Privacy policy.

The data controller is Virtual Franciscans OÜ, registry code 16190480, EU VAT EE102428687, registered at Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia. For any matter relating to this policy, contact [email protected].

We collect only the limited categories of information described below, and we use it only for the purposes set out in section 03.

• Submissions. Information you provide through the booking or contact forms — typically your name, email address, company, the engagement scope you select, a preferred time, and any free-text note you choose to write.
• Technical data. Standard request metadata generated by your browser and our hosting provider, including IP address, user-agent string, referrer, requested URL, and timestamp. Used for security, diagnostics, and aggregate reporting only.
• Analytics. When privacy-respecting analytics are enabled, we process aggregate, non-identifying counts of page views and referrers via Plausible Analytics, which does not use cookies and does not collect personal data. We do not operate cross-site tracking, fingerprinting, advertising pixels, or session-replay.
• Cookies. The Services do not set tracking cookies. The site may set strictly necessary cookies required for security or basic operation; these do not require consent under applicable law.

We process personal data on the following legal bases under Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):

• Performance of, or steps prior to, a contract (Art. 6(1)(b)) — responding to enquiries, scheduling introductory calls, evaluating engagements, and providing services to clients.
• Legitimate interests (Art. 6(1)(f)) — operating, securing, and improving the Services; preventing fraud and abuse; and maintaining records of business communications. We have considered the impact on individuals and have concluded that these interests are not overridden by individual rights.
• Compliance with legal obligations (Art. 6(1)(c)) — fulfilling bookkeeping, tax, regulatory, and statutory record-keeping obligations applicable to the Republic of Estonia and the European Union.

We share personal data only with the categories of recipients reasonably required to operate the Services, and only under written processor terms where applicable. Current processors include hosting and email-delivery providers (Vercel Inc.; Resend, Inc.) and, where enabled, an analytics provider (Plausible Insights OÜ). We do not sell personal data and we do not share personal data with third parties for advertising, profiling, or marketing purposes.

Some of our processors are established outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism recognised under Chapter V of the GDPR. Copies of the relevant safeguards are available on written request.

We retain personal data only for as long as is reasonably necessary for the purposes for which it was collected, or for as long as is required by applicable law. Specific retention periods are determined on a case-by-case basis having regard to the nature of the data, the relationship with the individual, and applicable statutes of limitation. Aggregated and anonymised information may be retained indefinitely.

Subject to the conditions and exceptions set out in the GDPR and in Estonian data protection legislation, you may have the right to:

• request access to the personal data we hold about you;
• request the rectification of inaccurate or incomplete data;
• request the erasure of personal data where the processing is no longer necessary or where you have withdrawn consent and no other legal basis applies;
• request the restriction of processing in defined circumstances;
• receive your data in a structured, commonly used machine-readable format (portability), where the processing is based on consent or contract and is carried out by automated means;
• object to processing carried out under our legitimate interests, where you have grounds relating to your particular situation;
• withdraw any consent you have given, without affecting prior processing.

To exercise any of these rights, write to [email protected]. We may verify your identity before responding and may decline or charge a reasonable fee for requests that are manifestly unfounded or excessive, in particular because of their repetitive character. We aim to respond within one month of a verified request, extendable by a further two months where necessary in light of complexity or volume.

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), aki.ee. We would, however, appreciate the opportunity to address your concerns directly before you contact the authority.

We apply technical and organisational measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No method of transmission over the internet or method of electronic storage is, however, completely secure, and we cannot guarantee absolute security.

The Services are directed to a professional audience and are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please write to [email protected].

We may update this Privacy Policy from time to time. The updated version will be indicated by the effective date at the top of this page and will be effective on publication. Material changes will be notified by reasonable means, which may include an in-product notice. Your continued use of the Services after any change constitutes your acceptance of the revised policy.

This Privacy Policy and any non-contractual obligations arising out of or in connection with it are governed by the laws of the Republic of Estonia, without regard to its conflict-of-laws principles, save for any mandatory data protection rights you may have under the law of the country in which you reside.