Privacy Policy

This Privacy Policy (hereinafter the “Policy”) sets out the procedure by which the website operator collects, stores, uses, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and the laws in force in the Republic of Estonia.

 

1. General Provisions

This Policy contains information about which of your personal data is collected and processed when visiting the website and using its functions, and also explains the purposes and legal grounds for such processing in accordance with the GDPR and applicable law.

The following key terms are used in this document, corresponding to the terms set out in the GDPR:

 

2. Key Definitions

Personal data – any information relating to an identified or identifiable natural person.

Processing of personal data – any operation or set of operations performed on personal data, including, but not limited to:

    • collection, recording, organization, structuring, storage, adaptation, or alteration;
    • downloading, viewing, use;
    • disclosure by transmission, dissemination, or otherwise making available;
    • alignment or combination;
    • restriction, erasure, or destruction.

Data Controller – a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor – a natural or legal person who processes personal data on behalf of the controller.

Data Subject – a natural person whose personal data is being processed.

Data subject’s consent – a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.

Cookies – small text files that a website saves on a user’s device to store information about the user’s activities or preferences.

Please note that data transmission over the internet (for example, when communicating by email) may involve security risks, and complete protection against access by third parties cannot be guaranteed. Subsequent sections of this document provide detailed information on the processing of personal data and the measures implemented for their protection.

 

3. Data Collection on This Website

3.1. Who is responsible for data collection

Definition:
Data Controller – a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (such as names, email addresses, etc.) and is responsible for the processing of the data subject’s personal data.

Contact details of the controller on this website:
Numio Design OÜ
Registry code: 17368856
Address: Kaheküla tee 37, 13516 Tallinn, Estonia
Phone: +372 519 16 064
Email: info@numiodesign.ee

Inquiries regarding the processing of personal data:
You may submit requests regarding the processing of your personal data and notifications of potential breaches related to this website or the provision of services to the email address provided above.

We undertake to review the inquiry and provide a response within 30 calendar days of receipt at the latest, in accordance with Article 12 of the GDPR.

3.2. How we collect your data

Your data is collected, on the one hand, if you provide it to us yourself. This may include:

    • data you enter into the website’s contact form;
    • data you provide to us via email;
    • data you provide over the phone;
    • data you provide by checking the relevant boxes in forms (e.g., newsletter subscription);
    • data you enter when submitting an order or service inquiry;
    • other data that you voluntarily provide during the use of our services.

Other data is collected automatically by our IT systems or with your consent when visiting the website. This may include:

  • technical data: internet browser, browser version, operating system, device type (computer, smartphone, tablet), screen resolution, system language, IP address, time of access to the website, session duration;
  • data on website usage behavior: pages visited, clicks on elements, navigation sequence, duration of interaction with content;
  • location data (based on IP address or other geolocation technologies);
  • traffic source data: referrer (the page you came from), search query used, or advertising campaign;
  • download and error data: files you have downloaded, errors in loading pages or applications.

3.3. Purposes of using your data

We collect and process your personal data solely to achieve the following purposes:

    • Provision of services and support: to fulfill contractual obligations, communicate with you within projects, and process your inquiries;
    • Improving our website and services: to analyze website usage in order to increase user-friendliness and service quality;
    • Marketing and customer communication: only with your consent, for example, to send newsletters and special offers or to display advertisements;
    • Compliance with legal obligations: to comply with tax, accounting, and other legal acts;
    • Ensuring security: to protect our IT systems and prevent misuse.

 

3.4. Legal grounds for processing personal data

In accordance with Article 6 of the GDPR, we process your personal data only if at least one of the following legal grounds exists:

Consent (Article 6(1)(a) GDPR): if you have given us voluntary, specific, informed, and unambiguous consent, we process your data only within the scope of that consent.
This may include, for example:

    • subscribing to a newsletter;
    • using non-essential cookies;
    • providing information via feedback forms outside of contractual relationships.

Performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR): we process your data if it is necessary:

  • to perform a contract to which you are a party (e.g., website development, consultation);
  • to take steps at your request prior to entering into a contract (e.g., preparing a quote).

Compliance with legal obligations (Article 6(1)(c) GDPR): processing may be necessary to fulfill our legal obligations, such as:

  • storing accounting documents for the period prescribed by law;
  • responding to mandatory inquiries from public authorities.

Legitimate interest (Article 6(1)(f) GDPR): in certain cases, data processing may take place based on our legitimate interest if:

    • it is necessary for the secure, efficient, and reliable operation of our website;
    • we conduct limited customer communication after the end of a project;
    • we analyze user behavior on the website for the purpose of its optimization.

