Privacy Policy

Last Updated: 10 June 2026

1. Introduction

Forci Web Consulting Ltd. ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website https://forci.com (the "Website").

We process your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

We are the data controller for personal data collected through this Website. Our full contact details are provided at the end of this policy.

3. Personal Data We Collect

A. Information you provide directly

Contact Data: Name, email address, phone number (when you fill out contact forms)
Communication Data: Messages and inquiries you send to us
Marketing Data: Your preferences for receiving marketing communications

B. Information collected automatically

Technical Data: IP address, browser type and version, time zone setting, operating system
Usage Data: Information about how you use our website, pages viewed, click patterns
Location Data: Approximate geographic location based on IP address

We do not collect special categories of personal data (e.g., health, racial origin, political opinions).

4. How We Use Your Personal Data

Purpose	Data Categories	Legal Basis	Retention Period
To respond to your inquiries	Contact, Communication	Legitimate interest / pre-contractual steps (Art. 6(1)(b) and (f) GDPR)	Up to 5 years from last contact (aligned with the limitation period for potential claims)
To send marketing communications	Contact, Marketing	Consent (Art. 6(1)(a) GDPR)	Until consent withdrawn
To analyze website performance	Technical, Usage	Legitimate interests (Art. 6(1)(f) GDPR) for the analysis itself; cookie storage/access requires consent in the EU/EEA/UK/CH	Per analytics provider policies
To optimize marketing & advertising	Technical, Usage, Marketing	Consent (Art. 6(1)(a) GDPR) via cookie banner	Per provider policies
To ensure website security	Technical	Legitimate interests (Art. 6(1)(f) GDPR)	6 months
To comply with legal obligations	All categories	Legal obligation (Art. 6(1)(c) GDPR)	As required by law

5. Analytics, Marketing and Third-Party Services

We may use various third-party services to enhance our website functionality and user experience:

Categories of Services

Analytics Tools

Purpose: Understanding website usage, traffic patterns, and user behavior
Types of data: Page views, session duration, traffic sources, anonymous usage statistics
Providers: Google Analytics and Mouseflow (session replay & heatmaps), and similar analytics platforms we may use

Session Replay & Heatmap Services

Provider: Mouseflow ApS
Purpose: Recording anonymized user sessions (mouse movements, clicks, scrolls, form interactions) to understand usability issues and improve site experience
Types of data: Mouse movements, clicks, scroll depth, page interactions, anonymized form inputs
Important: Mouseflow automatically masks sensitive fields (passwords, credit cards). No keystrokes in password fields are recorded.
Privacy Policy: https://mouseflow.com/legal/privacy-policy/

Marketing & Automation Platforms

Purpose: Lead management, email marketing, customer relationship management
Types of data: Contact information submitted via forms, interaction history
Providers: HubSpot and Kit (ConvertKit), and similar marketing platforms we may use

Advertising & Retargeting Services

Purpose: Displaying relevant ads, measuring ad effectiveness, remarketing
Types of data: Browsing behavior, conversion events, anonymized identifiers
Providers: Meta Pixel (Facebook/Instagram), LinkedIn Insight Tag
Meta Pixel: Tracks page views and conversion events to measure ad effectiveness and enable retargeting on Facebook and Instagram. Privacy Policy: https://www.facebook.com/privacy/policy/
LinkedIn Insight Tag: Tracks conversions, retargets website visitors, and provides demographic insights about site traffic. Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Visitor Identification Services

Purpose: Anonymous company identification to understand which businesses visit our website
Providers: Leadfeeder (Dealfront); RB2B (Retention.com) — person-level identification for US visitors only, excluded for EU/EEA visitors
Types of data: IP address, browsing behavior, company-level identification
Disclosure: When you visit our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout
GDPR Opt-Out: https://www.rb2b.com/rb2b-gdpr-opt-out

Outreach & Prospecting (LinkedIn and public professional sources)

Purpose: Identifying and contacting potential business clients (B2B outreach)
Types of data: Name, job title, employer, and publicly available professional profile information
Source: Collected from LinkedIn and other publicly available professional sources — i.e. not obtained directly from you (Art. 14 GDPR)
Transparency: The information required under Art. 14 GDPR is provided through this section and this Privacy Policy, which is publicly available and linked from our website and professional profiles; we provide it directly on request and honour objections immediately
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in business development and B2B outreach
Your rights: You may object at any time under Art. 21 GDPR by emailing [email protected]; on objection we stop processing your data for outreach

AI-Powered Services

Purpose: Enhanced customer support, content recommendations, service optimization, and lead prioritisation — we may use automated tools to analyse the inquiries and business-contact data you provide and help us assess and prioritise prospective engagements
Types of data: Interactions and queries, and contact/communication data you submit via our forms
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in assessing and prioritising business opportunities
Your rights: You may object to this profiling at any time under Art. 21 GDPR by emailing [email protected]

