Privacy Policy

The Joint Controllers ensure that all personal data collected is used to fulfill obligations towards users. This information will not be disclosed to third parties, except in situations where:

• the data subjects have given their prior explicit consent to such action, or
• the obligation to transfer this data results or will result from applicable law, e.g., to law enforcement authorities.

A User whose personal data is being processed has the rights set out below. Each right is subject to the limitations and exceptions provided by GDPR itself — most notably the exceptions to the right of erasure under Article 17(3) (e.g. where retention is necessary for compliance with a legal obligation such as the 5-year retention of accounting records under the Polish Accounting Act, or for the establishment, exercise or defence of legal claims) and the carve-outs to the right of objection under Article 21(6). Where we cannot fully fulfil a request, we will explain the legal basis for the limitation within the 30-day response period mandated by Article 12(3) GDPR.

Cookies are IT data, in particular text files, stored on users' end devices (usually on a computer hard drive or mobile device) used by the user's browser to save specific settings and data for the purpose of using websites. These files allow the user's device to be recognized and the website to be displayed appropriately, ensuring comfort during its use. The storage of cookies therefore enables the website and its offer to be tailored to the user's preferences - the server recognizes and remembers, among other things, preferences such as visits, clicks, and previous actions.

Cookie Usage by Website

The Joint Controllers operate several websites within the MTA Group. The complete, always up-to-date list of cookies set on this website (zerofluff.digital) — including each cookie's name, provider, purpose, category and retention period — is generated automatically by the Cookiebot Consent Management Platform and is shown in the "Cookie Declaration" section below. The same disclosure mechanism is mirrored on the other MTA Group websites (e.g. mta.digital, anchor.team) with each site's own Cookiebot configuration.

Because the list refreshes automatically as we add or remove third-party services, the figures below are always current; we do not maintain a static count.

Cookie Types and Purposes

By using the website available at https://mta.digital/ or https://zerofluff.digital/, you consent to the installation of so-called essential cookies on the end device of the person using the Website. Consent to the installation of necessary cookies is a prerequisite for using the Joint Controllers' website. With regard to other categories of cookies, the user has the option of consenting to their use by the Joint Controllers, which, however, is not a prerequisite for using the Joint Controllers' website. With regard to cookies other than essential cookies, consent is given through the web browser settings. If the User does not agree to the use of cookies other than those that are necessary, they should change their browser settings accordingly or opt out of using the Website (more information below). However, this will not prevent the use of the Joint Controllers' website.

The table below shows the types of cookies used by the websites https://mta.digital/ and https://zerofluff.digital/, along with additional information about the purpose of each cookie.

Cookie Declaration

The following table lists all cookies used on this website:

Cookie Information and Usage

The information stored in cookies on websites is used by the Joint Controllers, with the exception of files specified as "third-party cookies." Third-party cookies are cookies used and managed by external entities to provide services required by us to improve our services and the User's experience when browsing our website. The main services for which third-party cookies are used are obtaining access statistics.

As part of cookie technology, Joint Controllers may use tracking pixels or clear GIF files to collect information about how you use their services and your response to marketing messages sent by email.

Joint Controllers may use web log files (which contain technical data such as the user's IP address) to monitor traffic within their services, resolve technical problems, detect and prevent fraud, and enforce the provisions of the User Agreement.

The controller does not use any cross-site tracking technologies, and the personal data collected about each user is not sold or shared for the purpose of advertising based on the collection of multi-contextual behavior from different websites.

The Joint Controllers inform that the website does not respond to DNT (Do Not Track) signals, but the user can disable certain forms of online tracking, including some analytics and personalized advertising, by changing the cookie settings in their browser or using our cookie consent tools (if applicable).

Detailed information on changing cookie settings and deleting cookies yourself in the most popular web browsers is available in the help section of your web browser and on the following pages (just click on the link):

Detailed information on managing cookies on your cell phone or other mobile device should be available in the user manual for that mobile device.

7.1. Why we contact you

We conduct business-to-business outreach for Zero Fluff Digital — an accountability-first growth marketing agency specialising in incrementality measurement, creative testing systems, and paid-media operations for direct-to-consumer e-commerce and business-to-business companies. We reach out to companies whose profile suggests a potential fit with these services.

The legal basis for processing is our legitimate interest under Article 6(1)(f) of the GDPR — conducting business-to-business direct marketing. Recital 47 of the Regulation explicitly cites direct marketing as an example of such legitimate interest. A formal Legitimate Interests Assessment (LIA) is on file and reviewed periodically.

7.2. What data we process in outreach

We process exclusively business-related data necessary to conduct outreach:

• First name and last name, if available in public sources
• Business email address
• Job title or role within the company
• Company name
• LinkedIn profile URL, if obtained from a public profile
• Communication history with us, including message content and timestamps
• Public information about your company (website content, press mentions, podcast appearances)
• For website-related campaigns, technical data about your public website (SSL certificates from crt.sh public Certificate Transparency logs, Lighthouse performance scores)

7.3. Where outreach data comes from (GDPR Article 14 disclosure)

Under Article 14 of the GDPR — applicable where personal data is obtained from sources other than the data subject — we disclose below the categories of sources from which we may have aggregated the business contact data used for outreach. In our outreach emails, this aggregation is summarised by the phrase "I ran deep research on your domain". This Section 7.3 is the substantive Article 14 source disclosure that the email phrase refers to.

