Privacy Policy and Cookie Policy
Last Updated: [Insert Date]
1. Introduction
Thank you for visiting b2bspace.ee and using our services! At OÜ b2bspace ("we", "us", "our"), we respect your privacy and are committed to protecting your personal data.
This document ("Policy") explains what information we collect, how we use and process it, what cookies we use, and your rights regarding your personal data and cookies when you use our website b2bspace.ee ("Site") and our analysis tools ("Service"). Please note that the Service is currently provided in beta status, as further detailed in our Terms of Use.
This Policy applies to all visitors and users of the Site and Service.
2. Data Controller
The controller of your personal data is:
OÜ b2bspace
Registry code: 16957970
Legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138
Email for data protection inquiries: info@b2bspace.ee
3. Personal Data We Collect
We collect personal data in the following ways:
- Data you provide directly:
  - Upon Registration for the Service: Your email address, a hashed version of your password, and the timestamp of your agreement to the Terms of Use and this Policy (recorded upon successful verification).
  - Via Contact Form: Your email address, your message or inquiry, and optionally your name and selected topics. We also record the submission timestamp and confirmation of acknowledgment of this Policy.
- Data about your use of the Service:
  - For registered users, we track the number of analyses performed (`analysis_count`) on the server-side to manage the established usage limit (`analysis_limit`, e.g., 3 free analyses).
- Data collected automatically:
  - Server Log Data: When you visit our Site, our servers automatically log technical information necessary for security and proper functioning, such as your IP address, browser type and version, operating system, device type, request time, requested URL, and server response status.
  - Data via Cookies (with consent): Subject to your consent given via our cookie banner, we may also collect data about your interaction with the Site using analytics and advertising cookies (see Section 9 "Cookie Policy" for details).
4. Purposes and Legal Bases for Processing Data
We process your personal data only for specific, explicit, and legitimate purposes, and only when there is a legal basis under the General Data Protection Regulation (GDPR):
- Providing Access to and Operating the Analysis Service:
  Purposes: Creating and managing your user account; verifying your email address via code; providing access to the analysis tools and dashboard; delivering analysis results; monitoring and enforcing usage limits; sending essential service-related communications; ensuring compliance with our Terms of Use.
  Legal Basis: Necessity for the performance of a contract with you (providing the analysis Service under the agreed Terms) - Article 6(1)(b) GDPR.
- Processing Inquiries via Contact Form:
  Purposes: Receiving, reviewing, and responding to your questions, comments, or requests.
  Legal Basis: Our legitimate interest (Art. 6(1)(f) GDPR) to process user-initiated inquiries, and/or steps taken at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR).
- Ensuring Security and Proper Functioning of the Site:
  Purposes: Maintaining the stability and security of the Site and Service; diagnosing technical issues; preventing fraud and attacks.
  Data: Processing technical data (IP address, request data, User-Agent, etc.).
  Legal Basis: Our legitimate interest (Art. 6(1)(f) GDPR) and potentially compliance with a legal obligation (Art. 6(1)(c) GDPR). This processing occurs independently of cookie consent.
- Site Analysis and Improvement (via Cookies):
  Purposes: Collecting usage statistics to improve Site performance, functionality, and user experience.
  Legal Basis: Your consent (Art. 6(1)(a) GDPR) to the use of analytics cookies, given via the cookie banner.
- Marketing and Advertising (via Cookies):
  Purposes: Measuring advertising effectiveness, showing more relevant ads (remarketing).
  Legal Basis: Your consent (Art. 6(1)(a) GDPR) to the use of advertising cookies, given via the cookie banner.
- Marketing Communications (Email, etc.):
  We **do not use** your email address collected during registration for the Service or via the contact form to send you mass marketing emails without your separate, explicit consent.
  In the future, we **may offer** you the opportunity to separately subscribe to receive news, offers, or other marketing information. Such subscription will require your **separate, voluntary, and explicit opt-in consent**. If you provide such consent, you will always have the right to easily **withdraw it at any time** by using the 'unsubscribe' link in every such email or by sending a request to info@b2bspace.ee. (*Future Legal Basis: Consent, Art. 6(1)(a) GDPR*).
5. Automated Decision-Making and Profiling
We do not use automated decision-making, including profiling, that would produce legal effects concerning you or similarly significantly affect you.
6. Data Retention
We retain your data for no longer than necessary for the purposes of processing or as required by law.
- Account Data: Retained for the duration of your active account. Certain data (e.g., records of agreement to Terms/Policy) may be kept longer if legally required.
- Contact Form Data: For the time necessary to fully resolve your inquiry, and for **6 (six) months** thereafter for record-keeping, unless otherwise required by law.
- Cookie Data: According to the lifespan of each specific cookie (see Section 9).
- Server Log Data: Typically retained for short periods (e.g., weeks or months) for security and diagnostics.
7. Data Sharing with Third Parties
We may share your data with:
- Service Providers (Data Processors): Hosting provider (Railway), email service (Zoho Mail), other technical partners acting on our instructions.
