Privacy Policy

Last updated: 2026-05-04

GiBSeS OÜ ("we", "us") is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act. This policy describes what data we collect, why, how we use it, and the rights available to you.

1. Data Controller

GiBSeS OÜ — registry code [PLACEHOLDER: registry code], registered office Juhkentali 8, 10132 Tallinn, Estonia. Contact: info@gibses.com. A Data Protection Officer (DPO) is reachable at the same address — see the section on your rights.

2. Categories of Data Processed

Identification data (name, email, billing address); transaction data (orders, invoices, payment metadata — note: full payment card details are processed by Stripe and never stored on our servers); usage data (IP, browser, locale, pages visited via privacy-friendly analytics); communication data (support requests, marketing opt-in).

3. Purposes and Lawful Basis

Contract performance (Art. 6.1.b GDPR): account management, order fulfillment, customer support, invoicing. Legal obligation (Art. 6.1.c): tax retention (10 years for invoices under Estonian law), fraud prevention. Legitimate interest (Art. 6.1.f): security monitoring, abuse prevention, service improvement. Consent (Art. 6.1.a): marketing communications, non-essential cookies — withdrawable at any time.

4. Data Retention

Account data: until account deletion plus 30 days for backup recovery, then anonymized. Invoices and tax-related records: 10 years (Estonian Accounting Act). Marketing consent log: until withdrawal plus 5 years. Server logs: 90 days. Analytics: aggregated and pseudonymized; raw events 30 days. [PLACEHOLDER: confirm retention windows with legal counsel before publication]

5. Data Recipients

We share data with: Stripe (payment processing — EU/US; SCC in place), Resend (transactional email — EU/US; SCC in place), our hosting provider Contabo (Germany — EU), [PLACEHOLDER: any other processor]. We do not sell or rent personal data. Transfers outside the EU/EEA rely on Standard Contractual Clauses or equivalent safeguards.

6. Your Rights

Under GDPR you have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent at any time, and lodging a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee). To exercise any right, contact info@gibses.com — we respond within 30 days.

7. Security

We implement appropriate technical and organizational measures including: encrypted transport (TLS 1.3), encrypted storage at rest, hashed passwords (bcrypt, future migration to argon2id), access control, audit logging of sensitive operations, regular backups, and security review of changes. No system is perfect; in case of a breach affecting your data, we notify you and the regulator within 72 hours as required by Art. 33-34 GDPR.

8. Cookies

See our dedicated Cookie Policy for details on cookies and similar technologies used. We rely on consent for non-essential cookies.

9. Children

Our Services are not directed at children under 16. We do not knowingly collect personal data from minors. If you believe we hold data of a minor without proper consent, contact us immediately for deletion.

10. Changes to this Policy

We may update this Privacy Policy. The current version is always available on this page with the "Last updated" date. Material changes are notified to active customers by email.

[PLACEHOLDER: real copy from legal — DPO appointment confirmation, retention windows, processors list and SCC references all require legal review before publication]