Legal
Privacy policy
Effective Date: September 20, 2025
Last Updated: September 20, 2025
1. SCOPE AND CONTROLLER IDENTIFICATION
This Privacy Policy describes how Stergios & Dimitris Pappos OÜ ("Company," "we," "us," or "our"), a company incorporated under Estonian law with its registered office at Sepapaja 6, 15551 Tallinn, Estonia, VAT number EE102609752, operating the website https://stergiospappos.me/ (the "Website"), collects, uses, processes, stores, transfers, and protects your personal information in compliance with all applicable data protection laws and regulations.
As the Data Controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act, we are committed to ensuring the highest standards of privacy protection and transparency regarding our data processing activities.
2. DEFINITIONS
For the purposes of this Privacy Policy, the following definitions shall apply:
"Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Data Subject" means the natural person whose personal data are being processed by the Controller or Processor.
"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. DATA PROTECTION PRINCIPLES
We adhere strictly to the fundamental data protection principles established by the GDPR and Estonian legislation:
3.1 Lawfulness, Fairness and Transparency
All personal data processing is conducted lawfully, fairly, and in a transparent manner in relation to data subjects.
3.2 Purpose Limitation
Personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.3 Data Minimisation
Personal data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
3.4 Accuracy
We ensure that personal data is accurate and, where necessary, kept up to date, and we take every reasonable step to ensure that personal data that are inaccurate are erased or rectified without delay.
3.5 Storage Limitation
Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
3.6 Integrity and Confidentiality
Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3.7 Accountability
We are responsible for, and able to demonstrate compliance with, all the above principles.
4. PERSONAL DATA WE COLLECT AND LEGAL BASIS FOR PROCESSING
4.1 Contact Form Data
Data Collected:
· Full name
· Email address
· Telephone number (if provided)
· Subject of inquiry
· Message content
· IP address (automatically collected)
· Timestamp of submission
· Browser information
· Device information
Legal Basis: Article 6(1)(a) GDPR - Consent. Your consent is obtained through the explicit submission of the contact form after being informed about this Privacy Policy.
Purpose: To respond to your inquiries, provide information about our services, establish potential business relationships, and maintain records of communications for customer service purposes.
Retention Period: Contact form data is retained for a maximum of 3 years from the date of submission, unless a business relationship is established, in which case data may be retained for up to 7 years in accordance with business record-keeping requirements and legal obligations.
4.2 Server Log Data
Data Automatically Collected:
· IP address (pseudonymised after 6 months)
· Date and time of access
· Pages visited
· Referring website URL
· Browser type and version
· Operating system
· Device type
· Screen resolution
· Language preferences
· Time zone information
Legal Basis: Article 6(1)(f) GDPR - Legitimate interests. Our legitimate interests include ensuring website security, preventing malicious activities, optimising website performance, and maintaining service availability.
Purpose:
· Website security and fraud prevention
· Technical performance monitoring
· Error detection and resolution
· Capacity planning and infrastructure optimisation
· Compliance with legal obligations
Retention Period: Server log data is retained for a maximum of 6 months, except for IP addresses associated with security incidents, which may be permanently blocked and retained for security purposes.
4.3 Webflow Platform Data
Data Processed by Webflow:
As our website is hosted on Webflow, certain technical data may be processed by Webflow Inc. for the provision of hosting services, including:
· Website performance metrics
· Technical error logs
· Basic visitor statistics (if enabled)
Legal Basis: Article 6(1)(f) GDPR - Legitimate interests for website operation and Article 6(1)(b) GDPR for contract performance with our hosting provider.
Purpose: Website hosting, content delivery, technical support, and service availability.
Note: We have configured our Webflow installation to minimise data collection. No Webflow Analytics, tracking scripts, or third-party integrations beyond essential hosting services are active.
4.4 Google Search Console Data
Data Processed:
Google Search Console processes certain data about how our website appears in Google search results, including:
· Search queries that lead to our website
· Click-through rates
· Website indexing status
· Technical SEO data
Legal Basis: Article 6(1)(f) GDPR - Legitimate interests in website optimisation and search engine visibility.
Purpose: Website optimisation for search engines, technical SEO monitoring, and improving website discoverability.
Note: This data is processed by Google and is not directly accessible to us in a way that identifies individual users.
5. DATA SUBJECTS' RIGHTS
Under the GDPR and Estonian Personal Data Protection Act, you have the following comprehensive rights regarding your personal data:
5.1 Right of Access (Article 15 GDPR)
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data and comprehensive information about the processing.
5.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
5.3 Right to Erasure ('Right to be Forgotten') (Article 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where specific grounds apply, including when the personal data are no longer necessary for the purposes for which they were collected.