- Analytics and Advertising Platforms (with your cookie consent): Google (Analytics, Ads), Meta (Facebook/Instagram), LinkedIn.
- Public Authorities: Upon a valid legal request.
8. International Data Transfers
Some of our service providers (e.g., Railway, Zoho Mail, Google, Meta, LinkedIn) may be located or process data outside the European Economic Area (EEA). In such cases, we ensure an adequate level of data protection through **Standard Contractual Clauses (SCCs)** approved by the European Commission or other appropriate transfer mechanisms under the GDPR.
9. Cookie Policy
What are Cookies?
Cookies are small text files stored on your device when you visit a website. They help the site function, remember your preferences, analyze usage, and assist in marketing efforts.
Your Consent (Cookie Banner)
On your first visit, we ask for your consent for non-essential cookies via a banner with **"Accept All"** and **"Reject All"** options. Ignoring the banner is treated as "Reject All". Your choice is stored in your browser's `localStorage`.
Changing Consent
You can change your cookie preferences at any time by clicking the **"Cookie Settings"** link in the footer of our Site. Clicking this link will reset your previous choice and allow you to select "Accept All" or "Reject All" again on the banner.
Types of Cookies We Use
- Strictly Necessary Cookies: These cookies do not require your consent as they are essential for the basic operation of the Site and Service, security, and managing your logged-in session (e.g., session cookies like `connect.sid` or similar). Our server-side control of usage limits for registered users relies on the logged-in state maintained by these cookies, not separate non-
- Non-Essential Cookies (Require "Accept All" consent):
  - Analytics Cookies: Help us understand Site usage to improve it (Google Analytics 4).
  - Advertising/Marketing Cookies: Measure ad effectiveness, enable remarketing, and track conversions (Google Ads, Meta Pixel, LinkedIn Insight Tag).
Specific Cookies (Examples)
Below are examples of cookies that may be used on our Site:
- `connect.sid` (or similar): Strictly necessary session cookie.
- Google Analytics: `_ga`, `_gid`, `_ga_CONTAINER-ID` (Used if you consent).
- Google Ads: `IDE`, `test_cookie` (via doubleclick.net domain) (Used if you consent).
- LinkedIn: `li_sugr`, `lidc`, `bcookie`, `lissc` (Used if you consent).
- Meta (Facebook): `_fbp`, `fr` (Used if you consent).
Note: Specific cookie names, providers, and lifespans may change. For the most current details, please refer to the privacy policies of the respective third-party services (Google, Meta, LinkedIn).
Browser Controls
You can also manage and delete cookies through your web browser's settings. However, disabling strictly necessary cookies may affect Site functionality.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Password Hashing: Using the strong bcrypt algorithm for storing password hashes.
- Encryption: Using HTTPS for encrypting data in transit between your browser and our server, and SSL/TLS for encrypting the connection between our server and the database.
- Access Control: Limiting access to your personal data to authorized personnel or contractors who need it to perform their duties and are bound by confidentiality obligations. Database access is restricted to the internal network.
- Infrastructure Security: Utilizing a reliable hosting platform (Railway) and implementing measures to protect our infrastructure.
- API Security: Our API employs authorization mechanisms (access only for logged-in users), rate limiting to prevent abuse, and CORS policies to restrict access.
- Secure Key Storage: Storing sensitive credentials (API keys, database passwords, session secrets) as secure environment variables on the server.
However, no internet transmission or electronic storage method is 100% secure, and we cannot guarantee absolute security.
11. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Right of Access: Obtain information about and a copy of your data.
- Right to Rectification: Correct inaccurate data.
- Right to Erasure ('Right to be Forgotten'): Request deletion of your data under certain conditions.
  How to Request Erasure: Please email info@b2bspace.ee with the subject "Data Erasure Request". We may need to verify your identity. Deletion results in account closure. We will inform you if legal reasons prevent full deletion.
- Right to Restriction of Processing: Request restriction under certain conditions.
- Right to Object: Object to processing based on our legitimate interests.
- Right to Data Portability: Receive your data in a machine-readable format.
- Right to Withdraw Consent: Withdraw your consent for processing (specifically for non-essential cookies) at any time via the mechanism described in Section 9 ("Changing Consent").
- Right to Lodge a Complaint: File a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI).
To exercise your rights (except lodging a complaint), please contact us at info@b2bspace.ee.
12. Links to External Resources
Our Site may contain links to third-party websites or resources. We do not control and are not responsible for the data collection or processing practices of such third parties. We encourage you to review the privacy policies of every website you visit.
13. Policy Updates
We may update this Policy periodically. The "Last Updated" date at the top indicates the latest revision. In case of significant changes affecting your rights, we will notify you in advance by posting a prominent notice on the Site and/or sending an email notification (if you have provided us with your email address). Your continued use of the Site after changes are posted constitutes your acknowledgment of the updated policy. We recommend reviewing this page regularly.
14. Contact Information
OÜ b2bspace
Registry code: 16957970
Legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138
Email: info@b2bspace.ee