Privacy Policy
Privacy Policy for "WIN-VPS.COM"
dated March 07, 2019
Last updated on December 01, 2025
This Privacy Policy (the "Privacy Policy") is an official document of VMachines & Servers OÜ (the "Contractor" or "Operator") and is an annex to, and forms an integral part of, the Paid Services Agreement (the "Agreement") concluded between VMachines & Servers OÜ and the Customer. VMachines & Servers OÜ acts as the Contractor under the Agreement and as the Operator of the "WIN-VPS.COM" website (the "Website").
This Privacy Policy describes how the Contractor collects, uses, stores, discloses and protects personal data (the "Personal Data") of natural persons (the "Data Subjects") who visit or use the Website, register an account, order or use the Services, or otherwise interact with the Contractor as Customers or as representatives, employees or other contacts of Business Customers within the meaning of the Agreement.
For Customers who qualify as Consumers under applicable law, this Privacy Policy is subject to mandatory consumer protection and data protection provisions of the European Union and the Republic of Estonia. Nothing in this Privacy Policy shall be construed as limiting or excluding any mandatory statutory rights of Consumers.
For the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the Contractor acts as the data controller in respect of the Personal Data processed in connection with the Website and the Services.
Capitalised terms used in this Privacy Policy have the meanings given to them in the Agreement and the Terms and Conditions, unless otherwise defined herein.
-
General Provisions
-
The collection, storage, use, disclosure and protection of Personal Data in connection with the Website and the Services are governed by:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR");
the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus) and the Estonian Personal Data Protection Implementation Act;
other applicable data protection laws of the European Union and the Republic of Estonia; and
this Privacy Policy and other official documents of the Contractor.
-
The Contractor is committed to protecting the privacy and security of Personal Data and has implemented appropriate technical and organisational measures to ensure compliance with the GDPR and other applicable data protection laws.
-
This Privacy Policy provides information required under Articles 13 and 14 of the GDPR about the processing of Personal Data by the Contractor. By visiting or using the Website, creating an account, contacting the Contractor, or ordering or using the Services, Data Subjects do not provide consent to the processing of their Personal Data; rather, the Contractor processes Personal Data on the legal bases described in Section 2 of this Privacy Policy.
Where the Contractor relies on the Data Subject's consent as a legal basis for specific processing activities (for example, for certain direct marketing communications), such consent is requested separately in a clear and specific manner and may be withdrawn at any time as described in this Privacy Policy.
-
The Contractor generally relies on the Personal Data provided directly by the Data Subject or the Customer and does not independently verify its accuracy by separate means, except where such verification is:
necessary for the performance of the Agreement or the provision of the Services;
required for compliance with applicable law, including anti-money laundering, counter-terrorist financing, fraud prevention, sanctions screening, tax or other regulatory requirements; or
carried out in accordance with the KYC Customer Verification Policy, this Privacy Policy, the Agreement or the Terms and Conditions.
Data Subjects and Customers are responsible for ensuring that the Personal Data they provide to the Contractor is accurate, complete and up to date, in accordance with Clause 4.2 of the Agreement. Data Subjects may request the correction or updating of their Personal Data and exercise other rights described in Section 8 ("Customer's rights regarding Personal Data") of this Privacy Policy.
-
Contact Details
The Contractor's contact details for questions, requests or complaints relating to this Privacy Policy or the processing of Personal Data are as follows:
Name: VMachines & Servers OÜ
Registry code: 14673197
VAT number: EE102152319
Registered address: Vesivärava tn 50-201, 10152 Tallinn, Estonia
Email:
Website: WIN-VPS.COM
Data Subjects may also submit requests through the Client Area ticket system (for registered Customers) or via other communication channels published on the Website.
-
-
Purposes and Legal Bases for Processing Personal Data
-
The Contractor processes Personal Data in connection with the Website and the Services for the purposes and on the legal bases set out in this Section 2. For each processing activity, the Contractor relies on one or more of the following legal bases under Article 6(1) of the GDPR:
Contract performance (Article 6(1)(b)): processing is necessary for the performance of the Agreement or to take steps at the Data Subject's request prior to entering into the Agreement;
Legal obligation (Article 6(1)(c)): processing is necessary to comply with a legal obligation to which the Contractor is subject, including tax, accounting, anti-money laundering, counter-terrorist financing and regulatory requirements;
Legitimate interests (Article 6(1)(f)): processing is necessary for the purposes of the legitimate interests pursued by the Contractor or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject;
Consent (Article 6(1)(a)): where the Data Subject has given consent to the processing for one or more specific purposes, such as direct marketing communications; and
Vital interests (Article 6(1)(d)): processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, in situations where the Data Subject is physically or legally incapable of giving consent.