Data is obtained exclusively from publicly available business sources, optionally enriched and cross-referenced by AI research agents (Google Gemini Deep Research, OpenAI ChatGPT Deep Research, Anthropic Claude — all on Business / Workspace tiers with signed DPAs as listed in § 3):

• Company websites, including contact sections and team pages
• LinkedIn public professional profiles
• B2B databases and email finder waterfall tools: Apollo.io, Clay, FindyMail, Prospeo — all EU-US DPF compliant (see § 7.6)
• Public podcasts and conference materials, if you or your company participated
• Public technical registers — in particular crt.sh, an ETSI-standard Certificate Transparency log
• Public industry directories, including madewithlovable.com for Lovable-built websites
• AI research agents aggregating the above sources: Google Gemini Deep Research, OpenAI ChatGPT (Deep Research mode), Anthropic Claude. These agents may surface email addresses that they retrieved from any of the publicly indexed sources above, or from their integrations with the B2B databases in this list. The AI providers themselves are processors of any personal data we share with them — see § 3 "AI Productivity & Research Tools" for their DPA basis.

If you would like to know which specific combination of the above sources surfaced your contact details for a given outreach email, please contact [email protected] and we will provide a per-record response within 30 days as required by Article 12(3) GDPR.

7.4. How long we keep outreach data

• Active leads (people we are in correspondence with, or who have not yet responded) — kept up to 24 months from last contact
• After opt-out, data is marked as suppressed and retained solely to ensure you are never contacted again
• Upon explicit request, data is deleted earlier — within a maximum of 30 days

7.5. How to opt out

You can opt out of our outreach in three ways:

1. Reply to any of our emails with the word STOP or the phrase "not interested". You will be immediately excluded from all our campaigns.
2. Click the unsubscribe link in the footer of each email.
3. Send an email to [email protected] requesting data deletion.

Opt-out requests are processed without undue delay — typically immediately upon receipt and at the latest within the thirty (30) day period mandated by Article 12(3) GDPR. We use commercially reasonable efforts to ensure suppression propagates immediately across all our active marketing channels; in the rare case of technical limitations of third-party platforms, the request remains effective and is logged for follow-up. Suppression is permanent — once added to our suppression list, your contact details are retained solely to prevent re-contact, and not for any further processing.

7.6. Outreach-specific sub-processors

In addition to the sub-processors listed in § 3, the following operate within outreach activities:

International transfers to US-based sub-processors occur under the EU-US Data Privacy Framework — Commission adequacy decision of 10 July 2023 — and Standard Contractual Clauses included in the processor agreements.

7.7. Email tracking

Outbound outreach emails may contain open-tracking pixels — a standard practice for cold-email platforms. Tracking data is used solely for campaign performance statistics and is not combined with external behavioural profiles, nor used to build individual profiles of recipients.

7.8. Automated profiling and qualification (Article 22 GDPR)

For some outreach campaigns we run a Catalyst pipeline that performs automated analysis combining (a) public podcast or conference transcripts of company representatives, (b) public LinkedIn profile data, and (c) public company website content to score the likely fit of your company with our service offering.

This is automated qualification, not an automated decision producing legal effects within the meaning of Article 22(1) GDPR — the only operational outcome is whether we send you an outreach email at all. No contractual or financial consequence is attached to the qualification.

Nonetheless, you retain the rights set out in Article 22 GDPR and may at any time:

• request human intervention in the qualification,
• express your view on the outcome,
• contest the result.

Send such requests to [email protected]. We respond within 30 days as required by Article 12(3) GDPR.

7.9. Polish Prawo Komunikacji Elektronicznej (PKE 2024)

For recipients who are individual entrepreneurs registered in the Polish CEIDG (sole traders — jednoosobowa działalność gospodarcza, "JDG"), Article 398 of the Polish Prawo Komunikacji Elektronicznej (PKE, 2024) applies in addition to GDPR. We address this in three ways:

• We rely on the legitimate-interest basis under Article 6(1)(f) GDPR for the initial business-to-business contact, where the recipient's contact details have been published by the recipient themselves in a business-to-business context (company website, professional LinkedIn profile, public business directories).
• Outreach to JDG recipients carries an enhanced opt-out statement referencing Article 398 PKE explicitly, so that the recipient understands and can exercise the PKE-specific objection in addition to the general GDPR right of objection.
• Our Data Protection Officer reviews the JDG outreach log on a quarterly cadence. Any complaint relating to PKE is treated as a hard signal and triggers an immediate review of the outreach approach for this audience, up to and including suspension of JDG outreach.

Where prior consent is the more appropriate basis (e.g. recipients who have not made their contact details publicly available in a business-to-business context, or where the offered service is unrelated to the recipient's registered activity), we will obtain consent before sending.

7.10. Contact for outreach matters

• Outreach campaigns specifically: [email protected]
• General data-protection matters (covered by §§ 1–6): [email protected]