Background pic
Privacy Policy

Black Silo Commodity Consulting Limited and Black Silo SRL

Effective date: 03.07.2026 · Version: 2.1 · Last reviewed: 03.07.2026

1. About this Policy

This Privacy Policy explains how Black Silo Commodity Consulting Limited (registered in Ireland at Annagharvey, Tullamore, Offaly, Ireland) and its Romanian subsidiary (together, "Black Silo," "we," "our," or "us") collect, use, and protect personal data when you use our website at https://black-silo.com (the "Site") and the subscription services made available through it (the "Service").

We take privacy seriously. This Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Irish Data Protection Act 2018, the Romanian Law no. 190/2018, the ePrivacy Directive (2002/58/EC) and its national transpositions, and applicable equivalents under UK GDPR and other laws where you may be located.

If you have questions about this Policy or wish to exercise your privacy rights, please contact us at [email protected].

2. Joint Controllers

Black Silo operates through two corporate entities that jointly determine the purposes and means of processing your personal data under Article 26 GDPR:

  • Black Silo Commodity Consulting Limited (Ireland) — our parent entity, responsible for product, technology, and Service delivery
  • Black Silo SRL (Romania) — our subsidiary, responsible for certain operational, commercial, and administrative functions

We have a written joint controllership arrangement in place that allocates responsibilities between us. The essential elements are:

  • The Irish entity acts as the primary point of contact for data subject requests and responds on behalf of both entities
  • The Irish Data Protection Commission ("DPC") is our lead supervisory authority
  • You may exercise your rights against either entity, but a single response will be provided

A summary of the joint controllership arrangement is available on request by writing to [email protected].

3. What Personal Data We Collect

We collect the following categories of personal data:

CategoryExamplesSource
Identity dataName, job title, company name, professional roleProvided by you at registration
Contact dataBusiness email address, telephone number, billing addressProvided by you at registration
Account credentialsUsername, password (hashed and salted; we never store passwords in plain text)Created by you
Usage and engagement dataReports viewed, time spent reading, scroll depth, features used, search queries within the ServiceCollected automatically as you use the Service
Technical dataIP address, browser type and version, operating system, device identifiers, approximate geographic location (derived from IP), session timestampsCollected automatically
Marketing preferencesSubscription, opt-in and opt-out choices, communication historyProvided by you and recorded by us
Billing and invoicing dataCompany VAT number, billing contact details, payment status, invoice historyProvided by you and recorded by us

We do not store credit card or bank account numbers. Where invoicing is required, payment is handled directly between your organisation and ours via bank transfer or other agreed method, not through the Site.

We do not collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) and ask that you do not provide any such data to us.

4. How We Use Your Personal Data and Our Legal Basis

We use your personal data only for the purposes set out below, each of which is supported by an appropriate legal basis under Article 6 GDPR.

PurposePersonal data usedLegal basis
Creating and administering your accountIdentity, contact, credentialsPerformance of a contract (Art. 6(1)(b))
Delivering the Service to youIdentity, contact, credentials, usage dataPerformance of a contract (Art. 6(1)(b))
Invoicing and processing paymentsIdentity, contact, billing dataPerformance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) — tax and accounting law
Customer support and dispute resolutionAll categories as relevantPerformance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))
Administrative communications (service updates, renewal notices, security alerts)Identity, contactPerformance of a contract (Art. 6(1)(b))
Marketing to existing and lapsed customersIdentity, contact, marketing preferencesLegitimate interest (Art. 6(1)(f)) and soft opt-in under the ePrivacy Directive
Marketing to prospects and new contactsIdentity, contact, marketing preferencesConsent (Art. 6(1)(a))
Website analytics via cookies (Google Analytics 4, HubSpot)Usage, technicalConsent (Art. 6(1)(a)) — collected via the cookie banner
Marketing and re-engagement via cookies (HubSpot)Usage, technical, marketing preferencesConsent (Art. 6(1)(a)) — collected via the cookie banner
Security, fraud prevention, and protecting our rightsTechnical, usageLegitimate interest (Art. 6(1)(f))
Complying with legal obligations (regulatory requests, court orders, tax record-keeping)As requiredLegal obligation (Art. 6(1)(c))
Establishing, exercising, or defending legal claimsAs relevantLegitimate interest (Art. 6(1)(f))
Anonymised statistical analysisAggregated/anonymisedNot personal data once anonymised

Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your interests, rights, or freedoms. You may request a summary of any such assessment.

Where we rely on consent, you are free to refuse and to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. How We Share Your Personal Data

We share personal data only as set out below.

