Privacy Policy

1. Purpose and Scope 

This Privacy Policy outlines how Allcontrols OÜ (hereinafter referred to “Allcontrols” or “We”) collects, uses, protects, and manages your personal data in the context of providing consultative and managed Information Security services, including risk assessments, security audits, compliance advisory, and incident response, and maintaining our corporate website.

This policy applies to all individuals whose personal data we process, including clients, prospective clients, business partners, suppliers, and website visitors. By engaging with our services or accessing our website, you agree to the terms outlined in this Privacy Policy.

This Privacy Policy is supported by internal governance documents, including our Information Security Policy and Information Classification and Handling Policy, which guide the principles and controls for managing sensitive data and maintaining confidentiality, integrity, and availability of information assets.

2. Main Definitions

Personal Data: Any information relating to an identified or identifiable natural person (Data Subject), such as names, identification numbers, location data, online identifiers, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Processing of Personal Data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Subject: The identified or identifiable natural person to whom the personal data relates.

Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.

Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Third Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3. Legal Basis for Processing 

3.1. We process your personal data only when we have lawful bases in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Specifically, we process your personal data if:

• Processing is based on your consent. This applies to activities such as newsletters, surveys, participation in webinars or events, submission of feedback, and the use of non-essential cookies.
• Processing is necessary for the performance of a contract. This includes delivering our Information Security services and entering into or managing service agreements with clients.
• Processing is necessary for our legitimate interests. This includes improving our services, network security, internal audits, and lawful business development.
• Processing is necessary for compliance with a legal obligation. For example, tax reporting, responding to lawful requests from regulatory bodies, or fulfilling statutory data retention obligations.
• Processing is required to protect vital interests or is carried out in the public interest — in rare or emergency cases.

3.2. When acting as a data processor, we process personal data only:

• On documented instructions from the data controller (our clients);
• Under the terms of a Data Processing Agreement (DPA);
• In accordance with applicable data protection laws.

In such cases, the data controller is responsible for determining and communicating the legal basis for processing.

3.3. In all cases, we will notify you about the applicable legal basis for processing and provide relevant information prior to commencing the processing, unless we are legally restricted from doing so.

4. Data We Collect: Scope 

4.1. Personal Information:

• Name, email address, and contact details.
• Business affiliation and job title.
• Billing and payment information.
• Communications and correspondence with us.

4.2. Usage Data:

• Device type, operating system, and browser version.
• IP address and geographic location.
• Website interaction data (pages visited, time spent).

4.3. Additional Data:

• Information submitted through contact forms, surveys, or business proposals.
• Data related to participation in webinars or events.

4.4. When we collect personal data via our website forms (e.g., contact forms, newsletter sign-ups, job applications), providing this information is generally voluntary. However, certain fields may be required to fulfill your request (e.g., an email address to respond to a contact inquiry). Required fields are clearly marked at the point of collection. If you do not provide the required data, we may be unable to process your request.

4.5. We do not use personal data to make decisions that produce legal or similarly significant effects based solely on automated processing, including profiling.

5. Data Collected as a Data Processor

5.1. In many cases, we act as a data processor, meaning we process personal data on behalf of and under the instructions of our clients, who are the data controllers. When acting in this capacity:

• We do not determine the purposes or legal basis for processing personal data. These are defined by the data controller.
• We only collect and process personal data as instructed in a written Data Processing Agreement (DPA) with the controller.
• The types of data processed may include identification data, contact details, employee or contractor information, technical logs, and other business-relevant personal data as defined by the controller.
• We do not use or share this data for our own purposes.
• We apply appropriate technical and organizational measures to protect the data, in accordance with our Information Security Policy and Information Classification Policy and Handling Policy.
• Any data subject rights requests (e.g., access, rectification, deletion) must be directed to the data controller. We assist the controller in responding to such requests, where applicable.

5.2. When we process personal data on behalf of our clients (as a data processor), we do so under their instructions. If you wish to exercise your rights in relation to data we process for a client, please contact that client directly. If we receive such a request, we will forward it to the relevant client without responding directly, unless we are legally permitted or required to do so.