-
The Contractor processes Personal Data for the following purposes:
Account management and service provision: to register and manage Customer accounts, to process Orders, to provide the Services, and to communicate with the Customer in connection with the performance of the Agreement (legal basis: contract performance);
Identity verification: to verify the identity of the Customer or their representatives in accordance with the KYC Customer Verification Policy, including for fraud prevention, anti-money laundering, counter-terrorist financing and sanctions screening purposes (legal bases: contract performance, legal obligation, legitimate interests);
Billing and payments: to calculate, invoice and collect fees for the Services, to process payments and refunds, and to manage debt collection where necessary (legal bases: contract performance, legal obligation, legitimate interests);
Customer support: to respond to enquiries, complaints and support requests submitted through the Client Area, email, live chat or other communication channels (legal bases: contract performance or legitimate interests, in particular for pre-contract enquiries or other communications not strictly required by the Agreement);
Security and fraud prevention: to detect, prevent and investigate fraud, abuse, security incidents and violations of the Agreement, the Terms and Conditions or applicable law, and to protect the Contractor's infrastructure, other Customers and third parties (legal basis: legitimate interests);
Legal compliance and enforcement: to comply with applicable laws and regulations, to respond to lawful requests from competent authorities, to establish, exercise or defend legal claims, and to enforce the Agreement and the Terms and Conditions (legal bases: legal obligation, legitimate interests);
Compliance with the TCO Regulation: to comply with Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online, including the retention of removed content and related data as required by Article 6 of the TCO Regulation (legal basis: legal obligation);
Service improvement and analytics: to analyse the use of the Website and the Services for the purposes of improving their quality, functionality and security (legal basis: legitimate interests, without prejudice to any consent requirements under applicable e-privacy laws); and
Marketing and promotional communications: to send marketing communications, newsletters, promotional offers and information about new services, where the Data Subject has given consent or where permitted by applicable law under the soft opt-in exception for existing Customers (legal bases: consent, or legitimate interests where permitted by law and subject to applicable e-privacy rules).
-
Where the Contractor relies on legitimate interests as a legal basis, the Contractor has carried out a balancing assessment to ensure that such interests are not overridden by the Data Subject's rights and freedoms. Data Subjects may request information about the Contractor's legitimate interests assessments by contacting the Contractor as described in Section 8 of this Privacy Policy.
-
The Data Subject is free to decide whether to provide certain Personal Data to the Contractor. However:
where Personal Data is required for the performance of the Agreement or to comply with a legal obligation, failure to provide such data may result in the Contractor being unable to enter into or perform the Agreement, or to provide certain Services; and
where Personal Data is requested on the basis of consent (for example, for certain direct marketing purposes), the Data Subject is free to refuse to provide such Personal Data or to withdraw consent at any time, without affecting the provision of the Services.
-
Where the Contractor relies on consent as the legal basis for processing, the Data Subject may withdraw such consent at any time by:
using the unsubscribe link in any marketing communication;
updating preferences in the Client Area; or
contacting the Contractor as described in Section 8 of this Privacy Policy.
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal of consent does not affect processing carried out on other legal bases (such as contract performance or legal obligation) and does not, by itself, terminate the Agreement or the Services.
-
The Contractor may disclose Personal Data to third parties where:
disclosure is necessary for the performance of the Agreement (for example, to payment service providers, data centre operators, KYC verification providers or other service providers engaged by the Contractor);
disclosure is required by applicable law or a binding order of a competent authority;
disclosure is necessary to establish, exercise or defend legal claims;
disclosure is necessary to protect the vital interests of the Data Subject or another person;
the Data Subject has given consent to such disclosure; or
disclosure is otherwise permitted under applicable data protection law.
The Contractor does not sell Personal Data to third parties. Further information on recipients of Personal Data is provided in Section 5 of this Privacy Policy.
-
The Contractor does not rely on consent as the legal basis for:
processing Personal Data that is necessary for the performance of the Agreement or the provision of the Services;
mandatory identity verification (KYC) required for the use of the Services, as described in the KYC Customer Verification Policy; or
processing required to comply with a legal obligation to which the Contractor is subject.