In such cases, we always carry out an assessment to ensure that the interests, fundamental rights, and freedoms of the data subject do not outweigh our legitimate interest. You have the right to object to such processing at any time on grounds relating to your particular situation.

 

4. List of Processed Personal Data

We collect and process the following personal data of our clients and website users:

    • contact details (first and last name, email address, phone number);
    • data provided through feedback forms and requests;
    • company data (name, address, legal details);
    • IP address and location data, if necessary to improve the service and ensure security;
    • data collected through cookies and other information collected with tracking technologies on the website;
    • data voluntarily provided during consultations, performance of a contract, and communication with us;
    • information necessary for billing and fulfillment of contractual obligations;
    • technical data about the user’s browser and device (browser type, version, operating system).

All data is processed only to the extent necessary to achieve the purposes set out in this privacy policy.

 

5. Retention Periods for Personal Data

Unless a more specific retention period is set out in these terms, your personal data will be stored until the purpose of the data processing is no longer relevant (GDPR Article 5(1)(b)).

After the termination of processing or the end of the contract, mandatory retention periods set out in the laws of the Republic of Estonia may apply: business documentation and accounting documents – up to 7 years; correspondence – up to 6 years.

In the event that you exercise your right to erasure of personal data or withdraw your consent for their processing, we will delete the relevant data, unless further storage is necessary on other legal grounds (for example, to comply with mandatory retention periods set out in Estonian law). In such a case, deletion will take place after the relevant retention period has expired or other legal grounds have ceased to exist.

 

6. Rights of the Data Subject

In accordance with the General Data Protection Regulation (GDPR), you as a data subject have the following rights:

6.1. Right to rectification

You have the right to demand the immediate rectification or completion of inaccurate or incomplete personal data that we process.

 

6.2. Right to erasure (“right to be forgotten”)

You have the right to demand the erasure of your personal data if there is no legal basis for their processing (for example, to fulfill a legal obligation).
You will be notified of the fulfillment of your request within the period prescribed by law (generally no later than 30 calendar days).

 

6.3. Right to restriction of processing

You have the right to demand the restriction of processing of your personal data (GDPR Article 18). To exercise this right, you may contact us at any time.

The right to restriction of processing applies in the following situations:

    • if you contest the accuracy of the personal data in our possession – for the period of verification, you have the right to demand restriction of processing;
    • if the processing of your personal data has been or is unlawful – you may demand restriction of processing instead of erasure;
    • if we no longer need your personal data, but they are necessary for you to establish, exercise, or defend legal claims – you have the right to demand restriction of processing;
    • if you have objected pursuant to Article 21(1) of the GDPR and time is needed to assess which interests prevail.

If the processing of your personal data is restricted, it may – with the exception of storage – only be processed:

    • with your consent;
    • for the establishment, exercise, or defense of legal claims;
    • to protect the rights of another natural or legal person;
    • for reasons of important public interest of the European Union or a Member State.

 

6.4. Right to withdraw consent

You have the right to withdraw your consent to the processing of personal data at any time through the following methods:

    • unsubscribing from the newsletter via the “Unsubscribe” link contained in the emails;
    • changing cookie settings via the banner or browser settings;
    • contacting us via the contact details provided in the section “Who is responsible for data collection”.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

 

6.5. Right to data portability

You have the right to receive the personal data you have provided in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance from us, where technically feasible.

 

6.6. Right to object to data processing

You have the right to object at any time to the processing of your personal data if the processing is based on legitimate interest (GDPR Article 6(1)(e) or (f)), for example, for the purpose of analysis or profiling.
We will stop processing unless we can demonstrate compelling legitimate grounds.

If your data is used for direct marketing purposes, you have the right to object to this at any time. In such a case, your data will no longer be used for advertising purposes.

 

6.7. Right to lodge a complaint with a competent supervisory authority

In the event of a GDPR violation, you have the right to lodge a complaint with a supervisory authority in accordance with Article 77 of the GDPR, in particular in the Member State of the European Union of your habitual residence, place of work, or place of the alleged violation.

In Estonia, the competent supervisory authority is:

Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: www.aki.ee

 

7. Cookies

Our websites use so-called cookies.

Upon your first visit to the website, a cookie banner is displayed, providing information about the use of cookies and allowing you to give consent for the use of cookies or to configure preferences.

