Black Silo Commodity Consulting Limited and Black Silo SRL
Effective date: 03.07.2026 · Version: 2.1 · Last reviewed: 03.07.2026
1. About this Policy
This Privacy Policy explains how Black Silo Commodity Consulting Limited (registered in Ireland at Annagharvey, Tullamore, Offaly, Ireland) and its Romanian subsidiary (together, "Black Silo," "we," "our," or "us") collect, use, and protect personal data when you use our website at https://black-silo.com (the "Site") and the subscription services made available through it (the "Service").
We take privacy seriously. This Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Irish Data Protection Act 2018, the Romanian Law no. 190/2018, the ePrivacy Directive (2002/58/EC) and its national transpositions, and applicable equivalents under UK GDPR and other laws where you may be located.
If you have questions about this Policy or wish to exercise your privacy rights, please contact us at [email protected].
2. Joint Controllers
Black Silo operates through two corporate entities that jointly determine the purposes and means of processing your personal data under Article 26 GDPR:
- Black Silo Commodity Consulting Limited (Ireland) — our parent entity, responsible for product, technology, and Service delivery
- Black Silo SRL (Romania) — our subsidiary, responsible for certain operational, commercial, and administrative functions
We have a written joint controllership arrangement in place that allocates responsibilities between us. The essential elements are:
- The Irish entity acts as the primary point of contact for data subject requests and responds on behalf of both entities
- The Irish Data Protection Commission ("DPC") is our lead supervisory authority
- You may exercise your rights against either entity, but a single response will be provided
A summary of the joint controllership arrangement is available on request by writing to [email protected].
3. What Personal Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity data | Name, job title, company name, professional role | Provided by you at registration |
| Contact data | Business email address, telephone number, billing address | Provided by you at registration |
| Account credentials | Username, password (hashed and salted; we never store passwords in plain text) | Created by you |
| Usage and engagement data | Reports viewed, time spent reading, scroll depth, features used, search queries within the Service | Collected automatically as you use the Service |
| Technical data | IP address, browser type and version, operating system, device identifiers, approximate geographic location (derived from IP), session timestamps | Collected automatically |
| Marketing preferences | Subscription, opt-in and opt-out choices, communication history | Provided by you and recorded by us |
| Billing and invoicing data | Company VAT number, billing contact details, payment status, invoice history | Provided by you and recorded by us |
We do not store credit card or bank account numbers. Where invoicing is required, payment is handled directly between your organisation and ours via bank transfer or other agreed method, not through the Site.
We do not collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) and ask that you do not provide any such data to us.
4. How We Use Your Personal Data and Our Legal Basis
We use your personal data only for the purposes set out below, each of which is supported by an appropriate legal basis under Article 6 GDPR.
| Purpose | Personal data used | Legal basis |
|---|---|---|
| Creating and administering your account | Identity, contact, credentials | Performance of a contract (Art. 6(1)(b)) |
| Delivering the Service to you | Identity, contact, credentials, usage data | Performance of a contract (Art. 6(1)(b)) |
| Invoicing and processing payments | Identity, contact, billing data | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) — tax and accounting law |
| Customer support and dispute resolution | All categories as relevant | Performance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) |
| Administrative communications (service updates, renewal notices, security alerts) | Identity, contact | Performance of a contract (Art. 6(1)(b)) |
| Marketing to existing and lapsed customers | Identity, contact, marketing preferences | Legitimate interest (Art. 6(1)(f)) and soft opt-in under the ePrivacy Directive |
| Marketing to prospects and new contacts | Identity, contact, marketing preferences | Consent (Art. 6(1)(a)) |
| Website analytics via cookies (Google Analytics 4, HubSpot) | Usage, technical | Consent (Art. 6(1)(a)) — collected via the cookie banner |
| Marketing and re-engagement via cookies (HubSpot) | Usage, technical, marketing preferences | Consent (Art. 6(1)(a)) — collected via the cookie banner |
| Security, fraud prevention, and protecting our rights | Technical, usage | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (regulatory requests, court orders, tax record-keeping) | As required | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | As relevant | Legitimate interest (Art. 6(1)(f)) |
| Anonymised statistical analysis | Aggregated/anonymised | Not personal data once anonymised |
Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your interests, rights, or freedoms. You may request a summary of any such assessment.
Where we rely on consent, you are free to refuse and to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. How We Share Your Personal Data
We share personal data only as set out below.