Such processing is carried out on the legal bases described in Clauses 2.1 and 2.2 of this Privacy Policy.
-
-
Amendments to this Privacy Policy
-
This Privacy Policy takes effect from the date of its publication on the Website (as indicated by the "Last updated" date at the top of this document) and remains in force until it is replaced by an updated version. Amendments to this Privacy Policy do not affect the lawfulness of any processing of Personal Data carried out on the basis of an earlier version of this Privacy Policy before the amendments took effect.
-
The current version of this Privacy Policy is publicly available on the Website and may be accessed free of charge by any visitor. Where reasonably practicable, the Contractor may retain previous versions of this Privacy Policy for accountability purposes.
-
The Contractor may amend, modify or update this Privacy Policy from time to time in accordance with Clause 2.11 of the Agreement. This includes, without limitation, amendments necessary to reflect:
changes in the Services or the Website;
changes in the categories of Personal Data processed, the purposes of processing, the legal bases or the categories of recipients;
changes in the Contractor's internal processes, security measures or third-party service providers; or
changes in applicable laws, regulatory requirements or guidance of supervisory authorities.
-
Material changes to this Privacy Policy that may adversely or significantly affect Customers in connection with the Services shall be notified to such Customers in advance in accordance with Clause 2.11.1 of the Agreement (including, where applicable, via the Client Area as a durable medium). For other Data Subjects who are not parties to the Agreement, the Contractor will take appropriate measures, as required by applicable data protection law, to inform them of material changes in a timely and transparent manner, for example by displaying a prominent notice on the Website before the changes take effect. In all cases, the "Last updated" date at the top of this Privacy Policy will be adjusted to reflect the effective date of the changes.
-
Where a proposed change relates to processing activities for which the Contractor relies on the Data Subject's consent as the legal basis, the Contractor shall request fresh consent from the relevant Data Subjects before such change takes effect, if required by applicable data protection law. The Contractor will not continue the specific processing operation that relies on consent in a materially changed form without obtaining such consent, without prejudice to any other lawful bases that may apply.
-
For changes that do not require consent, continued use of the Services by the Customer after the effective date of the amended Privacy Policy shall constitute acceptance of the amended Privacy Policy, in accordance with Clause 2.11.2 of the Agreement. This does not affect any requirement under applicable data protection law to obtain explicit consent where consent is the legal basis for processing.
-
Customers are advised to review this Privacy Policy periodically and in particular when receiving notices of intended changes. Customers who do not agree with an amended version of this Privacy Policy may exercise their rights in accordance with Clause 2.11.2 of the Agreement, including the right to terminate the affected Services before the changes take effect.
-
-
Categories of Personal Data
-
The Contractor obtains Personal Data directly from the Customer or other Data Subjects, for example when creating an account, ordering the Services, contacting the Contractor, or providing information required under the Agreement or applicable law. In some cases, providing certain Personal Data is necessary for the conclusion or performance of the Agreement or for compliance with legal obligations (for example, for billing, tax, accounting or anti-money laundering purposes). In other cases, the provision of Personal Data is optional and the Data Subject may choose whether to provide it. The legal bases on which the Contractor processes the categories of Personal Data listed in this Section are described in Section 2 of this Privacy Policy.
-
Basic identification and contact details of the Customer and, where applicable, their authorised representatives, required for registration, communication and billing, such as given name, surname, postal address, telephone number, email address and similar information.
-
Additional profile and communication details provided by the Customer on a voluntary basis, where reasonably necessary for communication with the Customer, for the performance of the Contractor's obligations under the Agreement or for improving the Services, such as preferred language, position or role within an organisation, alternative contact details or similar information. The Contractor applies the data minimisation principle and does not request additional Personal Data which is not relevant to the purposes described in this Privacy Policy or required by applicable law.
-
Account and Service-related information associated with the Customer's account on the Website, such as the Services ordered from the Contractor, domain name registration information, the IP addresses or other network resources assigned to the Customer, Customer identifiers, configuration and usage information relating to the Services, charges owed and payments made, and other information related to the Customer's account and the fulfilment of the Agreement.
-
Records of the Customer's communications with the Contractor, such as notes or recordings of telephone calls (where permitted by law and, where required, with appropriate notices), chat transcripts, emails, support tickets, letters and other records of interactions between the Customer and the Contractor.
