GDPR Compliance Statement

Last updated: October 2025

At Kontorva OÜ, we take data protection and privacy seriously.

This statement explains how we ensure that our Ärikaart platform and all related operations comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Estonian Personal Data Protection Act.


1. Our Role Under GDPR

  • Data Controller: Kontorva OÜ acts as the Data Controller for personal data of Ärikaart users (e.g., account details, billing data, communications).
  • Data Processor: When users upload or process data through the platform (e.g., importing contact lists, sending outreach campaigns), Kontorva acts as a Data Processor on behalf of those users.

We ensure GDPR compliance in both roles through strict contractual, technical, and organizational safeguards.


2. Lawful Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR. These include:

Purpose of Processing                                                  | Lawful Basis (GDPR Art. 6)
-----------------------------------------------------------------------|------------------------------------------
Providing platform access, account setup, and user support             | Contractual necessity
Processing payments and subscriptions                                  | Contractual necessity
Managing B2B business data for legitimate networking and transparency  | Legitimate interest
Sending service or marketing updates                                   | Consent (opt-in)
Security monitoring and fraud prevention                               | Legitimate interest / Legal obligation

3. Data We Process

We collect and process the following categories of personal data:

  • User Data: name, company name, business email, phone number, billing details, and login credentials.
  • Usage Data: logs, IP addresses, browser types, and feature usage metrics.
  • B2B Public Data: company registration information, financial data, and publicly available contact details from verified Estonian sources.
  • Support Data: messages or communications sent to our team.

No sensitive personal data (as defined under Article 9 GDPR) is processed.


4. Data Sources

Ärikaart obtains business-related data from:

  • Official Estonian public registries (e.g., Äriregister).
  • Open government databases and legitimate data suppliers.
  • Licensed APIs for company and contact validation.
  • User-provided information (e.g., uploaded contact lists).

All data is processed under legitimate interest for B2B use and never for unsolicited personal marketing.


5. Data Storage and Security

We host our platform and databases on DigitalOcean EU data centers with:

  • Full TLS/SSL encryption in transit.
  • AES-256 encryption at rest.
  • Controlled access via secure credentials and 2FA.
  • Regular backups and vulnerability scans.

We also maintain:

  • A formal Information Security Management System (ISMS) aligned with ISO 27001 principles.
  • Data protection impact assessments (DPIAs) for relevant features.

6. International Data Transfers

All primary data is stored within the European Economic Area (EEA).
Where third-party subprocessors (e.g., email or analytics providers) are based outside the EEA, transfers occur only under:

  • EU Standard Contractual Clauses (SCCs), or
  • Adequacy Decisions issued by the European Commission.

7. Data Retention

  • User account data: retained for the lifetime of the account plus up to 6 months after termination for billing and compliance purposes.
  • Logs and analytics: retained for up to 24 months.
  • Public company data: retained as long as it remains available from its original source or relevant to the platform’s purpose.

Data no longer required is securely deleted or anonymized.


8. Your Rights Under GDPR

All data subjects whose information we process have the following rights:

  1. Right of Access – request a copy of personal data we hold.
  2. Right to Rectification – correct inaccurate or incomplete data.
  3. Right to Erasure (“Right to be Forgotten”) – request deletion of data under certain conditions.
  4. Right to Restrict Processing – limit how data is used.
  5. Right to Data Portability – obtain data in a machine-readable format.
  6. Right to Object – to processing based on legitimate interests or direct marketing.
  7. Right to Withdraw Consent – at any time, where processing relies on consent.

To exercise these rights, email us at privacy@kontorva.com.
We will respond within 30 days, as required by GDPR.


9. Subprocessors

We work only with trusted, GDPR-compliant subprocessors for hosting, analytics, and communications, including (but not limited to):

  • DigitalOcean (EU) – hosting and infrastructure
  • Google (Analytics) – website analytics
  • Stripe or Paddle – payment processing
  • MailerLite / SendGrid – email communication

All subprocessors are under written agreements ensuring GDPR-level data protection and security.


10. Data Breach Procedure

In the unlikely event of a personal data breach, Kontorva will:

  1. Identify and contain the breach.
  2. Notify the Estonian Data Protection Inspectorate within 72 hours (where required).
  3. Inform affected users promptly if the breach poses a high risk to their rights and freedoms.
  4. Maintain detailed breach logs and corrective action reports.

11. Data Protection Officer (DPO)

Kontorva has appointed a Data Protection Officer responsible for compliance oversight and user requests.

Contact:
Kontorva OÜ
Mäealuse tn 2/4, 12618 Tallinn, Estonia
Email: support [at] kontorva [dot] com


12. Updates to This Statement

We may update this GDPR Compliance Statement to reflect legal, technical, or organizational changes.
Revisions will be posted on this page with an updated “Last updated” date.
Material changes will be communicated to users by email or in-platform notice.

A product of Kontorva. Copyright © 2025. All rights reserved.