5.1 Service providers and processors
We use carefully selected third-party providers to deliver the Service. They process personal data on our instructions, under written data processing agreements that comply with Article 28 GDPR. The categories of recipients are:
- Cloud hosting providers — operating the infrastructure on which the Service runs
- Email and marketing platform providers — sending transactional emails and (where you have consented) marketing communications
- Customer relationship management (CRM) providers — managing customer records and engagement
- Analytics providers — measuring usage and improving the Service (subject to your cookie consent)
- Accounting and invoicing providers — supporting our finance function and statutory record-keeping
- Professional advisors — auditors, accountants, and legal counsel acting as independent controllers under their own confidentiality obligations
A current list of our specific subprocessors is available on request at [email protected].
5.2 Group companies
Personal data is shared between Black Silo Commodity Consulting Limited and Black Silo SRL as joint controllers for the purposes set out in this Policy.
5.3 Legal disclosures
We may disclose personal data:
- to comply with applicable law, regulation, court order, or other legal process
- to respond to lawful requests by public authorities (including for national security or law enforcement purposes)
- to enforce our agreements with you, including our Terms and Conditions
- to protect the rights, property, or safety of Black Silo, our customers, or others
- in connection with a corporate transaction (merger, acquisition, asset sale, restructuring), in which case continuity of this Policy will be required of the recipient
5.4 We do not sell personal data
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
6. International Transfers
Some of our service providers are based outside the European Economic Area ("EEA"), including in the United States. This means your personal data may be transferred to, stored in, or accessed from third countries.
Where this happens, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place:
- EU-US Data Privacy Framework ("DPF") — for transfers to U.S. providers that are DPF-certified. This includes our analytics provider (Google LLC) and CRM/marketing provider (HubSpot, Inc.). The European Commission's adequacy decision of 10 July 2023 (Decision (EU) 2023/1795) provides the legal basis for these transfers.
- Standard Contractual Clauses ("SCCs") — for transfers to providers that are not DPF-certified, we use the Commission's SCCs (Decision (EU) 2021/914) supplemented by additional safeguards where required.
- Adequacy decisions — for transfers to countries the European Commission has determined to provide adequate protection (e.g. the United Kingdom).
You can obtain a copy of the safeguards applicable to any specific transfer by writing to [email protected].
7. Cookies and Similar Technologies
The Site uses cookies and similar technologies (including web beacons, pixels, local storage, and JavaScript tags). We classify them into four categories:
- Strictly necessary — first-party cookies required to operate the Site (e.g. session management, authentication, security, recording your cookie consent choice, and language preference). These cannot be switched off.
- Functional — first-party cookies enabling enhanced features such as remembering your interface preferences and settings.
- Analytics — third-party cookies set by Google LLC (Google Analytics 4) and HubSpot, Inc., used to measure visitor numbers, traffic sources, engagement patterns, and page-level behaviour so we can improve the Site.
- Marketing — third-party cookies set by HubSpot, Inc., used to link visitor activity to our marketing campaigns and CRM records and to support personalised re-engagement.
When you first visit the Site, our cookie banner offers three choices: Accept all, Reject all, or Customise (to select categories individually). Non-essential cookies are not set before you have given consent, except for the cookie that records your consent choice itself. You can change your choice at any time via the "Cookie settings" link in the footer of the Site.
Analytics and marketing cookies from Google LLC and HubSpot, Inc. involve transfers of personal data to the United States. Both providers are certified under the EU-US Data Privacy Framework (see section 6). Google Analytics 4 data is retained for up to 14 months; HubSpot cookie data is retained for up to 13 months.
The full details, including specific cookie names, retention periods, and provider links, are set out in our Cookie Policy.
8. How Long We Keep Your Personal Data
We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with the storage limitation principle of Article 5(1)(e) GDPR.
| Data category | Retention period | Reason |
|---|---|---|
| Account profile (active subscribers) | Duration of the subscription relationship | Performance of the contract |
| Account profile (lapsed subscribers) | 24 months from subscription end, then deleted or anonymised | Enabling reactivation while complying with storage limitation |
| Marketing data (active and recently lapsed) | Up to 18 months from subscription end, then suppression | Soft opt-in under the ePrivacy Directive |
| Records of consent and opt-outs | Indefinitely (or until no longer required) | Proof of consent under Article 7 GDPR |
| Invoicing and accounting records | 10 years from issue | Romanian Accounting Law (Law no. 82/1991) and Irish Tax Consolidation Act 1997, applying the longer of the two |
| Records of disputes, claims, and significant correspondence | 6 years from resolution | Irish Statute of Limitations Act 1957 |
| Server and security logs | 12 months | Security and incident investigation |
| Usage analytics via Google Analytics 4 (identifiable) | 14 months | Google Analytics 4 default retention |
| Usage and marketing cookies via HubSpot (identifiable) | 13 months | HubSpot cookie default lifetime |
| Anonymised or aggregated data | Indefinitely | No longer personal data |
Where data is required to be retained for multiple purposes with different periods, the longer period applies. After expiry, data is securely deleted or fully anonymised.