-
Billing and payment information, such as information about the Customer's chosen payment method (for example, payment card type or partial card details for identification purposes, billing address, bank account number, tax or VAT numbers, details of payments made and payment status), as well as information received from payment service providers or financial institutions involved in processing the Customer's payments. The Contractor does not store full credit card numbers; payment card data is processed by third-party payment service providers in accordance with applicable payment card industry standards.
-
Information provided by the Customer or third parties when notifying the Contractor of a (suspected) breach of the Contractor's acceptable use policies, the Terms and Conditions or other terms of the Agreement, including any information about the circumstances of the incident and the parties involved, to the extent necessary to investigate and resolve the issue and to protect the Contractor's and third parties' rights and legitimate interests.
-
Documents and information that certify the identity of the Customer or their authorised representatives, including copies or photographs of government-issued identification documents and proof of address documents (with non-essential numbers or codes redacted where reasonably possible), where such documents are required under the Agreement, the KYC Customer Verification Policy or applicable anti-money laundering, counter-terrorist financing, tax or other regulatory requirements.
-
Identity verification photographs, including photographs of the Customer (or their representative) holding a handwritten statement and an identification document, used solely for manual visual comparison and identity verification in accordance with the KYC Customer Verification Policy. Such photographs are not processed using automated facial recognition technology, are not used to create biometric templates and are not treated as biometric data within the meaning of Article 9 of the GDPR.
-
-
Other information about Customers and other Data Subjects processed by the Contractor.
-
Standard technical and usage data automatically received by the server and other systems when a user accesses and uses the Website or the Services, and during subsequent actions. This includes data such as the features of the Website or Services used, the web pages visited, the time spent on pages, search queries, and data about the user's devices and network, including IP addresses, device identifiers, operating system, browser type and version, regional and language settings and similar technical information. Such data may be collected in server logs and other technical logs for the purposes described in this Privacy Policy (including security, fraud prevention, diagnostics and analytics).
-
Data automatically obtained by means of cookies and similar technologies when a user accesses the Website. Cookies are small text files that are stored on the user's device by the user's browser while browsing. The Contractor uses:
-
Essential cookies. These cookies are necessary to make the Website work and to enable basic functions such as page navigation, secure login, shopping cart functionality and access to secure areas of the Website. The Website cannot function properly without these cookies and they are used without requiring the user's consent, based on the Contractor's legitimate interests or the necessity to provide the requested service.
-
Preference and performance cookies. These cookies are used, where permitted by applicable law and, where required, with the user's consent, to remember choices made by the user and to provide enhanced, more personalised features and a better user experience. For example, these cookies can be used to remember the status of a shopping cart, previously visited pages, or the user's preferred language or region.
-
Analytics cookies. The Website may use web analytics services (for example, Google Analytics or similar tools), which place cookies on the user's device to help distinguish between different visitors and to analyse how the Website is used (such as the date and time of visits, the number of times a user has visited the Website, the pages visited and the referring website). Where required by applicable law, these cookies are only placed and used with the user's prior consent. More detailed information on the use of such tools can be found on the websites of the respective providers and, where applicable, in the Contractor's cookie notices.
-
Marketing cookies. The Contractor may use advertising and marketing services from search engines, ad networks and social media platforms, which can place cookies or similar technologies on the user's device to serve ads based on the user's prior visits to the Website or interactions with the Contractor's content. These cookies are used only where the user has given consent in accordance with applicable law. More information on the use of cookies by these services can be found in their respective privacy and cookie policies.
-
Social media cookies. Social media providers may place cookies through the Website in order to enable social media features (for example, social media buttons or embedded content). These cookies are set only where the user chooses to activate the relevant social media features and, where required by law, provides consent. The Contractor does not control these social media services and is not responsible for their use of cookies. Users are encouraged to consult the privacy and cookie policies of the relevant social media providers for more information.
Users can view and manage cookies through the privacy and security settings in their browser and, where available, through the Contractor's cookie banner or preference centre. Users may also use browser add-ons, extensions or ad-blockers to control cookies and similar technologies. Please note that if the use of certain cookies is refused or disabled, some features of the Website or the Services may not function properly. Non-essential cookies (including analytics, marketing and social media cookies) are not used without the user's consent where such consent is required by applicable law, and users may withdraw their consent at any time as described in this Privacy Policy.
-
-
Data obtained as a result of actions of the Customer or other users on the Website or in the Client Area, for example, when submitting forms, updating account details, changing Service configurations or managing domain names.
