Privacy Policy
Last updated: 2026-05-21
GiBSeS OÜ ("GiBSeS", "we", "us") protects your personal data in compliance with EU Regulation 2016/679 (GDPR), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and applicable law. This policy describes what data we collect, why, how we use it, how long we retain it, and the rights you can exercise.
1. Data Controller
GiBSeS OÜ — Estonian registry code 17231761, registered office at Juhkentali tn 8, Kesklinna linnaosa, 10132 Tallinn, Estonia. Email: info@gibses.com. Phone: +372 537 05283. For data-protection requests: legal@gibses.com. No mandatory Data Protection Officer (DPO) is currently appointed under Art. 37 GDPR; requests are handled by the company's legal representatives.
2. Categories of Data Processed
• Identification and contact data: first name, last name, email, billing address, and where applicable company name and VAT number for business customers.
• Transaction data: order history, invoices, payment metadata. NB: full card details neither transit through nor are stored on our servers — they are processed directly by Stripe Payments Europe Ltd.
• Usage data: IP address, user-agent, browser locale, pages visited, via privacy-friendly analytics tools.
• Communication data: support requests, email conversations, marketing preferences.
• Affiliate program data (where applicable): affiliate code, IBAN for commission payouts, tax documentation (invoices/receipts), activity and click reports.
3. Purposes and Lawful Basis
• Contract performance (Art. 6.1.b GDPR): account management, order fulfillment, invoicing, SaaS service provision (RADAR, ECHO, MAIKE), affiliate program management, customer support.
• Legal obligation (Art. 6.1.c): accounting and tax record retention (7 years under Estonian Accounting Act §12), fraud prevention, AML/KYC where required.
• Legitimate interest (Art. 6.1.f): system security and abuse-monitoring, service improvement, dispute handling, service communications. You may object by writing to legal@gibses.com.
• Consent (Art. 6.1.a): newsletters and marketing communications, analytics and non-strictly-necessary cookies. Consent is withdrawable at any time without prejudice to the lawfulness of processing carried out before withdrawal.
4. Retention Period
• Account data: for the duration of the contractual relationship and 30 days after cancellation (backup recovery), then anonymized.
• Invoices and tax records: 7 years from financial-year close (Estonian Accounting Act).
• Affiliate program data and commissions: for the duration of the relationship and 10 years after termination (statute of limitations + tax purposes).
• Marketing consent log: until withdrawal, then 5 years for evidentiary purposes.
• Server and security logs: 90 days.
• Analytics data: aggregated and pseudonymized; raw events 30 days.
• Support conversation data: 24 months from ticket closure.
5. Recipients and Processors
To provide our services we rely on the following data processors (Art. 28 GDPR), all bound by contract:
• Stripe Payments Europe Ltd (Ireland) — payment processing.
• Resend, Inc. (USA) — transactional email delivery — transfer based on EU Standard Contractual Clauses.
• Contabo GmbH (Germany) — infrastructure hosting.
• Group office and collaboration providers (e.g. Google Workspace) where applicable.
We do not sell or rent your personal data to third parties. We may disclose data to public authorities only upon legitimate order and within the limits of the law.
6. Transfers Outside the EU
Some providers (e.g. Stripe, Resend) may process data outside the European Economic Area. Such transfers comply with Arts. 44-49 GDPR and are covered by Standard Contractual Clauses adopted by the EU Commission (Decision 2021/914), by adequacy decisions, or by supplementary measures where necessary. Copies of the safeguards are available on request to legal@gibses.com.
7. Data Subject Rights
You have the right to:
a) access your personal data (Art. 15);
b) rectify inaccurate data (Art. 16);
c) erasure / right to be forgotten (Art. 17);
d) restriction of processing (Art. 18);
e) portability (Art. 20);
f) object to processing (Art. 21), including direct marketing;
g) withdraw consent at any time (Art. 7.3);
h) not be subject to automated decisions under Art. 22;
i) lodge a complaint with the competent Supervisory Authority: in Estonia the Andmekaitse Inspektsioon (www.aki.ee), or the Authority of your EU Member State of residence, work, or place of the alleged infringement.
To exercise your rights write to legal@gibses.com. We respond within 30 days of the request (extendable by a further 60 days for complex requests, with reasoned notice).
8. Automated Decisions and Profiling
We do not use automated decision-making processes that produce legal effects concerning the data subject or significantly affect them under Art. 22 GDPR. The SaaS tools we provide to business customers (RADAR, ECHO, MAIKE) may include AI components, but they are governed by service contracts and the customer DPA, not by this notice.
9. Security
We adopt appropriate technical and organizational measures under Art. 32 GDPR, including: TLS 1.3 encrypted transport, encryption at rest for sensitive data, password hashing (bcrypt, planned migration to argon2id), role-based access control, audit logs of critical operations (refunds, license revocations, account deletions), regular backups, environment segregation, code review and security review of changes, continuous monitoring. No system is impenetrable: in the event of a breach involving risk to your rights, we will notify you and the Authority within 72 hours under Arts. 33-34 GDPR.
10. Minors
Our services are not directed at minors under 16 and we do not knowingly collect personal data of minors. If you believe we have collected data of a minor without valid consent from the parental authority holder, contact us at legal@gibses.com for immediate deletion.
11. Cookies
For details on the use of cookies and similar technologies, see our Cookie Policy. For non-strictly-necessary cookies we rely on your explicit consent, collected via the banner.
12. Changes to this Notice
We may update this Privacy Notice. The current version is always available on this page with the "Last updated" date indicated at the top. Material changes are notified to active customers by email with at least 15 days' notice. Previous versions are archived and provided on request.
13. Contact
For any request relating to this Notice or the processing of your personal data: GiBSeS OÜ — Juhkentali tn 8, 10132 Tallinn, Estonia — legal@gibses.com — +372 537 05283. Estonian registry code: 17231761.
Last review: 21 May 2026. GiBSeS OÜ — registry no. 17231761 — Juhkentali tn 8, 10132 Tallinn, Estonia.