9. Your Rights
Subject to the conditions set out in GDPR (and equivalent laws applicable to you), you have the following rights in relation to your personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data
- Right to rectification (Article 16) — to have inaccurate data corrected and incomplete data completed
- Right to erasure (Article 17) — to have your personal data deleted in certain circumstances
- Right to restriction of processing (Article 18) — to limit how we use your data in certain circumstances
- Right to data portability (Article 20) — to receive a copy of certain data in a structured, machine-readable format and to have it transmitted to another controller
- Right to object (Article 21) — to object to processing based on legitimate interests, and to object at any time to processing for direct marketing
- Right to withdraw consent (Article 7(3)) — where processing is based on consent
- Right not to be subject to solely automated decisions (Article 22) — we do not currently make such decisions in relation to subscribers
- Right to lodge a complaint with a supervisory authority (see section 12 below)
To exercise any of these rights, write to [email protected]. We will respond within one month of receipt, with the possibility of a two-month extension for complex requests (in which case we will inform you within the first month).
We do not charge a fee unless requests are manifestly unfounded or excessive.
We may need to verify your identity before responding to a request.
10. Direct Marketing and Re-Engagement of Lapsed Customers
If you are an existing or recently lapsed paying customer, we may send you limited marketing communications about our own similar products and services on the basis of legitimate interest and the "soft opt-in" exception under the ePrivacy Directive Article 13(2). This applies for up to 18 months from the end of your most recent subscription, after which marketing communications will cease automatically.
If you are not an existing customer, we will only send marketing communications with your prior consent.
Every marketing communication includes a one-click unsubscribe link. You may also opt out at any time by writing to [email protected].
11. Security
We implement appropriate technical and organisational measures designed to protect your personal data against unauthorised or unlawful access, accidental loss, alteration, or disclosure, including:
- Encryption of data in transit (TLS) and at rest where appropriate
- Strict access controls on a need-to-know basis
- Authentication and access logging
- Regular review of security practices
- Vendor due diligence on processors
- Incident response procedures, including notification to supervisory authorities and affected individuals where required under Articles 33 and 34 GDPR
No system is fully secure. If you suspect a security incident affecting your account, please contact us immediately.
12. Supervisory Authorities
You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:
Data Protection Commission (Ireland)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
www.dataprotection.ie
If you are located in Romania, you may also contact:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
www.dataprotectie.ro
If you are located elsewhere in the EU/EEA, you may contact your local data protection authority. A list is available at edpb.europa.eu.
13. Region-Specific Rights
13.1 United Kingdom
If you are located in the United Kingdom, your personal data is processed in accordance with the UK GDPR and the Data Protection Act 2018. Your rights mirror those set out in section 9. You may complain to the UK Information Commissioner's Office (ico.org.uk).
13.2 California, United States
If you are a California resident, the California Consumer Privacy Act ("CCPA") as amended by the CPRA may give you additional rights. These include the right to know what personal information we collect, to delete it, to correct it, to opt out of sale/sharing (we do not sell or share personal information for cross-context behavioural advertising), and to non-discrimination for exercising these rights. To exercise these rights, write to [email protected].
13.3 Other Jurisdictions
If applicable laws in your jurisdiction grant you specific rights, we will honour them to the extent required. Contact us at [email protected] to exercise such rights.
14. Children
The Service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take steps to delete it.
15. Third-Party Links
The Site may contain links to third-party websites. We are not responsible for their privacy practices, and this Policy does not apply to them. Please review the privacy notices of those sites before providing them with personal data.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- For material changes (such as new processing purposes, new categories of recipients, or new international transfers), we will notify you in advance by email or through a prominent notice on the Site, and where the legal basis is consent, we will obtain fresh consent before the change takes effect.
- For non-material changes (such as updates to contact details, clarifications, or formatting), we will publish the revised Policy on the Site with an updated "Effective date" above.
We do not treat continued use of the Service as automatic acceptance of material changes. We encourage you to review this Policy periodically.
17. Contact
For any questions, requests, or complaints about this Policy or our processing of your personal data:
Black Silo Commodity Consulting Limited
Annagharvey, Tullamore, Offaly, Ireland
Email: [email protected] (we recommend bookmarking this address for privacy-related communications)
We aim to respond to all privacy enquiries within 5 business days, and to formal data subject requests within the statutory one-month deadline.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Black Silo recommends that users seeking legal advice consult a qualified solicitor in their jurisdiction.