Privacy Policy

Delvaris OÜ (reg. no. 17464650, VAT: EE102967232), Tiskrevälja tn 59, 13516 Tallinn, Estonia ("we," "us," "our") is the data controller responsible for your personal data. We operate the website flexireo.com and the Flexireo application. We have not appointed a Data Protection Officer as our core activities do not require one under GDPR Art. 37. For data protection inquiries, please contact Marek Stark at privacy@flexireo.com.

This privacy policy explains how we collect, use, store, and share your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We are committed to protecting your privacy and being transparent about our data practices.

We do not collect sensitive personal data (special category data). We collect the following personal data:

• Name
• Email address
• Company name
• Message content (via contact form)
• IP address

We collect your data in the following ways:

• Through the contact form on our website (flexireo.com), where you provide your name, email, company, and message.
• Through cookies placed on your device. Non-essential cookies (analytics, marketing, and preference cookies) are only placed after you have given explicit consent through our cookie banner. You can manage or withdraw your cookie preferences at any time through the "Cookie Settings" link in the website footer or via your browser settings.

We process your personal data only when we have a valid legal basis under GDPR Art. 6:

• Responding to your inquiries via the contact form - Art. 6(1)(b) (pre-contractual measures at your request).
• Sending marketing communications - Art. 6(1)(a) (your consent). You may withdraw consent at any time.
• Website analytics - Art. 6(1)(a) (your consent via the cookie banner). We use a first-party analytics system that does not set cookies or create persistent identifiers.
• Necessary cookies for website functionality - Art. 6(1)(f) (our legitimate interest in providing a functioning website).

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, modification, distribution, or destruction. Contact form submissions are stored with hashed IP addresses for privacy. Only authorized personnel have access to your data.

• Respond to your inquiries submitted via the contact form.
• Provide relevant information about our services.
• Improve website functionality and analyze anonymous traffic patterns through our first-party analytics system.
• Send marketing communications (only with your explicit consent).

Website analytics are processed in-house using our own first-party analytics system. Your IP address is used only to derive approximate location (country and city) and is then discarded - it is never stored. Visitor identification uses a daily-rotating anonymous hash that cannot be traced back to you and resets every 24 hours. Analytics data is automatically deleted after 90 days. We do not share analytics data with third parties. A current list of our data processors is available upon request at privacy@flexireo.com.

Some of our service providers (hosting, database, email) are located in the United States. Where applicable, transfers are protected by the EU-US Data Privacy Framework (adequacy decision, July 2023) or Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary measures where necessary. Analytics data is processed by Delvaris OÜ (Estonia) and stored via Supabase Inc. (US) under SCCs. You may request a copy of the safeguards in place by contacting us at privacy@flexireo.com.

We retain your personal data for up to 24 months from the date of collection, or until you request its deletion, whichever comes first. Contact form submissions are retained for the same period to enable us to follow up on inquiries.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access - You may request a copy of the personal data we hold about you (Art. 15).
• Right to rectification - You may request correction of inaccurate or incomplete data (Art. 16).
• Right to erasure - You may request deletion of your personal data (Art. 17).
• Right to restriction of processing - You may request that we restrict how we process your data (Art. 18).
• Right to data portability - You may request your data in a structured, commonly used, and machine-readable format (Art. 20).
• Right to object - You may object to processing based on our legitimate interests (Art. 21).
• Right to withdraw consent - You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)).

To exercise any of these rights, please contact us at privacy@flexireo.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Delvaris OÜ is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee). You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work.

Our website uses cookies. Non-essential cookies are only placed after you have given explicit consent through our cookie banner. You can manage your preferences at any time via the "Cookie Settings" link in the footer. We use the following categories of cookies:

• Necessary cookies - Essential for the website to function. Always active, no consent required.
• Analytics cookies - Help us understand how visitors interact with the website using our first-party analytics system. No third-party cookies are set. A temporary session identifier is stored in your browser’s sessionStorage (cleared when the tab closes). Analytics only activate after you give consent.
• Marketing cookies - Used to show relevant advertisements and measure campaign effectiveness. Placed only with your consent.
• Preference cookies - Remember your settings and preferences for future visits. Placed only with your consent.

We do not engage in automated decision-making or profiling as defined under GDPR Art. 22.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours (Art. 33). Where the breach poses a high risk, we will also notify you without undue delay (Art. 34).

If you have any questions regarding this privacy policy, please contact Marek Stark at privacy@flexireo.com.

We may update this privacy policy from time to time. If we make material changes, we will inform you via email or a prominent notification on our website before the changes take effect.