics (GA4) to analyse usage. You can change your choices at any time via .
- When you book a call or get in touch: If you use a Calendly (or similar) link or a contact form, the data you enter is processed by us and, where relevant, by the booking provider (Calendly). Their privacy policy applies: Calendly Privacy Policy.
- When you become a client: We process data necessary to perform the contract (proposals, reports, communications, materials you share), as described in our proposal and terms of service.
3. Who we share data with
We may share your data only with:
- Service providers that help us run the website and business (e.g. hosting, email, booking, analytics), under strict data-processing terms. These may include:
- Cookiebot (consent management): Cookiebot Privacy Policy
- Google (Tag Manager, Analytics, if you consented): Google Privacy Policy
- Calendly (scheduling): Calendly Privacy Policy
- Authorities when required by law (e.g. court order, regulatory request).
We do not share your data with third parties for their own marketing.
4. International transfers
Some of our service providers (e.g. Google, Calendly) may process data outside the European Economic Area (EEA). When we do so, we rely on an adequacy decision (e.g. EU–US Data Privacy Framework where applicable), Standard Contractual Clauses (SCCs) approved by the European Commission, or other mechanisms permitted under GDPR Chapter V. You can ask us for more detail on the safeguards we use for a specific transfer.
5. Cookies and similar technologies
We use cookies and similar technologies only as follows:
- Strictly necessary: Required for the site to function (e.g. security, load balancing). These do not require consent under EU ePrivacy rules.
- Analytics / marketing (only with your consent): We use Google Tag Manager and Google Analytics (GA4) to understand how visitors use our site. These run only after you have given consent via our cookie banner (managed by Cookiebot).
You can withdraw or change your consent at any time via the link in the footer. For more detail on the cookies we use, see our cookie notice or Cookiebot’s declaration.
6. How long we keep your data
| Purpose | Retention |
|---|---|
| Website analytics | As per our analytics configuration (e.g. up to 14 months for GA4); you can withdraw consent anytime. |
| Contact / booking (no contract) | Until your request is resolved, plus a short period for follow-up (e.g. 12–24 months), unless you ask for erasure earlier. |
| Client data (contract and deliverables) | For the duration of the contract and as required by law (e.g. tax, legal claims). Typically at least 6–7 years for business records where required by national law. |
| Security logs | As long as necessary for security (e.g. a few months), unless a longer period is required by law. |
After the retention period, we delete or anonymise your data.
7. Your rights under the GDPR
You have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | You can ask for a copy of the personal data we hold about you. |
| Rectification (Art. 16) | You can ask us to correct inaccurate or incomplete data. |
| Erasure (Art. 17) | You can ask us to delete your data in certain situations (e.g. no longer necessary, consent withdrawn). |
| Restriction (Art. 18) | You can ask us to limit how we use your data in certain situations. |
| Data portability (Art. 20) | Where we process your data by automated means on the basis of consent or contract, you can ask for your data in a structured, machine-readable format. |
| Object (Art. 21) | You can object to processing based on legitimate interest. We will stop unless we have overriding legitimate grounds. |
| Withdraw consent | Where we rely on your consent (e.g. cookies, optional contact), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Complain (Art. 77) | You have the right to lodge a complaint with a supervisory authority in your country (e.g. Slovak Office for Personal Data Protection if you are in Slovakia, or the authority of your EU/EEA country of residence or place of work). |
To exercise any of these rights, contact us at privacy@exceed.sk. We will respond within one month (or explain why an extension is needed). We may ask you to verify your identity.
8. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include secure hosting, access controls, and confidentiality obligations for anyone who processes data on our behalf.
9. Children
Our website and services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.
10. Changes to this policy
We may update this privacy policy from time to time (e.g. when we add new services or when the law changes). The “Last updated” date at the top will be revised when we do. We encourage you to review this page periodically. If we make changes that materially affect how we use your data, we will notify you where required by law (e.g. by email or a notice on the website).
11. Contact
For any question about this privacy policy or our use of your personal data:
Email: privacy@exceed.sk
Data controller: Alexander Ivan, Slovakia
For cookie preferences and to manage consent, use the link in the footer of our website.