Privacy Policy

1. Data Controller and Contact Information

2Rdesign OÜ ("we," "our," or "us") is the data controller responsible for your personal data. You can contact us at:

• Email: [email protected]
• Phone: +372 5663 4422
• Address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
• Registration Number: 17224293
• VAT Number: EE102685016

2. Information We Collect and Legal Basis

We collect and process personal data based on the following legal grounds under Article 6 of the GDPR:

2.1 Information You Provide to Us

Data Category	Purpose	Legal Basis (Article 6 GDPR)	Retention Period
Contact information (name, email, phone, address)	Service delivery, communication	Contract performance (Art. 6(1)(b))	Duration of contract + 3 years
Company information and job title	Business relationship management	Legitimate interests (Art. 6(1)(f))	Duration of business relationship + 2 years
Project requirements and specifications	Service delivery, portfolio development	Contract performance (Art. 6(1)(b)), Consent (Art. 6(1)(a)) for portfolio use	Contract duration + 7 years (tax purposes)
Payment information	Transaction processing	Contract performance (Art. 6(1)(b)), Legal obligation (Art. 6(1)(c))	7 years (tax and accounting obligations)
Communications and correspondence	Customer support, relationship management	Contract performance (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f))	3 years from last communication

2.2 Information We Collect Automatically

Data Category	Purpose	Legal Basis	Retention Period
Technical data (IP address, browser, device info)	Security, functionality	Legitimate interests (Art. 6(1)(f))	13 months
Usage data (pages visited, session duration)	Website optimization	Consent (Art. 6(1)(a)) for analytics cookies	26 months
Marketing preferences	Direct marketing	Consent (Art. 6(1)(a))	Until consent withdrawn

3. Data Processing Purposes and Legal Basis

We process your personal data for the following purposes, each with a specific legal basis:

• Service delivery and contract performance - Legal basis: Contract performance (Art. 6(1)(b))
• Payment processing and invoicing - Legal basis: Contract performance (Art. 6(1)(b)) and legal obligations (Art. 6(1)(c))
• Customer support and communication - Legal basis: Contract performance (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))
• Website security and fraud prevention - Legal basis: Legitimate interests (Art. 6(1)(f))
• Marketing communications - Legal basis: Consent (Art. 6(1)(a)) - you can withdraw consent at any time
• Website analytics and improvement - Legal basis: Consent (Art. 6(1)(a)) for non-essential cookies
• Legal compliance and tax obligations - Legal basis: Legal obligations (Art. 6(1)(c))
• Portfolio and case study development - Legal basis: Consent (Art. 6(1)(a)) - separate consent required

4. Data Sharing and Third-Party Processors

We may share your personal data with the following categories of recipients, all subject to appropriate data processing agreements and safeguards:

4.1 Service Providers and Processors

Processor	Service	Data Transferred	Location	Safeguards
Payment processors (Stripe, PayPal)	Payment processing	Payment and billing data	EU/US (adequacy decision)	Standard Contractual Clauses, PCI DSS compliance
Email service providers	Communication management	Contact information, communications	EU	Data Processing Agreement, GDPR compliance
Cloud hosting providers	Website and data hosting	All website data	EU	EU-based servers, ISO 27001 certification
Analytics providers (with consent)	Website analytics	Anonymized usage data	EU/US	Data anonymization, consent-based processing

4.2 Legal Disclosure

We may disclose personal data when required by law, court order, or when necessary to:

• Comply with legal obligations under Estonian or EU law
• Protect our rights, property, or safety, or those of our users
• Investigate potential violations of our terms of service
• Respond to lawful requests from public authorities

4. Data Security

We take reasonable measures to help protect information about you from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. However, no internet or electronic storage system is 100% secure.

5. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Contract and project data: Duration of contract plus 3 years for warranty claims
• Financial and payment records: 7 years (Estonian accounting law requirements)
• Tax-related information: 7 years (Estonian tax law requirements)
• Marketing communications: Until consent is withdrawn or 3 years of inactivity
• Website analytics data: 26 months maximum (with your consent)
• Security logs: 13 months for fraud prevention
• Customer support communications: 3 years from last contact
• Portfolio materials: Until specific consent is withdrawn

After the retention period expires, we securely delete or anonymize your personal data unless longer retention is required by law.

6. International Data Transfers

2Rdesign OÜ is based in Estonia. If you are accessing our services from outside Estonia, please be aware that your information may be transferred to, stored, and processed in Estonia where our servers are located.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

7.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and receive a copy of your data.

7.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

7.3 Right to Erasure (Article 17)

You may request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent and no other legal basis exists
• The data has been unlawfully processed
• Legal obligations require erasure

7.4 Right to Restrict Processing (Article 18)

You can request limitation of processing in certain circumstances.

7.5 Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format and transfer it to another controller.

7.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time by:

• Emailing us at [email protected]
• Using the unsubscribe link in marketing emails
• Adjusting cookie preferences in our cookie banner

7.8 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within one month. We may request verification of your identity for security purposes.

7.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate:

• Website: www.aki.ee
• Email: [email protected]
• Phone: +372 627 4135
• Address: Tatari 39, 10134 Tallinn, Estonia

8. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or significantly affects you. All decisions regarding our services are made by human review.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies with your consent where required. Essential cookies for website functionality are used based on legitimate interests. For detailed information about our cookie practices, consent management, and your choices, please see our Cookie Policy.

9. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

10. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the "Last updated" date.

11. Data Protection Officer

For data protection matters, you can contact our designated representative:

12. Contact Information

For questions about this privacy policy or our privacy practices, contact us at: