Last updated:  July 2024

1.            The policy

1.1.         This privacy policy (the “Privacy Policy”) regulates the processing of personal data by eID Easy OÜ, registry code 14080014, address: Telliskivi 60, Tallinn 10412, Estonia (“Service Provider”). The description of the service is available on the website of Service Provider at https://www.eideasy.com/ (the “Site”). The Privacy Policy is part of Service Provider’s Terms of Service (available at Service Provider’s Site).

1.2.         Please read the following terms carefully before you start using the services of Service Provider. Upon commencing use of the service, you certify that you consent to the Privacy Policy and also accept Service Provider’s Terms of Service.

1.3.         All information stored and processed by the Service Provider is done within the EU/EEA.

1.4.         You may exercise any of your rights in relation to your personal data by contacting our Data Protection Officer via email at info@eideasy.com and attaching application with qualified electronic signature or visiting the company office in person.

2.            Service provider as the data processor

2.1.         In most cases, the Service Provider is the data processor in the context of service being provided to the data controller who has a legal relationship with the data subject (“Data Controller”). In this case, you are not able to opt out of only the Service Provider’s services without it affecting your legal relationship with the data controller, but this Privacy Policy informs you of the nature of the processing as well as your rights.

2.2.         We keep, process and transmit uploaded documents and information related to them. This data is processed solely in accordance with the directions provided by the data controller. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.

2.3.         We are not responsible for any Personal Data stored at Data Controller’s discretion – we are not responsible for how the Data Controller collects, handles, discloses, distributes or otherwise processes such data. The terms for such data processing are defined in the Data Processing Agreement.

2.4.         Should we need to process Customer Data, the data will only be used in an anonymous form.

3.            Service provider as the data controller

3.1.         If you have signed a User Account with the Service Provider, we collect and associate with your User Account the information you provide us, for example: names, addresses, email addresses, phone numbers, log information regarding account’s confirmation, account creation date and account deletion date. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.

3.2.         If you have signed a User Account with the Service Provider, we collect for billing purpose your full name, address (house, flat, city, country, postal code) and e-mail addresses. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.

3.3.         If you have signed a User Account with the Service Provider, we collect for billing purpose also the IP address and phone number which provides us with location information which is needed for following accounting rules. The legal basis for the processing of personal data in this case is article 6(1)(c) of the GDPR.

3.4.         We collect information related to how you use the Services. We may collect information like IP addresses, device information and the way you use our Services. This is for improving our Services for our Customers. The legal basis for the processing of personal data in this case is article 6(1)(f) of the GDPR.

3.5.         We might use third-party tools to collect information regarding visitor behaviour and visitor demographics on our Services (see the Cookies section below). The legal basis for the processing of personal data in this case is article 6(1)(f) of the GDPR.

3.6.         We might receive information about you from third parties we are working closely with (like Qualified Trust Service Providers, other Service Providers integrated into our Services, business partners, subcontractors, payment service providers, credit rating agencies). We will treat this information as Personal Data in accordance with these Privacy Policy. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.

3.7.         Service Provider collects some metadata such as browser information in server logs in case of an issue or an attack on the service. For that reason, IP address is also processed. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.

3.8.         Service Provider also logs whether you have given consent for direct marketing e-mails. In this case we are acting as a data controller for this information. The legal basis for the processing of personal data in this case is article 6(1)(a) of the GDPR.

4.            Time of storage

4.1.         Service Provider retains the personal data of you only as long as it is necessary, in accordance with the aim of collecting the data and required by law. Service Provider keeps billing information (including address and IP address) at least as long as required by law.

4.2.         Once you delete your User Account from the Services, your Customer Data is deleted within 30 days.

4.3.         Application log files are deleted 90 days after the collection.

4.4.         Uploaded and unsigned files are deleted after 14 days.

4.5.         Uploaded and signed files are deleted after 7 days, or sooner if the relevant API call is made.

4.6.         All other data can be removed by you if you chose to.

5.            The recipients of the data

5.1.         Service Provider does not disclose personal data to third parties without your consent, except to the supervisory authorities to satisfy regulatory and legal requirements, accountants and in events arising from law or in case needed for submission or in process of claim against you.

5.2.         In case your User Account is managed for you by an Account Administrator, this Account Administrator will have full access to your Account. The Account Administrator is able to access all your uploaded data (Customer Data), suspend or terminate your Account access and obtain your usage information.

5.3.         We may provide the Personal Data to our trusted business partners to process it for us, based on our instructions and in compliance with these Privacy Policy.

5.4.         We may share and/or transfer your Personal Data if we become involved in any merger, acquisition, reorganization, sale of assets, bankruptcy.

5.5.         Service Provider does not transfer the data to third countries.

6.            Security measures

6.1.         Service Provider has had a security audit from security experts to ensure that the data is as safe as possible.

6.2.         Service Provider keeps your data safe by using organisational, physical and technological measures.

6.3.         The access to personal data is restricted and certain access rights are set.

6.4.         Services are provided through 256-bit encryption TLS connections. All data is stored in data centers in compliance with ISO 27001 standard. Data at rest is encrypted using industry standard algorithms.

6.5.         If users are using service only for identifying themselves or signing documents then their personal data (for example name and identity code) can be stored in a database in encrypted form. Personal data might also be written to application log files in encrypted form. User data might be stored in application log files for audit trail and debugging purposes.

