Privacy Policy

PRIVACY POLICY
Last updated: 23 December 2025
This Privacy Policy explains how [Company Name], a company incorporated under the laws of the Republic of Estonia (Company, we, us, our), collects, uses, stores, and protects personal data when you access or use our website and services (the Service).
This Privacy Policy forms an integral part of the Terms of Service.
We value transparency and data protection. This Policy is intended to clearly explain what personal data is processed, for what purposes, on what legal basis, how long it is retained, and what rights you have under applicable data protection laws.
This Policy is drafted in accordance with:
● Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
● the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus);
● Directive 2002/58/EC (ePrivacy Directive), where applicable;
● other applicable EU and Estonian civil and consumer protection laws.
1. Data Controller
The data controller responsible for processing your personal data is:
[Company Name]
Registration number: [хххх]
Registered address: [хххх], Republic of Estonia
Email: privacy@yourdomain.com
2. Categories of Personal Data We Process
We process only personal data that is necessary for providing the Service.
2.1 Identification & Contact Data
● email address;
● name or business name (if provided);
● account credentials.
2.2 Account & Order Data
● selected services and order details;
● payment status and transaction references;
● invoices and billing information.
The Company does not store full payment card details.
2.3 Communication Data
● messages submitted via contact forms;
● emails exchanged with customer support or legal teams.
2.4 Technical & Usage Data
● IP address (anonymized or truncated where possible);
● browser type, device type, operating system;
● access logs, timestamps, and interaction data (aggregated).
3. Purposes of Processing
Personal data is processed strictly for the following purposes:
● providing and performing ordered Services;
● managing user accounts and order history;
● processing payments and refunds;
● responding to inquiries and support requests;
● ensuring platform security, integrity, and fraud prevention;
● complying with legal, accounting, and regulatory obligations.
The Company does not use personal data for advertising profiling, behavioral targeting, or resale.
4. Privacy-by-Design & Data Minimization
The Company applies the principles of privacy-by-design and privacy-by-default in accordance with Article 25 GDPR.
Personal data is:
● collected only where strictly necessary;
● processed only for clearly defined and legitimate purposes;
● limited in scope, access, and retention period.
Where technically feasible, data is anonymized, aggregated, or pseudonymized to reduce privacy risks.
5. Legal Bases for Processing (GDPR)
Personal data is processed on the following legal bases:
● Article 6(1)(b) GDPR – performance of a contract;
● Article 6(1)(c) GDPR – compliance with legal obligations;
● Article 6(1)(f) GDPR – legitimate interests (security, fraud prevention, service stability);
● Article 6(1)(a) GDPR – consent, where required (e.g. analytics cookies).
6. Payments
Payments are processed via certified third-party payment service providers (PSPs).
The Company:
● does not store or process full payment card data;
● receives only limited transaction metadata necessary for accounting and support.
Payment providers process personal data in accordance with their own privacy policies and applicable financial regulations.
7. Data Sharing & Disclosure
Personal data may be shared only with:
● payment service providers;
● IT, hosting, infrastructure, and security providers;
● professional advisors (legal, accounting), where required;
● public authorities, where legally required.
All third parties are bound by confidentiality and data protection obligations.
The Company does not sell, rent, or trade personal data.
7.1 Sub-processors
The Company maintains a rigorous selection and assessment process for all sub-processors.
Each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures so that processing meets the requirements of the GDPR.
Sub-processors process personal data solely on documented instructions from the Company and only to the extent necessary to provide the Service.
8. International Data Transfers
Personal data is primarily processed within the European Economic Area (EEA).
Where personal data is transferred outside the EEA, including for technical infrastructure or cloud services, the Company ensures an adequate level of protection by relying on:
● the EU–U.S. Data Privacy Framework, where applicable; or
● Standard Contractual Clauses (SCCs) approved by the European Commission.
All transfers are subject to appropriate safeguards in accordance with Chapter V of the GDPR.
9. Data Retention
Personal data is retained only for as long as necessary:
● account and order data — for the duration of the contractual relationship and statutory retention periods;
● billing and tax data — as required by Estonian law;
● communications — as necessary to resolve inquiries or disputes;
● technical and security logs — in accordance with operational and legal requirements.
10. Data Security
The Company implements appropriate technical and organizational measures under Article 32 GDPR, including:
● encrypted connections and secure transmission protocols;
● access controls and role-based permissions;
● internal data minimization and segregation;
● monitoring for unauthorized access and misuse.
Security Transparency
All data transmissions are protected using TLS (Transport Layer Security) encryption.
Access to personal data, order information, and business briefs is strictly limited to authorized personnel on a need-to-know basis.
Internal controls ensure segregation of customer data within the production environment, preserving confidentiality of business strategies, briefs, and Deliverables.
11. Automated Decision-Making, Profiling & Right to Human Intervention
The Company does not use personal data for automated decision-making or profiling within the meaning of Article 22 GDPR.
While no automated decisions producing legal or similarly significant effects are made, the Company upholds the user’s right to human intervention.
All analytical reports, recommendations, and strategic Deliverables are reviewed, validated, and finalized by qualified expert personnel to ensure accuracy, contextual assessment, and professional accountability.
12. Personal Data Breach Handling
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the Company will notify:
● the relevant supervisory authority; and
● affected users, where required, in accordance with Articles 33 and 34 GDPR.
13. User Rights (GDPR)
You have the right to:
● access your personal data;
● request rectification or erasure;
● restrict or object to processing;
● request data portability (where applicable);
● withdraw consent (where processing is based on consent);
● lodge a complaint with a supervisory authority.
Requests may be submitted to:
privacy@yourdomain.com
14. Cookies & Tracking
Cookies are used strictly in accordance with the Cookies Policy.
Non-essential cookies are used only after obtaining your consent.
15. Third-Party Links
The Website may contain links to third-party websites.
The Company is not responsible for the privacy practices or content of such websites.
16. Children’s Privacy
The Service is not intended for individuals under the age of 16.
The Company does not knowingly process personal data of minors.
If such data is identified, it will be promptly deleted.
17. Changes to This Privacy Policy
The Company may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.
The latest version will always be available on the Website and becomes effective upon publication.
18. Supervisory Authority
You have the right to lodge a complaint with a competent supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
In Estonia, the competent supervisory authority is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Website: https://www.aki.ee
19. Contact
For privacy-related questions or requests, please contact:
📧 privacy@yourdomain.com