1. Introduction

GDPR Register OÜ provides software as a service, which allows managing privacy compliance documentation, such as records of processing activities, data processing agreements and data breaches. This policy explains the principles of how GDPR Register OÜ, registry code 14432795, address Rotermanni 8, Tallinn, Estonia, 10111, e-mail („GDPR Register“, „our“, „we“ or „us“) as the personal data controller collects and processes your (“you”) personal data when you visit the website (“Website”), connect with us via social media platforms, or in relation to invoicing and billing procedures; and as a processor, when you, as a representative of your company, subscribe and use our privacy compliance application (“Platform”) and and use our Services.

Capitalised terms used in this privacy policy are used in the meaning given to them in the Terms of Service unless otherwise expressly set out herein.

2. The information we collect about you and how we use it

We need to collect and use certain Personal Data to provide the Services to you, fulfil the promises we make to you in the Terms of Service and answer your inquiries before entering into Terms of Service:

Purpose of processingCategory of personal dataData we collect and process about you
To enable secure access to our Platform and resolve possible customer support issuesPersonal Identification InformationWhen using the Platform, name, e-mail address, telephone number, password, 2FA code, IP address, the language of your preference
Handling invoices and processing paymentsFinancial InformationWhen using the platform, name on card, last four digits of credit card, email address, payment date, the amount paid, details of company you work for.
Providing you with possibility to monitor activity of your users of the Platform and resolve possible issues.Activity dataWhen using the platform Platform, pages you visited and functions used, audit log data (including sign-in date and time, created, changed and deleted objects and object data).
To be able to respond your inquiries, provide you with high quality of the service and ensure high level of satisfactionPersonal Identification Information, Communication DataIn case you interact with us via our Website live chat, e-mails and sign-up forms, GDPR Register’s Facebook page, YouTube channel or LinkedIn page any other official social media account or book meetings with us, we process, in addition to Personal Identification Information (limited in case of contacting via social media), also the contents of your messages, date and time of online meeting sessions, meeting notes.

In addition, we have and rely on a legitimate interest in using your Personal Data as follows:

Purpose of processingCategory of personal dataData we collect and process about you
Diagnosing and repairing technical issues, ensuring security and prevent fraudulent actions related to Website and PlatformTechnical DataUpon visiting our Website or subscribing and using our Platform, we process technical diagnostics data related to your usage of the Website, including but not limited to date, time, access tokens, session key, operating system, amount and state of transferred data. Additionally, when you visit our Website, we also may collect your IP address, location data (down to city level), referring URL, browser type and version, browser language. This information can be related to you; therefore, Personal Identification Information can be processed as well.
Providing you with information in relation to the services and products you have previously sourced from usPersonal Identification Information, Purchased servicesWhen using the Platform, name, e-mail address, location (down to city level), preferred language, purchased services and usage statistics

We will only use your Personal Data to do the following if we have your consent:

Purpose of processingCategory of personal dataData we collect and process about you
Improving quality of our Website and Platform. Social media marketing.Cookie DataWe apply cookies on the Website, to optimise the Website and its functionalities. The cookies may collect your personal data. To learn more about the cookies we use, please read our Cookie Policy.
To send you newsletters and promotion materialsPersonal Identification InformationWhen you decide to subscribe to our newsletters, we may collect such information as your name and email address.

The personal data we process is collected from one of the following sources:

  • the data is disclosed by you directly to us;
  • we receive the data from social media service providers due to you registering or contacting us via your existing social media account;
  • we receive the data from the payment service provider due to you paying for the Subscription;
  • we receive Technical Data automatically from your browser, our servers and systems.
We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes or the new purpose is compatible with the original purpose brought out above.

3. Sharing your personal data

Any data you provide will not be publicly displayed or shared with other Website visitors or clients. Certain employees of the GDPR Register have access to personal data to the extent necessary for the performance of their work duties.

We use third-party processors and separate data controllers to help provide our service. They will have access to your personal data as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.

We have set out in the table below the reasons why and with whom we share your personal data:

Categories of RecipientsReason for sharingType of the recipient
Service providersWe work with service providers that work on our behalf which may need access to certain personal data to provide their services to us. These companies include those we have hired to operate the technical infrastructure that we need to provide service, assist in protecting and securing our systems and services, and help market our service.
Most of the aforementioned service providers are located in the European Union or European Economic Area, however, some of those service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.
Data processors
Payment processorsWe will share your personal data with our payment processors as necessary to enable them to process your payments.
The aforementioned service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.
Data processors or separate controllers
Advertising partnersWe work with advertising partners to enable us to customize the advertising content you may receive. These partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioural advertising), contextual advertising, and generic advertising. We and our advertising partners process certain personal data to help us understand your interests or preferences so that we can deliver advertisements that are more relevant to you.
The aforementioned service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.
Data Processors
Professional advisors (legal advisors, accounting etc. bound to confidentiality)Our legitimate interests in conducting and supporting our regular business activities.Data Processors
Potential business acquirers and business transferee(s)If necessary and required for successfully transferring our business or for the purposes of mergers and acquisitions, your Personal Data may be disclosed to the specified acquirers and their representatives and/or legal counsels.
This is done based on our legitimate interests to sell and reorganise our business activities.
Separate data controllers
Law enforcement and data protection authoritiesWe disclose your personal data to law enforcement and data protection authorities only if we are under a duty to disclose or share these data in order to comply with legal obligations (for example, if required to do so under applicable law, by a court order or for the purposes of prevention of fraud or other crime).Separate data controllers

