Privacy Policy

SaaS Service Xperfo
Legally reinforced version – GDPR & Estonian law

1. Purpose of the Policy

This policy describes the legal framework for the collection, processing, storage, and protection of personal data of users of the Xperfo service. It applies to all use of the website, user account, and associated features.

2. Data Controller

The data controller is the publisher of the Xperfo service, a company established in Estonia. Full legal information (company name, address, registration number, contact details) is provided in the Legal Notice section of the website.

3. Data Collected

Only the data strictly necessary for the operation of the service is collected:
– email address;
– encrypted password;
– preferred language;
– payment data transmitted to the third-party payment provider;
– minimal technical data (timestamps, subscription status, non-identifiable internal logs).

No sensitive data within the meaning of the GDPR is collected. No unnecessary data is stored.

4. Purposes of Processing

Data is used to:
– create and manage the user account;
– provide access to the service;
– manage subscriptions and payments;
– ensure the security, stability, and improvement of the service;
– respond to support requests;
– comply with legal obligations applicable in Estonia and the European Union.

Data is never used for advertising or commercial profiling.

5. Legal Basis

Processing is based on:
– performance of the contract when creating the account or subscription;
– compliance with legal obligations;
– the legitimate interest related to the security and proper functioning of the service.

6. Data Disclosure

Data may only be disclosed to:
– a certified payment provider;
– the hosting provider;
– a competent authority where required by law.

No data is sold, rented, transferred, or shared with third parties for commercial purposes. Service providers receive only the data strictly necessary for their tasks.

7. Data Location

Data is stored in Estonia or within the European Union. Any transfer outside the European Union is carried out in accordance with the mechanisms provided for by the GDPR.

8. Data Retention

Data is retained as long as the user account remains active. If the account is deleted, data is erased or anonymised, unless a longer retention period is required by law (billing, accounting, fraud prevention).

9. User Rights

Under the GDPR, users have the following rights:
– access;
– rectification;
– erasure;
– restriction;
– objection;
– data portability;
– lodging a complaint with a supervisory authority.

Requests may be submitted using the contact methods provided on the website. The publisher may request additional information to verify the identity of the requester.

10. Data Security

The publisher implements technical and organisational measures to prevent unauthorised access, loss, alteration, or disclosure of data. Passwords are always encrypted. Data is accessible only to authorised personnel within the scope of their duties. No credit card data is stored by the publisher.

11. Payment Provider and Third-Party Accounts

The payment provider handles billing data directly. The publisher never has access to card numbers or full banking details. Data transmitted to the payment provider is limited to the strict minimum required.

12. Liability Limitations Related to Data

The publisher is not responsible for consequences arising from:
– incorrect use of the service by the user;
– inaccurate information provided by the user;
– failures attributable to third-party providers (payment, hosting);
– force majeure events or circumstances reasonably beyond its control.

These limitations apply within the limits permitted by Estonian law.

13. Policy Changes

This policy may be updated to reflect legal or technical developments. Important changes will be notified before they take effect when required by law.

14. Applicable Law

This policy is governed exclusively by Estonian law. Any dispute falls under the exclusive jurisdiction of Estonian courts, without prejudice to mandatory consumer rights under EU law.

15. Contact

Any question regarding the protection of personal data may be submitted using the contact methods provided on the website.