Cookies are small text files that do not harm your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted after your visit to the website. Persistent cookies remain on your device until you delete them yourself or until they are automatically removed by your web browser.

Sometimes, third-party cookies may also be stored on your device when visiting our website. These allow us or you to use certain third-party services (for example, cookies for processing payment services).

Cookies perform various functions. Many cookies are technically necessary because certain website functions would not work without them (e.g., displaying videos). Other cookies are used to analyze user behavior or to display advertisements.

Cookies that are necessary to carry out electronic communication (necessary cookies) or to provide specific functions requested by you (functional cookies) or to optimize the website (e.g., web statistics cookies) are stored on the basis of Article 6(1)(f) of the GDPR, unless another legal basis is provided. The website operator has a legitimate interest in storing cookies to ensure the technically error-free and optimized provision of services.

If consent has been requested for the storage of cookies, the relevant cookies will be stored solely on the basis of that consent (GDPR Article 6(1)(a)). Consent can be withdrawn at any time.

You can configure your browser to inform you about the use of cookies and allow cookies only in individual cases, exclude the acceptance of cookies in specific situations or entirely, and activate the automatic deletion of cookies when closing the browser. If cookies are disabled, the functionality of the website may be limited.

If cookies are used by third parties or for analytical purposes, we will inform you separately within the framework of this privacy policy and ask for your consent if necessary.

Server Logs

The website service provider automatically collects and stores information in so-called server logs, which your browser automatically transmits to us. This data includes:

    • browser type and version;
    • operating system used;
    • referrer URL;
    • hostname of the accessing computer;
    • time of the server request;
    • IP address.

 

8. Third-Party Services and Analysis Tools Used

 

8.1. CookieYes Cookie Banner

Service Provider:
CookieYes Limited
Address: 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom

Purpose of the service:

    • managing user consent for the use of cookies on our website.

Operating principle:

    • upon entering our website, CookieYes stores a cookie in your browser;
    • the cookie contains data about your choice: consent or refusal; date; IP address;
    • this data is not transmitted to third parties.

Data processing:

    • the plugin does not process personal data in terms of their transmission or use by third parties;
    • all information about your choice is stored locally in the browser in the form of a cookie.

User rights:

You can change or withdraw your consent at any time by clicking the “Cookie Settings” button located at the bottom of the website.

CookieYes Privacy Policy:
https://www.cookieyes.com/privacy-policy/

 

8.2. Google Analytics

Service Provider:
Google Ireland Limited
Address: Gordon House, Barrow Street, Dublin 4, Ireland

Purpose of the service:

    • analyzing website usage using cookies.

Operating principle:

    • Google Analytics uses cookies that allow for the analysis of your website usage;
    • the information collected by cookies (including the truncated IP address) is usually transmitted to and stored on Google’s servers in the United States;
    • we use IP address anonymization – your IP address is truncated beforehand within Member States of the European Union or the European Economic Area.

Your rights:

You have the right to withdraw your consent at any time.

Google Privacy Policy:
https://policies.google.com/privacy?hl=en

 

8.3. Divi’s Basic Captcha

Service Provider:
Elegant Themes
Address: 977 West Napa Street #1002, Sonoma, CA 95476, USA

Purpose of the service:

    • protecting contact forms from automated submissions (bots);
    • preventing misuse;
    • ensuring the technical security of the website.

Specifics of Divi’s Basic Captcha operation:

    • works locally;
    • does not use third-party APIs or external servers;
    • does not transmit or store personal data with third-party service providers;
    • verification takes place entirely in the user’s browser.

Scope of data processing:

    • processing is limited solely to functional input verification.

Elegant Themes Privacy Policy:
https://www.elegantthemes.com/policy/privacy/

 

8.4. Google Maps

Service Provider:
Google Ireland Limited
Address: Gordon House, Barrow Street, Dublin 4, Ireland

Purpose of the service:

    • displaying our studio’s location on a map in real-time.

Operating specifics:

    • when using the map, your IP address may be transmitted to Google;
    • cookies may be set and used during the use of the service.

Google Privacy Policy:
https://policies.google.com/privacy?hl=en

 

8.5. Third-Party Platforms (Facebook, Instagram, Threads)

Our website may use hyperlinks, buttons, icons, or widgets that direct to pages or chats on third-party platforms: Facebook, Instagram, Threads.

Service Provider:
Meta Platforms Ireland Limited
Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

These elements (icons, buttons, etc.) are implemented as simple links that activate only upon your click.