5.1 Service providers and processors

We use carefully selected third-party providers to deliver the Service. They process personal data on our instructions, under written data processing agreements that comply with Article 28 GDPR. The categories of recipients are:

  • Cloud hosting providers — operating the infrastructure on which the Service runs
  • Email and marketing platform providers — sending transactional emails and (where you have consented) marketing communications
  • Customer relationship management (CRM) providers — managing customer records and engagement
  • Analytics providers — measuring usage and improving the Service (subject to your cookie consent)
  • Accounting and invoicing providers — supporting our finance function and statutory record-keeping
  • Professional advisors — auditors, accountants, and legal counsel acting as independent controllers under their own confidentiality obligations

A current list of our specific subprocessors is available on request at [email protected].

5.2 Group companies

Personal data is shared between Black Silo Commodity Consulting Limited and Black Silo SRL as joint controllers for the purposes set out in this Policy.

5.3 Legal disclosures

We may disclose personal data:

  • to comply with applicable law, regulation, court order, or other legal process
  • to respond to lawful requests by public authorities (including for national security or law enforcement purposes)
  • to enforce our agreements with you, including our Terms and Conditions
  • to protect the rights, property, or safety of Black Silo, our customers, or others
  • in connection with a corporate transaction (merger, acquisition, asset sale, restructuring), in which case continuity of this Policy will be required of the recipient

5.4 We do not sell personal data

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

6. International Transfers

Some of our service providers are based outside the European Economic Area ("EEA"), including in the United States. This means your personal data may be transferred to, stored in, or accessed from third countries.

Where this happens, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place:

  • EU-US Data Privacy Framework ("DPF") — for transfers to U.S. providers that are DPF-certified. This includes our analytics provider (Google LLC) and CRM/marketing provider (HubSpot, Inc.). The European Commission's adequacy decision of 10 July 2023 (Decision (EU) 2023/1795) provides the legal basis for these transfers.
  • Standard Contractual Clauses ("SCCs") — for transfers to providers that are not DPF-certified, we use the Commission's SCCs (Decision (EU) 2021/914) supplemented by additional safeguards where required.
  • Adequacy decisions — for transfers to countries the European Commission has determined to provide adequate protection (e.g. the United Kingdom).

You can obtain a copy of the safeguards applicable to any specific transfer by writing to [email protected].

7. Cookies and Similar Technologies

The Site uses cookies and similar technologies (including web beacons, pixels, local storage, and JavaScript tags). We classify them into four categories:

  • Strictly necessary — first-party cookies required to operate the Site (e.g. session management, authentication, security, recording your cookie consent choice, and language preference). These cannot be switched off.
  • Functional — first-party cookies enabling enhanced features such as remembering your interface preferences and settings.
  • Analytics — third-party cookies set by Google LLC (Google Analytics 4) and HubSpot, Inc., used to measure visitor numbers, traffic sources, engagement patterns, and page-level behaviour so we can improve the Site.
  • Marketing — third-party cookies set by HubSpot, Inc., used to link visitor activity to our marketing campaigns and CRM records and to support personalised re-engagement.

When you first visit the Site, our cookie banner offers three choices: Accept all, Reject all, or Customise (to select categories individually). Non-essential cookies are not set before you have given consent, except for the cookie that records your consent choice itself. You can change your choice at any time via the "Cookie settings" link in the footer of the Site.

Analytics and marketing cookies from Google LLC and HubSpot, Inc. involve transfers of personal data to the United States. Both providers are certified under the EU-US Data Privacy Framework (see section 6). Google Analytics 4 data is retained for up to 14 months; HubSpot cookie data is retained for up to 13 months.

The full details, including specific cookie names, retention periods, and provider links, are set out in our Cookie Policy.

8. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with the storage limitation principle of Article 5(1)(e) GDPR.

Data categoryRetention periodReason
Account profile (active subscribers)Duration of the subscription relationshipPerformance of the contract
Account profile (lapsed subscribers)24 months from subscription end, then deleted or anonymisedEnabling reactivation while complying with storage limitation
Marketing data (active and recently lapsed)Up to 18 months from subscription end, then suppressionSoft opt-in under the ePrivacy Directive
Records of consent and opt-outsIndefinitely (or until no longer required)Proof of consent under Article 7 GDPR
Invoicing and accounting records10 years from issueRomanian Accounting Law (Law no. 82/1991) and Irish Tax Consolidation Act 1997, applying the longer of the two
Records of disputes, claims, and significant correspondence6 years from resolutionIrish Statute of Limitations Act 1957
Server and security logs12 monthsSecurity and incident investigation
Usage analytics via Google Analytics 4 (identifiable)14 monthsGoogle Analytics 4 default retention
Usage and marketing cookies via HubSpot (identifiable)13 monthsHubSpot cookie default lifetime
Anonymised or aggregated dataIndefinitelyNo longer personal data

Where data is required to be retained for multiple purposes with different periods, the longer period applies. After expiry, data is securely deleted or fully anonymised.