6.6.         If a user has connected their Facebook or Google account for convenience purposes then their data will be stored until these methods connection event is expired or these methods are detached from the user info. This is needed for providing the service and identify themselves in an easier way without strong identification methods.

6.7.         Depending on the Customer’s preference, they may opt to store signed containers on our servers. Containers are only stored in encrypted form.

7.            Your rights as a Data Subject

7.1.         Right to access. As a user you can manage your personal data in the account/dashboard settings. We provide you, upon request and free of charge, a copy of your personal data that we process.

7.2.         Right to be informed. This Privacy Policy informs you about who we as a Service Provider are, what personal data we process, how we process it, and it explains what your rights are and how you can enforce them. If you wish to have more information related to this Privacy Policy, you can find our contacts in the beginning of the Privacy Policy.

7.3.         Right to data portability. You can easily copy, move, or transfer the personal data you provided us to a third-party service provider if you wish so, therefore keeping its usability.

7.4.         Right to erasure. You have the right to request us to delete your personal data in case the obligation to retain the data is not set out by the law.

7.5.         Right to object. You have the right to object to the way we are processing your data. You have the absolute right to object to your personal data being used for direct marketing.  In any other circumstances, we will reply to your objection within one month .

7.6.         Right to rectification. You have the right to modify and correct your personal data on your User Account at any time and you are therefore responsible for the accuracy of your personal data.

7.7.         Right to restrict processing. According to the GDPR, you may have, depending on the circumstances, the right to ask us to suppress the use of your personal data. We reserve the right to store your personal data even if we will not use it.

7.8.         Right to withdraw consent. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

7.9.         Rights related to automated decision making, including profiling. We are not doing automated decisions.

7.10.      Right to complain to a data protection authority. You have the right to lodge a complaint with the supervisory authority Estonian Data Protection Inspectorate, located at Tatari 39, 10134 Tallinn, Estonia.

8.            Cookies

8.1.         A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

8.2.         Service Provider uses cookies in all the provided Services, storing only anonymous identifiers and other preferences. Cookies can be categorized as following:

8.2.1.     Essential cookies for provision of Services. These cookies ensure that information and services are delivered securely and optimally.

8.2.2.     Functionality cookies for helping personalize your experience. For example, these cookies remember choices, language, preferred options etc.

8.2.3.     Performance cookies to monitor your behaviour and help us improve our information and services.

8.3.         Service Provider currently uses the following cookies:

URLNamePurposeExpirationType
id.eideasy.comlaravel_sessionEnsures the visitor sees (only) info that is related to their person, and not anyone else’s.After current browsing session is closed.Essential cookies
id.eideasy.comXSRF-TOKENPrevents user from being vulnerable to CSRF attacks.2 hoursEssential cookies
eideasy.com, id.eideasy.com_ga, _ga_*Allows us to collect information about visits to the websites. Used by Google Analytics.2 yearsPerformance cookies
eideasy.com, id.eideasy.com_gcl_auSame as previous.90 daysPerformance cookies
eideasy.com, id.eideasy.com_gat, _gid _gat_*Same as previous.1 dayPerformance cookies
eideasy.com, id.eideasy.comcollect, r/collectSame as previous.After current browsing session is closed.Performance cookies
eideasy.com, id.eideasy.com__hssrcNecessary for the functionality of the website’s chat-box function.After current browsing session is closed.Functionality cookies
eideasy.com, id.eideasy.com__hsscSame as previous.1 hourFunctionality cookies
eideasy.com, id.eideasy.com__hstcSame as previous.215 daysFunctionality cookies
eideasy.com,
id.eideasy.com
hubspotutkSame as previous.184 daysFunctionality cookies
id.eideasy.comAMP_*, AMP_MKTG_*Used to collect information necessary for addressing issues encountered by users in using our services.1 yearPerformance cookies

8.4.         It is possible to reject cookies from your browsers (different browsers have different options). Blocking all cookies may affect the usage of Service Provider’s Site.

9.            Amendments

10.          Please be aware that Service Provider may revise these Privacy Policy (including the list of used cookies) from time to time. Therefore, Service Provider’s Privacy Policy may be changed or amended. Any changes or amendments will be published on the Site. If a revision might reduce your rights, we will notify you at least 30 days in advance.

11.          The effective date which is at the top of the Privacy Policy informs you about the latest version of the Privacy Policy. Service Provider advises you to revisit this page from time to time to make sure you are familiar with the current version of the Privacy Policy.

12.          By continuing to access and use the Site or the Services after Service Provider has posted changes on the Site, or after notifying you by e-mail, you agree to be bound by the updated Privacy Policy.

13.          If you do not agree to the updated Privacy Policy, you must stop using the Site or the Services.

14.          Governing law, jurisdiction and submitting complaints

14.1.      This Privacy Policy and obligations arising from or related to it are governed by the legislation of the Republic of Estonia.

14.2.      Any and all disputes arising from or related to the personal data protection will be settled by the parties by way of negotiations. Failing agreement, you shall have the right to lodge a complaint with the supervisory authority Estonian Data Protection Inspectorate or a claim to court.

14.3.      In case the dispute between the parties is to be resolved in judicial proceedings, the parties agree to refer the dispute to Harju County Court in accordance with the legislation in force in the Republic of Estonia.

14.4.      The above mentioned does not exclude consumers from their rights regarding jurisdiction.

Older versions of our Privacy Policy:

03.2023 – 06.2024

08.2020 – 02.2023

GDPR Badge BVCER ISO 27001 eIDAS eID Easy Google for Startups