Privacy Policy (vinterstrom.com)
Skeleton policy for the marketing/holding site only. Product privacy policies (e.g. SignalBee) are separate and live with each product.
This Privacy Policy explains how Vinterstrom OÜ collects, uses, and safeguards personal data in connection with the vinterstrom.com website. It does not cover SignalBee, the Tower Defense game, or any client engagement — those have their own policies and processing terms.
Who we are
Vinterstrom OÜ ("we", "us", "our") — a Private Limited Company organised under the laws of Estonia, registry code 17505744 (registered 2026-05-12), registered office at Tornimäe tn 5, 10145, Tallinn linn, Harju maakond, Estonia.
For data-protection enquiries: {privacy-email — e.g. privacy@vinterstrom.com}.
The supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI) at aki.ee.
What we collect on this site
Visiting the site
- Server logs (handled by DigitalOcean and Cloudflare): IP address, user-agent, referrer, requested URL, timestamp, response status. Retained 30 days. Lawful basis: legitimate interest in operating and securing the site (Article 6(1)(f) GDPR).
- Cookies: see the Cookie Policy (/cookies) for the full list and what each does.
- Analytics (consent-gated): when you accept the analytics category in the cookie banner, we use Google Analytics 4 with Consent Mode v2 to understand aggregate site usage (page views, referral sources, broad geography). Without consent, GA4 runs in the privacy-preserving aggregated mode that does not set identifying cookies. Lawful basis: consent (Article 6(1)(a) GDPR) for the cookie-set variant; legitimate interest (Article 6(1)(f)) for the cookieless aggregated variant.
Submitting the contact form
- Personal data you provide: your name, email address, and message.
- Why: to respond to your enquiry. Lawful basis: legitimate interest in receiving and responding to business enquiries (Article 6(1)(f) GDPR). If your enquiry leads to a signed engagement, Article 6(1)(b) (performance of contract) attaches to the engagement record going forward.
- Spam protection: contact-form submissions are gated by Cloudflare Turnstile to prevent automated abuse. Turnstile uses browser / behavioural signals to distinguish humans from bots (no identifying cookies in the privacy-preserving managed mode). Lawful basis: legitimate interest in keeping the form free of automated spam (Article 6(1)(f) GDPR).
- Booking (Calendly): when you click "Book a call" in the contact section, your browser loads Calendly's popup widget and you may book a 30-minute intro call. Calendly collects the booking details (name, email, company, topic, selected slot) directly — no copy reaches our servers. The Calendly script is loaded only after you click; we set no Calendly cookies for visitors who do not initiate a booking. Lawful basis: pre-contractual measures at your request (Article 6(1)(b) GDPR).
- Retention: 24 months from the last interaction, unless your enquiry leads to a client engagement, in which case the data is retained per the engagement's data-processing agreement (typically engagement term + 7 years for tax records).
How we use your data
- To respond to your enquiries.
- To operate, secure, and improve the site.
- To meet legal and tax record-keeping obligations (Estonian Accounting Act).
We do not sell your data. We do not use your data for automated decision-making with legal or similarly significant effect.
Who else gets your data
Service providers acting on our instructions and bound by data-processing agreements:
- Hosting / CDN / DNS: DigitalOcean, LLC (US — Droplet hosting), Cloudflare, Inc. (US — DNS / TLS / WAF).
- Spam protection: Cloudflare, Inc. — Turnstile product (US).
- Analytics (consent-gated): Google LLC (US — Google Analytics 4 with Consent Mode v2).
- Email delivery (transactional, when we reply to your contact-form submission): Mailgun Technologies, Inc. (US, with EU region available).
- Booking (when you initiate one): Calendly LLC (US — meeting scheduling).
International transfers to the US are covered by Standard Contractual Clauses and / or adequacy decisions in force at the time of transfer (the EU–US Data Privacy Framework applies to DPF-certified recipients including Google LLC). The current list of sub-processors is at /legal/sub-processors (when published) or available on request.
Your rights
Under the EU General Data Protection Regulation, you have the right to:
- access your personal data;
- correct inaccurate data;
- have your data erased ("right to be forgotten") subject to legal retention rules;
- restrict processing;
- portability;
- object to processing based on legitimate interests;
- complain to a supervisory authority — primarily AKI in Estonia.
To exercise any of these, email {privacy-email}. We respond within one month (Article 12(3) GDPR), extendable by up to two further months for complex or numerous requests, with notice to you within the first month.
Children
This site is not directed at children. We do not knowingly collect personal data from anyone below the applicable age of digital consent. In Estonia, that age is 13 (Personal Data Protection Act §8); other jurisdictions may set it as high as 16 under Article 8 GDPR. If you believe a child has submitted data, contact us and we will delete it.
Security
We implement reasonable technical and organisational measures: TLS in transit, access controls, audit logging, dependency hygiene, and incident-response procedures. No system is fully secure; we do our best.
Changes
We may update this policy. Material changes will be announced on the site. The version date below indicates the current version.
Contact
{privacy-email} — Vinterstrom OÜ, Tornimäe tn 5, 10145, Tallinn linn, Harju maakond, Estonia.
Version 0.1-draft — effective TBD.