9. Your Rights

Subject to the conditions set out in GDPR (and equivalent laws applicable to you), you have the following rights in relation to your personal data:

  • Right of access (Article 15) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data
  • Right to rectification (Article 16) — to have inaccurate data corrected and incomplete data completed
  • Right to erasure (Article 17) — to have your personal data deleted in certain circumstances
  • Right to restriction of processing (Article 18) — to limit how we use your data in certain circumstances
  • Right to data portability (Article 20) — to receive a copy of certain data in a structured, machine-readable format and to have it transmitted to another controller
  • Right to object (Article 21) — to object to processing based on legitimate interests, and to object at any time to processing for direct marketing
  • Right to withdraw consent (Article 7(3)) — where processing is based on consent
  • Right not to be subject to solely automated decisions (Article 22) — we do not currently make such decisions in relation to subscribers
  • Right to lodge a complaint with a supervisory authority (see section 12 below)

To exercise any of these rights, write to [email protected]. We will respond within one month of receipt, with the possibility of a two-month extension for complex requests (in which case we will inform you within the first month).

We do not charge a fee unless requests are manifestly unfounded or excessive.

We may need to verify your identity before responding to a request.

10. Direct Marketing and Re-Engagement of Lapsed Customers

If you are an existing or recently lapsed paying customer, we may send you limited marketing communications about our own similar products and services on the basis of legitimate interest and the "soft opt-in" exception under the ePrivacy Directive Article 13(2). This applies for up to 18 months from the end of your most recent subscription, after which marketing communications will cease automatically.

If you are not an existing customer, we will only send marketing communications with your prior consent.

Every marketing communication includes a one-click unsubscribe link. You may also opt out at any time by writing to [email protected].

11. Security

We implement appropriate technical and organisational measures designed to protect your personal data against unauthorised or unlawful access, accidental loss, alteration, or disclosure, including:

  • Encryption of data in transit (TLS) and at rest where appropriate
  • Strict access controls on a need-to-know basis
  • Authentication and access logging
  • Regular review of security practices
  • Vendor due diligence on processors
  • Incident response procedures, including notification to supervisory authorities and affected individuals where required under Articles 33 and 34 GDPR

No system is fully secure. If you suspect a security incident affecting your account, please contact us immediately.

12. Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:

Data Protection Commission (Ireland)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
www.dataprotection.ie

If you are located in Romania, you may also contact:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
www.dataprotectie.ro

If you are located elsewhere in the EU/EEA, you may contact your local data protection authority. A list is available at edpb.europa.eu.

13. Region-Specific Rights

13.1 United Kingdom

If you are located in the United Kingdom, your personal data is processed in accordance with the UK GDPR and the Data Protection Act 2018. Your rights mirror those set out in section 9. You may complain to the UK Information Commissioner's Office (ico.org.uk).

13.2 California, United States

If you are a California resident, the California Consumer Privacy Act ("CCPA") as amended by the CPRA may give you additional rights. These include the right to know what personal information we collect, to delete it, to correct it, to opt out of sale/sharing (we do not sell or share personal information for cross-context behavioural advertising), and to non-discrimination for exercising these rights. To exercise these rights, write to [email protected].

13.3 Other Jurisdictions

If applicable laws in your jurisdiction grant you specific rights, we will honour them to the extent required. Contact us at [email protected] to exercise such rights.

14. Children

The Service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take steps to delete it.

15. Third-Party Links

The Site may contain links to third-party websites. We are not responsible for their privacy practices, and this Policy does not apply to them. Please review the privacy notices of those sites before providing them with personal data.

16. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • For material changes (such as new processing purposes, new categories of recipients, or new international transfers), we will notify you in advance by email or through a prominent notice on the Site, and where the legal basis is consent, we will obtain fresh consent before the change takes effect.
  • For non-material changes (such as updates to contact details, clarifications, or formatting), we will publish the revised Policy on the Site with an updated "Effective date" above.

We do not treat continued use of the Service as automatic acceptance of material changes. We encourage you to review this Policy periodically.

17. Contact

For any questions, requests, or complaints about this Policy or our processing of your personal data:

Black Silo Commodity Consulting Limited
Annagharvey, Tullamore, Offaly, Ireland
Email: [email protected] (we recommend bookmarking this address for privacy-related communications)

We aim to respond to all privacy enquiries within 5 business days, and to formal data subject requests within the statutory one-month deadline.

This Privacy Policy is provided for informational purposes and does not constitute legal advice. Black Silo recommends that users seeking legal advice consult a qualified solicitor in their jurisdiction.

Background pic
Interested in learning more about our offerings?
Check
See how our offerings help your business in real-world scenarios
Check
Discuss your requirements and use cases
Check
Understand timelines, pricing, and next steps
Check
Get clear answers — no sales pressure
Please Fill Out the Form
First Name
Last Name
Business Email
Company
What Are You Interested In?
Your Message