5.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain from us restriction of processing where specific conditions are met, including when you contest the accuracy of personal data or object to processing.
5.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
5.6 Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you which is based on legitimate interests.
5.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5.8 Right Not to be Subject to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.
5.9 Right to Lodge a Complaint
You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the supervisory authority of your habitual residence if you believe our processing of your personal data violates applicable data protection law.
Exercising Your Rights:
To exercise any of these rights, please contact us using the details provided in Section 12. We will respond to your request within one (1) month of receipt. In complex cases, this period may be extended by two (2) additional months, in which case we will inform you of the extension and reasons within one month of receiving your request.
6. DATA RETENTION PERIODS
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and processed, in accordance with our legitimate business needs and legal obligations:
6.1 Contact Form Data
· Active Inquiries: Retained while inquiry is being processed and for 1 year thereafter
· General Contact Data: Retained for 3 years from last contact
· Business Relationship Data: Retained for 7 years in accordance with business record-keeping requirements
6.2 Server Log Data
· General Logs: Retained for 6 months
· Security Incident Logs: Retained indefinitely for security purposes
· IP Addresses: Pseudonymised after 6 months, deleted after 2 years unless security incident
6.3 Legal Compliance Data
Where we are required by law to retain certain data, we will retain such data for the period required by applicable legislation, including but not limited to:
· Commercial records: 7 years
· Tax-related information: 7 years
· Security incident logs: As required for legal proceedings
7. DATA SECURITY MEASURES
We implement comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
7.1 Technical Measures
· Encryption: All data transmissions are encrypted using TLS 1.3 or higher
· Access Controls: Strict access controls limit data access to authorised personnel only
· Secure Hosting: Website hosted on enterprise-grade infrastructure with security monitoring
· Regular Updates: All systems and software are regularly updated with security patches
· Backup Systems: Secure, encrypted backup systems with geographic redundancy
· Intrusion Detection: Advanced monitoring systems detect and respond to security threats
7.2 Organisational Measures
· Staff Training: Regular training for all staff on data protection requirements
· Access Limitation: Access to personal data limited to personnel who need it for their duties
· Confidentiality Agreements: All staff and contractors sign comprehensive confidentiality agreements
· Incident Response: Documented procedures for responding to data security incidents
· Regular Audits: Periodic security audits and assessments
· Privacy by Design: Data protection considerations integrated into all business processes
7.3 Data Breach Response
In the unlikely event of a personal data breach, we will:
· Notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach
· Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
· Take immediate steps to contain and remediate the breach
· Conduct a thorough investigation and implement additional protective measures as necessary
8. INTERNATIONAL DATA TRANSFERS
8.1 General Principle
We do not routinely transfer personal data outside the European Economic Area (EEA). When transfers do occur, we ensure appropriate safeguards are in place.
8.2 Webflow Hosting
Our website is hosted by Webflow Inc., which may process data in the United States. Webflow participates in relevant data protection frameworks and implements appropriate technical and organisational measures to ensure data protection.
8.3 Safeguards for International Transfers
Any international transfers of personal data are conducted only:
· To countries with an adequacy decision from the European Commission, or
· With appropriate safeguards in place, including Standard Contractual Clauses approved by the European Commission, or
· Where one of the specific derogations in Article 49 GDPR applies
8.4 Contact for Transfer Inquiries
If you have questions about international transfers of your personal data, please contact us using the details in Section 12.
9. THIRD PARTY SERVICES AND DATA PROCESSORS
9.1 Webflow Inc.
· Purpose: Website hosting and content delivery
· Data Processed: Technical website data, server logs
· Location: United States
· Safeguards: EU-US Data Privacy Framework, Standard Contractual Clauses
9.2 Google (Search Console)
· Purpose: Search engine optimisation and website performance monitoring
· Data Processed: Search query data, website performance metrics
· Location: Global (with data centres in EU)
· Safeguards: Google's data protection measures and EU data centres
9.3 Due Diligence
We conduct thorough due diligence on all third-party processors and service providers to ensure they:
· Provide sufficient guarantees regarding technical and organisational security measures
· Comply with GDPR and applicable data protection laws
· Process personal data only on documented instructions
· Assist us in ensuring compliance with data subject rights
· Maintain appropriate records of processing activities
10. CHILDREN'S PRIVACY
10.1 Age Restrictions
Our Website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent.
10.2 Parental Rights
If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us immediately. We will take steps to verify the information and, if necessary, delete the child's personal data from our systems.
10.3 Educational Use
If our services are used in an educational context involving children, we ensure compliance with additional protections under applicable laws.