In addition to the information provided in the table above, in some cases, we may transfer your personal data outside the European Union or European Economic Area if the recipient is located outside the European Union or European Economic Area. We shall opt to use special personal data protection safeguards, in order to ensure the safety of your personal data. For obtaining further information on the processors and recipients engaged by us or if you wish to get acquainted with or obtain information on the transferring of your personal data outside the European Union or European Economic Area and the safeguards implied thereof by contacting us using the contact information specified in this privacy policy.

4. Ensuring the security of personal data

We have taken necessary technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of applicable law.

5. Retention and deletion of personal data

Your personal data (all data categories mentioned in Section 2) shall be stored insofar as reasonably necessary to attain the objectives stated in Section 3 above, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the viable need to resolve disputes and enforce the contract between us or anonymize your personal data and retain this anonymized information indefinitely.

In case you are Client, as a general rule, we will retain all your data for 30 days after the termination of the Client Agreement in a manner that would allow you to re-activate the Client Account. Otherwise, please see the following non-exhaustive summary on storing your personal data:

  • For accounting purposes, we retain Financial Data, Transaction Data and Personal Identification Information connected to it for a period of seven years from the end of the financial year when the respective business transaction took place;
  • Data connected to the Client Account, which is first and foremost Personal Identification Information, is retained for the whole period when the respective agreement is in force and at least three years from the moment of termination of the respective agreement under our legitimate interests to protect ourselves against potential disputes or enforce claims. In case we have a reasonable doubt that a party has acted in bad faith, has breached any obligations intentionally or has threatened us with a dispute, we may prolong such retention period for a maximum of 10 years.
  • Technical Data will be retained for one year as of the collection of such data;
  • Communication Data, unless clearly connected to the Client Account, will be retained for a period of three years from the moment the respective communication flow has been closed.

In case any of the data stipulated in Section 2 above is needed for purposes of protection against ongoing or threatened disputes, we shall retain the related data as long as the dispute is solved.

After the expiry of the retention period determined above or the termination of the legal basis for processing purposes, we may retain the materials containing the personal data in the backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period, appropriate safeguards are applied and the backed-up materials are put beyond use.

6. Your rights and preferences

Under data protection law, you have rights including

  1. Right to be informed and to access. You may get information regarding your personal data processed by us.
  2. Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
  3. Right to erasure. You have the right to have personal data we process about you erased from our systems if the personal data are no longer necessary for related purposes.
  4. Right to object and restrict. You have the right to object to the processing of your personal data and restrict it in certain cases.
  5. Right to rectification. You have the right to make corrections to your personal data.
  6. Right to withdraw consent. When you have given us consent to process your personal data, you may withdraw said consent at any time.
  7. Right to contact the supervisory authority. If you are not satisfied with our response to your request in relation to Personal Data or you believe we are processing your Personal Data not in accordance with the law, you can submit your claim with the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at (

To exercise any of the abovementioned rights, please contact our customer support team via e-mail indicated in Section 7 below.

7. Other important information

Newsletter, notifications and direct marketing campaigns

With your explicit consent, you may be subject to direct marketing campaigns or we may send you our newsletter. You may opt out of the direct marketing campaigns and newsletters by clicking on the unsubscribe link located at the bottom of each message. We may also provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information. We may also send you service-related notifications which are directly related to your ordered Subscription for purpose of providing you with timely information about important changes in our Services, changes in laws related to content you manage on the Platform or information about outages and service disruptions.

Dispute resolution

If you have questions, please feel free to contact us at Disputes relating to the processing of personal data are settled through our customer support. We may amend or modify this notice from time to time to reflect changes in the way we process personal data. In case of material changes, we will notify you, as required under applicable laws.

Age limitations

We do not knowingly collect any information from individuals under 18 years of age. If we discover a user of being younger than 18 years old, we will require the user to close their account and we will take steps to delete any collected information as soon as possible

The above summary of how we collect, use and share Personal Information describes our practices currently and for the 12 months preceding the effective date of this Notice.

This Privacy Policy was updated on 26.06.2023 and provided on the Website.