Privacy policy

Data controller

Categories of personal data processed

• Account creation and sign-in: email address, name details (e.g. via Google), technical authentication data. Passwords are never stored in readable form.
• Emergency and contact forms: name, email, phone, location/object name, city, and free-form message.
• Technical logs: IP address, browser and device info, request time and URL, error messages, and performance data for secure operations.

Purposes and legal bases for processing

• Providing the service and managing accounts — contract performance (GDPR art. 6(1)(b)).
• Security, troubleshooting, and fraud prevention — legitimate interest (GDPR art. 6(1)(f)).
• Activities based on consent (e.g. optional notifications) — consent (GDPR art. 6(1)(a)), which can be withdrawn at any time.
• Meeting legal obligations (e.g. accounting, authority inquiries) — legal obligation (GDPR art. 6(1)(c)).

Retention periods

We only retain data for as long as necessary to fulfil the purpose:

• Account data: until the account is closed and for a reasonable period afterwards for backups and legal obligations.
• Contact and emergency requests: generally up to 12 months after the case is closed, unless the law requires otherwise.
• Technical logs: short-term retention for security and troubleshooting.

Recipients and processors

We work with trusted service providers (processors) under appropriate agreements:

• Vercel — hosting and infrastructure.
• Supabase — authentication and data storage.
• Directus — content management and data queries.
• Brevo (Sendinblue) — email delivery for contact forms.

We may disclose data to authorities when required by law.

Transfers outside the EEA

We prefer to process data within the European Economic Area. If transfers outside the EEA are unavoidable, we apply appropriate safeguards (e.g. EU Standard Contractual Clauses) and risk assessments.

Your rights

• Access to your data and copies of it.
• Rectification and updates.
• Erasure (right to be forgotten) and restriction of processing.
• Data portability in a machine-readable format.
• Objection to processing based on legitimate interest.
• Withdrawal of consent at any time (if processing is based on consent).

To exercise your rights, email veljo@wifi.ee.

You can lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee, email info@aki.ee) or your local supervisory authority in the EU.

Cookies and similar technologies

We use only essential cookies needed for the service (for example remembering your language or keeping you signed in). We do not run marketing or profiling cookies by default. You can restrict or delete cookies in your browser settings, although essential features may stop working.

Security

We apply technical and organisational safeguards such as role-based access control, encrypted connections, least-privilege principles, monitoring, and incident response procedures. While no internet service can guarantee absolute security, we follow industry best practices and review risks regularly.

Children

The service is not intended for unsupervised use by children under 13. If you believe a child has provided us with personal data, please contact us so we can remove it.

Changes to this policy

We may update this privacy policy from time to time. Material changes will be highlighted on this page, and the latest version is always available at /privacy.