11. COOKIES AND TRACKING TECHNOLOGIES
11.1 Our Approach to Cookies
We have specifically configured our Website to minimise the use of cookies and tracking technologies. We do not use:
· Analytics cookies (Google Analytics is not implemented)
· Marketing cookies (no Meta Pixel, advertising trackers)
· Social media tracking pixels
· Third-party advertising cookies
11.2 Essential Cookies Only
We only use strictly necessary cookies that are essential for the Website to function properly, including:
· Session cookies: To maintain Website functionality during your visit
· Security cookies: To protect against malicious activities
· Preference cookies: To remember basic language and accessibility settings
11.3 Webflow Cookies
Webflow may set minimal essential cookies for:
· Content delivery and caching
· Basic security functions
· Technical website operation
11.4 Cookie Management
You can control cookies through your browser settings. However, disabling certain essential cookies may affect Website functionality.
11.5 No Consent Required
As we only use strictly necessary cookies essential for Website operation, no separate cookie consent is required under GDPR and ePrivacy regulations.
12. CONTACT INFORMATION AND DATA PROTECTION OFFICER
12.1 Data Controller Contact
Stergios & Dimitris Pappos OÜ
Sepapaja 6, 15551 Tallinn, Estonia
VAT: EE102609752
Email: contact@stergiospappos.me
Phone: +306946063828
12.2 Data Protection Inquiries
For all data protection inquiries, requests to exercise your rights, or privacy concerns, please contact us at:
Email: contact@stergiospappos.me
Subject: "Data Protection Inquiry"
12.3 Response Times
We aim to respond to all data protection inquiries within:
· Simple requests: 5 business days
· Complex requests: 30 days (may be extended to 60 days for very complex requests)
· Urgent security matters: Within 24 hours
12.4 Supervisory Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee/
Email: info@aki.ee
Phone: +372 627 4135
13. PRIVACY POLICY UPDATES
13.1 Policy Review
We regularly review and update this Privacy Policy to ensure continued compliance with applicable laws and to reflect changes in our data processing activities.
13.2 Notification of Changes
We will notify you of any material changes to this Privacy Policy by:
· Posting the updated policy on our Website with a new "Last Updated" date
· Sending email notification to users who have provided contact information (for significant changes)
· Providing prominent notice on our Website homepage for major changes
13.3 Continued Use
Your continued use of our Website after any changes to this Privacy Policy constitutes acceptance of the updated policy.
13.4 Version Control
We maintain records of all previous versions of this Privacy Policy for transparency and compliance purposes.
14. LEGAL COMPLIANCE AND ADDITIONAL PROVISIONS
14.1 Applicable Law
This Privacy Policy and all data processing activities are governed by:
· General Data Protection Regulation (EU) 2016/679 (GDPR)
· Estonian Personal Data Protection Act
· Estonian Electronic Communications Act
· Other applicable Estonian and EU legislation
14.2 Legal Disclosure
We may disclose your personal data when required by law, court order, or other legal process, or when we believe in good faith that disclosure is necessary to:
· Comply with legal obligations
· Protect and defend our rights and property
· Protect the safety of our users or the public
· Prevent or investigate possible wrongdoing
14.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will provide notice and ensure continued protection of your personal data in accordance with this Privacy Policy.
14.4 Dispute Resolution
Any disputes arising from this Privacy Policy shall be resolved according to Estonian law, with jurisdiction in Estonian courts, unless mandatory consumer protection laws provide otherwise.
15. ADDITIONAL RIGHTS FOR EU RESIDENTS
15.1 Enhanced Rights
As an EU resident, you benefit from enhanced data protection rights under GDPR, including all rights specified in Section 5 of this policy.
15.2 Representative in the EU
As we are established in Estonia (EU), we do not require a separate EU representative.
15.3 Cross-Border Data Protection
You may exercise your rights with any EU supervisory authority, particularly in your country of habitual residence, place of work, or where an alleged infringement occurred.
16. FINAL PROVISIONS
16.1 Severability
If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions will continue to be valid and enforceable.
16.2 Entire Agreement
This Privacy Policy, together with our Terms and Conditions, constitutes the entire agreement between you and us regarding the processing of your personal data.
16.3 Language
This Privacy Policy is prepared in English. In case of any discrepancy between translations, the English version shall prevail.
16.4 Effectiveness
This Privacy Policy is effective as of the date stated at the top of this document and remains in effect until superseded by a new version.
Last Updated: September 20, 2025
Version: 1.0
Company: Stergios & Dimitris Pappos OÜ
Website: https://stergiospappos.me/