-
Data obtained as a result of actions of other users on the Website or in the Services, where such actions relate to the Customer or another Data Subject (for example, when another user submits a complaint, abuse report or ticket that includes information about the Customer or another Data Subject).
-
Data which is required to identify and authenticate the Customer in order to access the Services of the Website and the Client Area, including login identifiers, authentication data, logs of successful and unsuccessful login attempts and similar information.
-
Identity verification documents and photographs collected under the KYC Customer Verification Policy are retained for the duration of the contractual relationship with the Customer and for seven (7) years thereafter, or for such longer or shorter period as may be required or permitted by applicable Estonian tax, accounting, anti-money laundering and other regulatory requirements. Upon expiry of the applicable retention period, such documents are securely deleted or anonymised in accordance with the Contractor's data retention procedures.
-
-
Personal Data from other sources
-
The Contractor may receive Personal Data from third parties, including:
payment service providers (transaction confirmations, fraud alerts, chargeback notifications);
identity verification, fraud prevention and sanctions screening services;
public registers and databases (for Business Customer verification, VAT validation and similar purposes); and
third parties who submit abuse reports, legal notices or complaints concerning the Customer's use of the Services.
-
Where Personal Data is obtained from sources other than the Data Subject, the Contractor will provide the Data Subject with the information required under Article 14 of the GDPR within a reasonable period and in any event within one month, unless an exemption under Article 14(5) of the GDPR applies.
-
-
-
Processing of Personal Data
-
The Contractor processes Personal Data in accordance with the following principles set out in Article 5 of the GDPR:
Lawfulness, fairness and transparency — the Contractor processes Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, as described in this Privacy Policy.
Purpose limitation — the Contractor collects Personal Data only for specific, explicit and legitimate purposes and does not further process such data in a manner that is incompatible with those purposes, unless permitted by applicable law.
Data minimisation — the Contractor ensures that Personal Data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy — the Contractor takes reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date, and to rectify or erase Personal Data that is inaccurate having regard to the purposes of the processing. Data Subjects have the right to request rectification or erasure of inaccurate data in accordance with Section 8 of this Privacy Policy.
Storage limitation — the Contractor retains Personal Data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed, subject to any mandatory retention periods under applicable law, as further described in this Section 5 and in other sections of this Privacy Policy.
Integrity and confidentiality — the Contractor implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, as further described in Section 7 of this Privacy Policy.
Accountability — the Contractor is responsible for, and able to demonstrate compliance with, the above principles and other applicable requirements of the GDPR and Estonian data protection law.
-
Recipients of Personal Data
-
The Contractor does not sell Personal Data to third parties. Personal Data may be disclosed to third parties only where:
disclosure is necessary for the performance of the Agreement or the provision of the Services;
disclosure is required by applicable law or a binding order of a competent authority;
disclosure is necessary to establish, exercise or defend legal claims;
the Data Subject has given consent to such disclosure; or
disclosure is otherwise permitted under applicable data protection law.
In all cases, the Contractor will ensure that such disclosures are carried out on one or more of the legal bases described in Section 2 of this Privacy Policy and that appropriate safeguards are applied.
-
In addition to the categories of recipients described in Section 2.6 of this Privacy Policy, the Contractor may share Personal Data with the following categories of recipients, to the extent necessary for the purposes set out in Section 2:
Service providers and processors: third parties engaged by the Contractor to assist in providing, operating, supporting or improving the Services, including data centre operators, infrastructure and network providers, customer support tools, email and SMS delivery providers, identity verification and fraud prevention services, and other IT and professional service providers engaged by the Contractor. These third parties generally act as data processors on behalf of the Contractor.
Payment service providers and financial institutions: for processing payments, managing refunds and chargebacks, performing fraud prevention checks and complying with applicable payment and financial regulations. Such entities may act as independent data controllers in respect of certain processing activities.
Domain name registries and registrars: when registering, renewing or managing domain names on the Customer's behalf, including the disclosure of registration data required by the relevant registry or registrar in accordance with their policies and applicable law.
Professional advisers: legal, accounting and auditing advisers, to the extent necessary for the Contractor to obtain professional advice or to establish, exercise or defend legal claims.
Debt collection agencies and similar service providers: where necessary for the recovery of overdue payments and the enforcement of contractual rights, subject to applicable law.
Law enforcement agencies, regulatory authorities, tax authorities and courts: where required by applicable law, a binding order or request from a competent authority, or where necessary to protect the Contractor's legal rights or to comply with legal proceedings.
