[EXAMPLE]
Privacy Policy
Valid from 16.01.2026
Introduction
This Privacy Policy explains how GBRIS (“we”, “us”, “our”) processes personal data when users visit our website, use our services, or purchase documents and reports. We are committed to protecting personal data and complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws.
This Privacy Policy applies to:
- Visitors to our website
- Customers purchasing documents or reports
- Individuals whose personal data may appear in documents or reports purchased through our services
Data Controller
Controller: GBRIS
Address: Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Telliskivi tn 60/1-53, 10412, Estonia
Email: [email protected]
GBRIS acts as the data controller within the meaning of Article 4(7) GDPR.
All questions regarding the processing of personal data, the exercise of data subject rights, or privacy-related inquiries should be directed to the above email address.
Types of Data We Process
Publicly Available Entity Information
The information displayed publicly on our website primarily consists of business entity data, such as:
- Legal entity name
- Registered business address
- Registration or identification numbers
This information primarily relates to legal entities. Where such information relates to identifiable natural persons, it is treated as personal data in accordance with GDPR.
Personal Data of Natural Persons
We may process personal data relating to identifiable natural persons, including but not limited to:
- Customer contact details (name, email address, billing information)
- Technical data (IP address, device identifiers, browser type)
- Transaction and order details
- Personal data contained in purchased documents or reports (e.g. names of company representatives, sole proprietors, or beneficial owners)
All such data is processed in accordance with GDPR.
Purposes of Processing and Legal Bases (Article 6 GDPR)
We process personal data only where a lawful basis exists under Article 6 GDPR:
| Purpose | Legal Basis |
| Processing orders and delivering purchased documents | Performance of a contract (Art. 6(1)(b)) |
| Customer communication and support | Performance of a contract (Art. 6(1)(b)) |
| Accounting, invoicing, tax, and legal compliance | Legal obligation (Art. 6(1)(c)) |
| Website security, fraud prevention, and abuse monitoring | Legitimate interests (Art. 6(1)(f)) |
| Website analytics (non-essential cookies) | Consent (Art. 6(1)(a)) |
| Advertising and conversion tracking | Consent (Art. 6(1)(a)) |
Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
Cookies and Tracking Technologies
We use cookies and similar technologies on our website.
Cookie Categories
- Strictly necessary cookies
Required for the operation, security, and functionality of the website.
- Non-essential cookies
- Analytics cookies (website usage analysis)
- Marketing and advertising cookies (including conversion tracking)
Cookie Consent Management
- Non-essential cookies are placed only after obtaining explicit user consent
- Users may accept or reject non-essential cookies via the cookie banner
- Consent can be withdrawn at any time by revisiting cookie settings and selecting “reject”
- Cookie durations are defined per cookie and disclosed in the cookie information section
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Customer and transaction data: retained for the duration of the contractual relationship and thereafter as required by accounting and tax laws
- Communication data: retained for up to 24 months after the last interaction
- Analytics and cookie data: retained according to cookie-specific duration settings
- Personal data contained in purchased documents: retained only as long as necessary to fulfil the order and comply with legal obligations
Retention periods may be extended where required by law or for the establishment, exercise, or defence of legal claims.
Data Sharing and Processors
We may share personal data with trusted third-party service providers acting as data processors, including:
- Hosting and infrastructure providers
- Payment service providers
- Analytics and advertising providers (including Google and Microsoft)
- Customer communication and support tools
All processors are subject to GDPR-compliant Data Processing Agreements (DPAs) and process personal data solely on our documented instructions.
International Data Transfers
Some of our service providers (including Google and Microsoft group companies) may process personal data outside the EU/EEA.
Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions adopted by the European Commission, where applicable
- Additional technical and organisational security measures
Data Subject Rights
Under GDPR, individuals have the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Requests may be submitted by email to [email protected].
Supervisory Authority
Individuals have the right to lodge a complaint with their local data protection authority or with the supervisory authority in the EU Member State of their habitual residence, place of work, or place of the alleged infringement.
Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, or misuse.
Changes to This Policy
We may update this Privacy Policy from time to time. The latest version is always available on our website and applies from the “Last updated” date stated above.