Note on AI Processing:

AI tools are configured with privacy-preserving settings, and we disable the use of your data for model training where that option is available
We do not take decisions producing legal or similarly significant effects about you based solely on automated processing (Art. 22 GDPR) — a person is always involved in any decision that affects you
We maintain human oversight of all AI-assisted interactions

6. Data Recipients and Sub-processors

We may share your data with:

Service Providers (Sub-processors)

Cloudflare, Inc. - Website security and performance
Google Cloud EMEA Ltd. - Email services (Google Workspace)
Hetzner Online GmbH - Website hosting (EU-based)
Analytics & marketing providers - e.g. Google Analytics, Mouseflow, HubSpot, Meta, LinkedIn, Leadfeeder, RB2B (US visitors only)
AI-assisted tooling providers - e.g. Anthropic, OpenAI, Cursor

All sub-processors are bound by data processing agreements or equivalent safeguards. The complete, current list (with roles and transfer mechanisms) is published below.

Full list available at: https://forci.com/trust/subprocessors

7. International Data Transfers

Some of our service providers are located outside the EEA (primarily in the United States). Where data is transferred there, we rely on appropriate safeguards (EU-U.S. Data Privacy Framework or Standard Contractual Clauses). The providers and their transfer mechanisms are listed at https://forci.com/trust/subprocessors.

Safeguards in place:

EU-U.S. Data Privacy Framework
Standard Contractual Clauses
Technical measures (encryption)

8. Your Rights

Under GDPR, you have the right to:

Access your personal data (Art. 15)
Rectify inaccurate data (Art. 16)
Erase your data (Art. 17)
Restrict processing (Art. 18)
Data portability (Art. 20)
Object to processing (Art. 21)
Withdraw consent at any time (Art. 7)

To exercise these rights, email: [email protected]

Response time: Within 30 days (may extend to 60 days for complex requests).

9. Data Security

We implement appropriate technical and organizational measures:

SSL/TLS encryption
Access controls
Regular security assessments
Employee training on data protection
Incident response procedures

10. Cookies

We use cookies to enhance your experience. See our Cookie Policy for details.

Our cookie consent approach varies by your location:

EU/EEA, UK, and Switzerland: All non-essential cookies require your explicit consent before activation. A cookie consent banner is displayed on your first visit.
United States (California): Cookies are activated by default. You may opt out of cookies used for advertising purposes via the "Do Not Sell or Share My Info" link in the website footer, in accordance with the California Consumer Privacy Act (CCPA/CPRA).
Other regions: Cookies are activated by default. You may manage your preferences via your browser settings.

Your approximate location is derived from your IP address via Cloudflare's geolocation headers. This is personal data, processed transiently to operate the website, apply the correct regional privacy controls, and display your approximate position relative to our office on an interactive map in our footer; we do not build or store a persistent geolocation profile from it.

10a. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to Know what personal information we collect, use, disclose, and sell or share
Right to Delete your personal information
Right to Opt Out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising
Right to Correct inaccurate personal information
Right to Limit Use of sensitive personal information (we do not collect sensitive personal information)
Right to Non-Discrimination for exercising your privacy rights

What we "sell" or "share": We share personal information (as defined under CCPA/CPRA) with advertising partners through tracking technologies for ad measurement and cross-context behavioral advertising. This includes:

Meta Pixel (Facebook/Instagram) — browsing behavior, conversion events
LinkedIn Insight Tag — page views, demographic insights
RB2B / Retention.com (US visitors only) — person-level visitor identification and associated contact data

How to opt out: Click the "Do Not Sell or Share My Info" link in the website footer. This will allow you to disable marketing cookies, which stops data sharing with advertising partners.

Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser sends a GPC signal, we treat it as a valid opt-out request for the sale or sharing of your personal information.

To exercise any other California privacy rights, email: [email protected]

We will respond to verifiable consumer requests within 45 days.

11. Children's Privacy

Our Website is not intended for children under 16. We do not knowingly collect personal data from children.

12. Complaints

You have the right to lodge a complaint with the supervisory authority:

Bulgarian Commission for Personal Data Protection (CPDP)

Website: https://www.cpdp.bg
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Email: [email protected]

13. Changes to This Policy

We may update this policy periodically. Changes will be posted here with an updated revision date.

14. Contact Information

Data Controller:
Forci Web Consulting Ltd.

UIC: 201682762
Address: Bulgaria, Sofia 1517, zh.k. Suhata reka, bl. 52, vh. G, et. 6, ap. 18
Email: [email protected]
Phone: +44 20 3823 6724 (UK) | +1 212 470 8464 (US)
Managing Director: Grigor Yosifov