Competent authorities under the TCO Regulation: for the purposes of receiving, processing and executing removal orders and other requests issued under Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online (the "TCO Regulation").
Third parties in connection with abuse reports and legal notices: where the Customer or another person notifies the Contractor of a suspected violation of the Agreement, the Terms and Conditions or applicable law, or submits a legal notice or complaint alleging that the Customer's use of the Services infringes applicable law or the rights of third parties, the Contractor may disclose relevant information to the complainant, the Customer or other affected parties to the extent necessary to investigate and resolve the matter, to establish, exercise or defend legal claims or as required by law. Any such disclosure will be limited to what is strictly necessary and will be carried out subject to appropriate safeguards.
-
Where the Contractor engages data processors or other service providers to process Personal Data on the Contractor's behalf, the Contractor ensures that such processors are bound by written agreements that impose data protection obligations no less protective than those set out in this Privacy Policy and in accordance with Article 28 of the GDPR.
-
-
International transfers of Personal Data
-
The Contractor is established in Estonia and primarily processes Personal Data within the European Economic Area (EEA). Where Personal Data is transferred to recipients outside the EEA, the Contractor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as:
transfers to countries that have been recognised by the European Commission as providing an adequate level of data protection;
transfers subject to Standard Contractual Clauses approved by the European Commission; or
other appropriate safeguards permitted under the GDPR.
-
Data Subjects may request additional information about the safeguards applied to international transfers by contacting the Contractor as described in Section 8 of this Privacy Policy.
-
-
Retention of Personal Data
-
The Contractor retains Personal Data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, tax, reporting or regulatory requirements, or for as long as otherwise required or permitted by applicable law. The specific retention period for each category of Personal Data depends on the nature of the data and the purposes of processing, as further described in this Section 5 and in other sections of this Privacy Policy.
-
Without prejudice to Section 4.2.6 of this Privacy Policy and any specific retention periods set out elsewhere, the following general retention periods apply:
Account and billing information: retained for the duration of the contractual relationship and for at least seven (7) years thereafter, in accordance with Estonian tax, accounting and commercial law requirements.
Communication records (support tickets, emails, chat transcripts): retained for the duration of the contractual relationship and for a reasonable period thereafter (typically up to three (3) years) to enable the Contractor to respond to enquiries, to establish or defend legal claims and for quality assurance purposes, unless a longer period is required in connection with specific disputes or legal proceedings.
Technical and usage data (server logs, access logs and similar data): retained for a period necessary for security, fraud prevention, diagnostics and analytics purposes, typically not exceeding twelve (12) months, unless longer retention is required for ongoing security investigations, abuse investigations or legal proceedings.
Identity verification documents and photographs (KYC): retained for the duration of the contractual relationship and for seven (7) years thereafter, or for such longer or shorter period as may be required or permitted by applicable Estonian tax, accounting, anti-money laundering and other regulatory requirements, as further described in Section 4.2.6 of this Privacy Policy.
Marketing consent records and opt-out records: retained for as long as the consent remains valid and for a reasonable period thereafter to demonstrate compliance with applicable law and to respect any opt-out requests.
-
The Contractor is obliged to retain certain Personal Data (including the Customer's name, email address, billing address, order and payment history and invoice details) for a minimum of seven (7) years after the end of the relevant financial year, in order to comply with Estonian tax, accounting and commercial law requirements, unless a longer period is required by specific legislation.
-
Upon expiry of the applicable retention period, or upon a valid request from the Data Subject to exercise the right to erasure under Article 17 of the GDPR (where no exemption applies), the Contractor will securely delete or anonymise the relevant Personal Data in accordance with the Contractor's data retention procedures. Where anonymisation is used, the data will be processed in such a way that it can no longer be linked to an identified or identifiable natural person.
-
Notwithstanding the above, where the Contractor removes or disables access to content that is considered "terrorist content" within the meaning of the TCO Regulation, the Contractor will retain the removed or disabled content and related Personal Data (including logs, timestamps, identifiers and account information necessary to comply with the TCO Regulation) for a period of six (6) months from the date of removal or disabling, or for such longer period as may be specifically requested by a competent authority or court.
The processing of such data is carried out on the legal basis of compliance with a legal obligation under Article 6(1)(c) of the GDPR (specifically, compliance with the TCO Regulation).
