Do Not Track Policy — Ctrl Alt Grow d.o.o. Effective Date: 2026-06-05 Policy URL: https://ctrlaltgrow.hr/.well-known/dnt-policy.txt Operator: Ctrl Alt Grow d.o.o., Šibenska 19, 21000 Split, Croatia OIB: 39423858334 Contact: info@ctrlaltgrow.hr Security contact: security@ctrlaltgrow.hr (RFC 9116, PGP clear-signed) This server commits to honoring the Do Not Track (DNT) preference signaled via the `DNT: 1` HTTP request header, AND the Global Privacy Control (GPC) preference signaled via the `Sec-GPC: 1` header. This commitment is part of a broader zero-tracking architecture declared via: - This DNT policy file (custom, EFF-DNT-Policy-2.0 inspired) - The GPC policy at https://ctrlaltgrow.hr/.well-known/gpc.json - The privacy policy at https://ctrlaltgrow.hr/privacy (HR) and https://ctrlaltgrow.hr/en/privacy (EN) ──────────────────────────────────────────────────────────────────────── 1. WHAT WE DO NOT DO We do not: - Set cookies for tracking, analytics, or advertising purposes - Use third-party analytics (Google Analytics, Plausible, Matomo, Mixpanel, Amplitude, Heap, or any equivalent service) - Load third-party scripts (advertising tags, social media pixels, fingerprinting libraries, A/B-testing widgets) - Share visitor data with advertising networks or data brokers - Build behavioral profiles or visitor segments - Implement device fingerprinting (canvas, WebGL, audio, font) - Use beacon, Fetch, or pixel calls for analytics - Operate retargeting or lookalike audiences 2. WHAT WE DO COLLECT (AND WHY) We process: - HTTP request metadata at the Cloudflare edge — IP address, User-Agent header, timestamp, requested URL, response status — for content delivery, DDoS protection, WAF, rate-limiting, and short-term operational diagnostics. This data is not used for tracking, profiling, or advertising. Retention per Cloudflare's own policy. - Cloudflare Network Error Logging (NEL) reports with `success_fraction: 0.0` — only network errors generate a report, never successful requests, with technical fields only (error type, IP, HTTP status). No user identifier, no cookies. - Contact form submissions (name, email, optional company, selected service, message text) delivered via the Gmail API to info@ctrlaltgrow.hr. Form data is not stored on our server — it transits the Pages Function and is delivered as email. 3. THIRD PARTIES (SUB-PROCESSORS) - Cloudflare, Inc. (United States) Role: edge delivery, DDoS protection, WAF, Pages Function runtime DPA: https://www.cloudflare.com/cloudflare-customer-dpa/ Sub-processors: https://www.cloudflare.com/gdpr/sub-processors/ EU transfer mechanism: Standard Contractual Clauses (Module 2, Commission Implementing Decision 2021/914) + EU-US Data Privacy Framework certification. - Google LLC (United States) Role: Gmail API for contact form email delivery; Google Workspace for info@, security@, tls-rpt@ inboxes. DPA: https://workspace.google.com/terms/dpa_terms.html EU transfer mechanism: Standard Contractual Clauses (Module 2) + EU-US Data Privacy Framework certification. 4. DURATION AND SIGNAL APPLICATION This policy applies uniformly to all visitors, regardless of whether the DNT or Sec-GPC header is present in the request. We do not alter behavior based on the signal because our default behavior already matches what these signals request. 5. REDRESS If you believe we have processed your personal data inconsistent with this policy or the linked privacy policy: - Email info@ctrlaltgrow.hr (general) or security@ctrlaltgrow.hr (security or privacy escalation, PGP clear-signed reply available) - File a complaint with the Croatian Personal Data Protection Agency (AZOP): https://azop.hr - File an EU-wide complaint under GDPR Article 77 with the supervisory authority of your habitual residence, workplace, or alleged infringement. 6. CHANGES Material changes to this policy: - Bump the Effective Date above - Bump `lastUpdate` in /.well-known/gpc.json - Append an entry to the version history of /privacy and /en/privacy - Are validated by scripts/check-gpc.mjs at every prebuild 7. VERSIONING This file is hand-authored and drift-validated by scripts/check-gpc.mjs at every prebuild. Drift between this file and the single source of truth (constants in the drift guard) fails the build. ──────────────────────────────────────────────────────────────────────── Signed: Ante Projić, CISO, Ctrl Alt Grow d.o.o. 2026-06-05, Split, Croatia