6. Data Collected as a Data Controller

6.1. While we primarily act as a data processor, there are instances where we act as an independent data controller. This occurs when we determine the purposes and means of processing personal data, including the following scenarios:

• Website analytics and cookies: we collect usage data (e.g., IP addresses, browser type, visit duration) to improve the performance, security, and user experience of our website. You can manage your cookie preferences at any time via our cookie banner or settings panel;
• Leads and CRM management: we collect and process contact details (e.g., name, surname, email address, company name) of prospective and existing clients for business development and relationship management;
• Recruitment and HR-related data: we collect candidate and employee personal data (e.g., CVs, contact details, employment history) for recruitment and human resources purposes;
• Internal analytics: to analyze and improve the performance and security of our services and internal systems, we may collect usage metrics in an anonymized or pseudonymized format.
• ​​Indirectly collected data: in some cases, we may collect personal data from third-party sources such as job boards, professional networking platforms, referrals from clients or partners, or publicly available online resources. Where required, we will inform individuals of the source of their data and their associated rights.

6.2. In these contexts, we act as the data controller and determine the legal basis for processing, which may include:

• Your consent (e.g., for cookies or marketing communications);
• Our legitimate interests (e.g., business development, analytics, recruitment);
• The performance of a contract (e.g., employment agreements);
• Compliance with legal obligations (e.g., labor laws).

6.3. We uphold the same high standards of data protection in our controller capacity and ensure transparency, minimization, and accountability. We will only retain personal data as long as necessary for the stated purposes, as described in Section 10 of this policy.

6.4. In relation to the personal data we process as a data controller, you have the right to request access, rectification, or erasure of your data; to restrict or object to its processing; and, where applicable, the right to data portability and to withdraw your consent. You may also lodge a complaint with a supervisory authority if you believe your rights have been violated.

7. Sharing Your Information 

We do not sell your personal information. We may share your data with:

• Service Providers: For web hosting, analytics, business operations, and support.
• Legal Authorities: When required to comply with legal obligations or to enforce our rights.
• Business Transfers: In case of a merger, acquisition, or asset sale. All third parties are contractually obligated to protect your data.

8. International Data Transfers

Your data may be transferred and stored outside the European Economic Area (EEA). When we do so, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transfers to countries with adequacy decisions.

9. Data Security 

9.1. We implement technical and organizational security measures, such as:

• Organizational

• Technical

9.2. Our data protection and security measures are aligned with our Information Security Policy, which outlines technical and organizational controls based on ISO/IEC 27001:2022 standards. In addition, our Information Classification Policy and Handling Policy governs how data is categorized, accessed, stored, and disposed of in accordance with its sensitivity level.

9.3. Employees and contractors receive training aligned with these policies to ensure secure handling of client and internal data at all times.

9.4. No system is completely secure; however, we take all reasonable steps to protect your data.

10. Data Retention

10.1. As a data processor, we retain personal data only for as long as instructed by the data controller (our client). We do not determine how long personal data is kept, and we do not use it for our own purposes.

10.2. We follow our clients’ instructions regarding:

• How long data should be stored;
• Whether data should be returned or deleted at the end of the service;
• Any legal or regulatory retention requirements they specify.

10.3. In cases where we collect and use personal data for our own purposes, such as managing client relationships, handling recruitment, or operating our website, we determine how long to retain that data based on several factors, including:

• The original purpose for collecting the data (e.g., we retain contact details while you have an active relationship with us);
• The nature, volume, and sensitivity of the data;
• The risk of harm from unauthorized access or misuse;
• Whether we can meet our goals with less data or anonymized data;
• Legal, regulatory, or contractual obligations, such as applicable statutes of limitation.

10.4. When the agreed retention period ends, or upon termination of the contract, we securely delete or return the personal data in accordance with our agreement with the client – unless we are legally required to retain it. If immediate deletion is not technically possible, we will restrict access and apply appropriate safeguards to prevent any further use of the data.

Children’s Privacy

Our services are intended for use by businesses and are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently received personal data about a child, we will delete it as soon as possible. If you believe we may have collected such data, please contact us at [email protected].

11. Changes to This Policy

11.1. We may update this Privacy Policy from time to time. If we make changes that significantly affect how we process personal data, especially where we act as a data controller, we will post the updated policy with a revised “effective date” and, where required, notify our clients or obtain consent.

11.2. As a data processor, any changes to how we process client-controlled data will continue to be governed by our service agreements and client instructions. We encourage our clients to inform their users of any changes that may affect them.

12. Reference Policies 

12.1. To ensure transparency and trust in our information handling practices,we maintain comprehensive internal policies, including:

• Information Security Policy – defines our approach to protecting information systems and data in accordance with ISO/IEC 27001.
• Information Classification and Handling Policy – establishes rules for classifying and handling information based on sensitivity and risk.

12.2. These policies are available to clients and partners upon request under a confidentiality agreement where appropriate.

13. Contact Information

If you have any questions or concerns, contact us at: [email protected].