Access to such retained content and Personal Data is strictly limited to:
competent authorities and courts acting within their legal powers; and
-
a limited number of authorised employees or contractors of the Contractor who require access strictly for the purposes of:
executing and documenting removal orders and other legal requests;
handling complaints submitted by Customers in accordance with Section 7.7 of the Terms and Conditions; or
complying with statutory obligations under applicable law.
-
-
-
Personal Data Hosted by Customers
-
This Section 6 applies to Personal Data that is hosted, transmitted, stored or otherwise processed by the Customer or the Customer's end users on infrastructure provided by the Contractor as part of the Services (such as virtual servers, dedicated servers, cloud storage or other hosting services).
-
In relation to such Personal Data:
the Customer (or, where applicable, the Customer's own customers or end users) acts as the data controller within the meaning of Article 4(7) of the GDPR and is responsible for determining the purposes and means of the processing of such Personal Data;
the Contractor acts as a data processor within the meaning of Article 4(8) of the GDPR to the extent that the Contractor has access to or processes such Personal Data on behalf of the Customer; and
the Contractor's processing of such Personal Data is governed by the Agreement, any applicable data processing agreement between the Contractor and the Customer in accordance with Article 28 of the GDPR, and applicable data protection law.
-
The Customer is responsible for:
ensuring that the Customer has a valid legal basis under the GDPR and other applicable data protection laws for the collection and processing of Personal Data hosted on the Contractor's infrastructure;
complying with applicable data protection laws in relation to such Personal Data, including providing any required notices to Data Subjects and responding to Data Subject requests;
ensuring that any Personal Data transferred to or processed on the Contractor's infrastructure is collected and transferred in accordance with applicable law; and
implementing appropriate technical and organisational measures to protect Personal Data within the Customer's own environment and applications, to the extent that such measures are within the Customer's control.
-
Where the Contractor processes Personal Data on behalf of the Customer as a data processor, the Contractor will:
process such Personal Data only in accordance with the Customer's documented instructions, unless required to do otherwise by applicable law;
ensure that persons authorised to process such Personal Data are bound by appropriate confidentiality obligations;
implement appropriate technical and organisational measures to protect such Personal Data in accordance with Article 32 of the GDPR and Section 7 of this Privacy Policy;
assist the Customer, to the extent reasonably practicable and subject to the terms of the Agreement, in responding to Data Subject requests and in meeting the Customer's obligations under the GDPR; and
delete or return such Personal Data to the Customer upon termination of the Services, unless retention is required by applicable law.
-
Further details of the Contractor's obligations as a data processor may be set out in a separate data processing agreement between the Contractor and the Customer, where required by Article 28 of the GDPR or by the Customer.
-
-
Security Measures
-
The Contractor implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft or disclosure, in accordance with Article 32 of the GDPR and applicable data protection laws.
-
These measures include, as appropriate to the nature of the Personal Data and the risks of processing:
physical security measures to protect data centre facilities and infrastructure;
access controls to limit access to Personal Data to authorised personnel on a need-to-know basis;
authentication and authorisation mechanisms to verify the identity of users and control access to systems;
encryption of Personal Data in transit and, where appropriate, at rest;
network security measures, including firewalls, intrusion detection and prevention systems, and regular security monitoring;
regular backups and disaster recovery procedures to protect against data loss;
policies and procedures for the secure disposal or deletion of Personal Data;
staff training and awareness programmes on data protection and information security; and
regular review and testing of security measures to ensure their continued effectiveness.
-
The Contractor regularly reviews and updates its security measures to address new threats and vulnerabilities and to help ensure ongoing compliance with applicable data protection and security standards. The Contractor maintains internal procedures for responding to Personal Data breaches in accordance with applicable data protection law. Where required by the GDPR, the Contractor will notify the competent supervisory authority and, where appropriate, the affected Data Subjects without undue delay.
-
Notwithstanding the above, the Customer acknowledges that no method of transmission over the Internet or method of electronic storage is completely secure, and the Contractor cannot guarantee the absolute security of Personal Data. The Customer is responsible for implementing appropriate security measures within the Customer's own environment and for maintaining secure access credentials, as described in the Terms and Conditions.
-
-
Data Subject Rights
-
Data Subjects (including Customers and other natural persons whose Personal Data is processed by the Contractor) have the following rights under the GDPR and applicable data protection laws, subject to the conditions and limitations set out in those laws:
Right of access (Article 15 GDPR): the right to obtain confirmation as to whether Personal Data is being processed and, where that is the case, to obtain access to the Personal Data and certain information about the processing.