Possible data transmission to platforms:

    • IP address;
    • data about your browser and operating system;
    • the address of the page from which the redirection occurred;
    • your user account identifier on the respective platform (if you are logged in).

Important: we have no influence over the further processing of this data by the respective service providers.

Data processing takes place based on the terms and privacy policies of those platforms. Redirection to such links occurs only at your own request and initiative.

Recommendation: before using such functions, we ask you to familiarize yourself with the privacy policies of the respective platforms.

Meta Privacy Policy:
https://www.facebook.com/privacy/policy/

 

8.6. MailerLite

Service Provider:
MailerLite Limited
Address: 88 Harcourt Street, Dublin 2, D02 DK18, Ireland

Purpose of the service:

    • Delivery of newsletters and special offers.

Operating principle:

    • Data is processed on MailerLite servers solely based on the consent you have given.

Processed data:

    • email address;
    • name (if provided);
    • IP address;
    • information about interaction with emails (opens, clicks).

Your rights:

    • You can unsubscribe from the newsletter at any time by clicking the “Unsubscribe from newsletter” link at the bottom of the email.

MailerLite Privacy Policy:
https://www.mailerlite.com/legal/privacy-policy

 

8.7. Web Hosting

Service Description:
We use a service provider to host our website. The website is located on the service provider’s servers and is thus accessible via the internet (web hosting).

Data processing by the service provider:
The service provider may process all data that your browser transmits and that is generated during the use of our website. This includes in particular:

    • your IP address – necessary to deliver our web service to your browser;
    • all entries you make through our website.

In addition, the service provider may collect the following data:

    • date and time of access to our website;
    • time zone difference from Greenwich Mean Time (GMT);
    • access status (HTTP status);
    • volume of data transmitted;
    • internet service provider of the accessing system;
    • type and version of the browser used;
    • operating system used;
    • the website from which you may have reached our website;
    • pages or subpages of our website that you visit.

Data storage:
The above data is stored on our service provider’s servers as log files. This is necessary to ensure the reliability and security of our website.

Processed data:

    • content information (e.g., posts, photos, videos);
    • usage data (e.g., access time, websites visited);
    • communication data (e.g., information about the device used, IP address).

Data subjects:

    • users of our website.

Purpose of processing:

    • displaying and ensuring the functioning of our websites.

Web hosting ordered by us:
Service Provider: Zone Media OÜ
Address: Lõõtsa tn 5, 11415 Tallinn, Estonia
Privacy Policy: https://www.zone.ee/en/zone-media-ou-privacy-policy/

 

9. Personal Data Security Measures

We implement comprehensive technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction in accordance with GDPR requirements and applicable Estonian law.

 

9.1. Technical Security Measures

    • Protection of data transmission via the website using the secure HTTPS protocol (SSL/TLS).
    • Implementation of firewalls and intrusion prevention systems.
    • Regular software updates, including CMS, plugins, and server software.
    • Storage of data on servers with restricted physical and remote access.
    • Data backup with secure storage of backup copies.
    • Limiting the number of access points and monitoring system activities.

9.2. Organizational Security Measures

    • Access to personal data is restricted to authorized employees or contractual partners bound by confidentiality obligations.
    • Training employees on the rules of personal data processing and protection.
    • Entering into Data Processing Agreements in accordance with Article 28 of the GDPR.
    • Implementation of internal password and access management policies.

9.3. Physical Protection

    • Servers are located in data centers with controlled physical access, video surveillance, and access card-based authorization.
    • Restricting access by unauthorized persons to devices on which personal data is processed.

9.4. Security Control and Audit

    • Periodic checking and testing of security measures.
    • Updating protection measures according to technical changes or legal requirements.
    • Responding to security incidents within established timeframes and, if necessary, notifying supervisory authorities and data subjects in accordance with Articles 33–34 of the GDPR.

 

10. Cross-Border Data Transfer

The processing and storage of your personal data primarily take place on servers located in the European Union (EU) or the European Economic Area (EEA).

Data transfer outside the EU/EEA may occur only in the following cases:

    • when using Google Analytics and Google Maps services (service provider: Google Ireland Limited, possible data processing on Google LLC servers in the USA);
    • when sending newsletters via MailerLite (service provider: MailerLite Limited, Ireland; in certain cases, data transfer to third countries may occur due to technical necessity).

In all other cases, cross-border data transfer does not take place.

 

11. Changes to the Privacy Policy

We reserve the right to change or supplement this privacy policy at any time to bring it into line with legal changes or technical changes on our website.

The current version is always available on our website.

 

Last update date: 20.02.2026