Right to rectification (Article 16 GDPR): the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data. Customers may correct certain Personal Data directly in the Client Area where such functionality is available.
Right to erasure (Article 17 GDPR): the right to request the deletion of Personal Data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected or where the Data Subject withdraws consent, subject to the limitations set out in Section 5.4 of this Privacy Policy and applicable law.
Right to restriction of processing (Article 18 GDPR): the right to request the restriction of processing in certain circumstances, such as where the accuracy of the Personal Data is contested or where the processing is unlawful and the Data Subject opposes erasure.
Right to data portability (Article 20 GDPR): the right to receive Personal Data provided to the Contractor in a structured, commonly used and machine-readable format and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.
Right to object (Article 21 GDPR): the right to object, on grounds relating to a particular situation, to processing of Personal Data based on legitimate interests, including profiling. Where the Contractor processes Personal Data for direct marketing purposes, the Data Subject has the right to object at any time to such processing, in which case the Personal Data will no longer be processed for such purposes.
Right not to be subject to automated decision-making (Article 22 GDPR): the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the Data Subject, except in certain circumstances permitted by law.
Right to withdraw consent: where processing is based on consent, the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint: the right to lodge a complaint with a supervisory authority, in particular in the Member State of the Data Subject's habitual residence, place of work or place of the alleged infringement. In Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
-
Exercising Data Subject Rights
-
Data Subjects may exercise their rights by submitting a request to the Contractor using one of the following methods:
through the Client Area ticket system (for Customers with an active account);
by email to the contact address published on the Website; or
by post to the Contractor's registered address.
-
The Contractor may request information reasonably necessary to verify the identity of the Data Subject and to locate the relevant Personal Data. The Contractor will not charge a fee for responding to requests, except where requests are manifestly unfounded or excessive, in which case the Contractor may charge a reasonable fee or refuse to act on the request, in accordance with the GDPR.
-
The Contractor will respond to Data Subject requests without undue delay and in any event within one (1) month of receipt of the request, unless the request is complex or the Contractor has received a large number of requests, in which case the response period may be extended by a further two (2) months. The Contractor will inform the Data Subject of any such extension within one (1) month of receipt of the request.
-
-
Limitations on Data Subject Rights
-
The rights described in this Section 8 may be limited or subject to exceptions where:
the Contractor is required to retain certain Personal Data in order to comply with a legal obligation (such as tax, accounting or anti-money laundering requirements);
the processing is necessary for the establishment, exercise or defence of legal claims;
the Contractor is required to comply with binding requests from competent authorities, including obligations arising under Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online (the TCO Regulation);
an exemption or derogation applies under applicable data protection law; or
responding to the request would adversely affect the rights and freedoms of others.
-
Where the Contractor is unable to comply with a request, or is able to comply only in part, the Contractor will inform the Data Subject of the reasons and of any available remedies, unless applicable law prohibits such disclosure.
-
-
Contact for Data Protection Matters
For questions, requests or complaints relating to data protection or the processing of Personal Data, Data Subjects may contact the Contractor using the contact details published on the Website or through the Client Area, as described in Section 1 of this Privacy Policy.
-
-
Limitations of this Privacy Policy
-
This Privacy Policy applies to the processing of Personal Data by the Contractor in connection with the Website and the Services. It does not apply to:
Personal Data processed by third parties that operate independently of the Contractor, including third-party websites, applications or services that may be linked to or accessible from the Website;
Personal Data processed by Customers or their end users on infrastructure provided by the Contractor, where the Customer acts as the data controller, as described in Section 6 of this Privacy Policy; or
actions of third parties who are not acting on behalf of or under the instructions of the Contractor.
-
The Contractor is not responsible for the privacy practices or the content of third-party websites, applications or services. Data Subjects are encouraged to review the privacy policies of any third-party services before providing Personal Data to them.
-
Notwithstanding the above, the Contractor remains responsible for:
the processing of Personal Data by data processors engaged by the Contractor in accordance with Article 28 of the GDPR, as described in Section 5 of this Privacy Policy; and
ensuring that appropriate safeguards are in place for any international transfers of Personal Data, as described in Section 5.3 of this Privacy Policy.
-
Data Subjects are advised to take appropriate precautions when sharing Personal Data online, including through the Website, and to review the Contractor's Terms and Conditions for information on the Customer's responsibilities regarding account security and the use of the Services.
-