1. Introduction

QBRI Digital (“we,” “us,” “our,” or “QBRI”) is committed to protecting your privacy and ensuring transparency about how we collect, process, store, and use your personal data. This Privacy Policy explains our data handling practices when you interact with our website (qbri.digital), use our services, or communicate with us regarding our IT consulting, web development, mobile development, digital strategy, and digital marketing services.

We comply with the EU General Data Protection Regulation (GDPR) (EU) 2016/679, the Estonian Personal Data Protection Act (PDPA), and all applicable Estonian and EU data protection legislation.

2. Definitions and Scope

Definitions

Personal Data

Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processing

Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller

The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processor

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Scope of This Policy

This Privacy Policy applies to:

• Our website at qbri.digital and all associated subdomains
• Data collected through contact forms, email inquiries, and communication channels
• Data collected during recruitment and job applications
• Data collected in the course of providing IT consulting, web development, mobile development, digital strategy, and digital marketing services
• Data collected through cookies, analytics, and similar tracking technologies

This policy does not apply to third-party websites, applications, or services that may be linked from our website. We encourage you to review the privacy policies of any third-party services before providing your personal data.

3. Data Controller Information

QBRI OÜ is the data controller responsible for processing your personal data as described in this policy. If you have questions about our data handling practices, please contact us using the information provided above.

4. What Personal Data We Collect

We collect personal data only when necessary to provide our services, communicate with you, or fulfill legal obligations. The categories of personal data we collect include:

4.1 Information You Provide Directly

• Contact Information: Name, email address, phone number, company name, job title, business address
• Service Request Data: Project details, requirements, preferences, timelines, budget information provided when requesting consultations or proposals
• Communication Records: Messages, inquiries, feedback, and any correspondence
• Account Information: Login credentials, account preferences (if you create a client account)
• Payment Information: Billing address, payment method details (processed through secure third-party payment processors; we do not store full payment card information)
• Employment Information: CV, cover letter, employment history, qualifications (for job applicants)
• Social Media Profiles: If you use social login (e.g., LinkedIn, GitHub), we collect basic profile data with your consent

4.2 Information Collected Automatically

• Website Usage Data: Pages visited, time spent on pages, links clicked, referral sources
• Device Information: Device type, operating system, browser type and version, IP address
• Location Data: Approximate geographic location (derived from IP address; not precise location data)
• Cookies and Tracking Technology: Information collected through cookies, web beacons, pixels, and similar technologies (see Section 12)
• Analytics Data: Behavioral patterns, interaction metrics, user engagement data collected through analytics platforms

4.3 Information from Third Parties

• Third-Party Services: Data received from analytics providers, email marketing platforms, CRM systems, or other business tools
• Business Partners: Information shared by partners, vendors, or affiliates in the context of service delivery
• Publicly Available Sources: Information obtained from public records or business directories where relevant to your inquiry

4.4 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) unless explicitly provided by you for a lawful purpose and with your express consent. If you voluntarily provide such information, you consent to our processing of it as described in this policy.

5. Legal Basis for Processing

Under GDPR and Estonian law, we process personal data based on one or more of the following legal bases:

Consent Management: Where we rely on your consent, you have the right to withdraw it at any time by contacting us at info@qbri.digital. Withdrawal of consent does not affect the lawfulness of processing conducted while consent was in place.

6. How We Use Your Personal Data

We use your personal data for the following purposes:

6.1 Service Delivery

• Providing IT consulting, web development, mobile development, digital strategy, and digital marketing services
• Responding to inquiries, proposals, and quotation requests
• Project management, coordination, and delivery
• Technical support and maintenance of services
• Billing, invoicing, and payment processing
• Fulfilling contractual obligations

6.2 Marketing and Communication

• Sending newsletters, case studies, industry insights, and business updates (with your consent or where you have opted in)
• Promotional communications about our services, events, and webinars
• Responding to customer inquiries and feedback
• Conducting market research and surveys
• Targeted advertising and personalized content recommendations

6.3 Recruitment and Employment

• Processing job applications and evaluating candidate qualifications
• Conducting interviews, assessments, and background checks (where applicable and with consent)
• Managing recruitment processes and maintaining talent databases
• Internal HR administration

6.4 Business Operations and Improvement

• Analytics and user behavior analysis to improve website and service functionality
• Measuring interest in specific services and content
• Optimizing user experience and interface design
• Developing new services and features
• Conducting business research and competitive analysis
• Internal reporting and performance metrics

6.5 Legal and Security

• Compliance with legal, regulatory, and contractual obligations
• Fraud prevention, detection, and investigation
• Cybersecurity and data protection measures
• Defending against legal claims and disputes
• Maintaining records for accounting and tax purposes
• Exercising or defending legal rights

6.6 Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you, except as permitted by applicable law. If we implement such processing in the future, we will provide transparent notice and appropriate safeguards.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or resolve disputes. Specific retention periods are as follows:

After the applicable retention period expires, personal data is securely deleted or anonymized. If you request deletion before the retention period ends, we will honor your request unless we have a legal obligation to retain the data longer.

8. Sharing Personal Data with Third Parties

We do not sell or rent your personal data. We share personal data with third parties only when necessary and appropriate, as follows:

8.1 Service Providers and Processors

We may share your data with third-party service providers who process data on our behalf under data processing agreements (Data Processor Agreements), including:

• Cloud Hosting Providers: Server infrastructure, website hosting, backup and storage services
• Email and Communication Platforms: Email delivery services, newsletter management (Mailchimp, ConvertKit, or similar)
• Customer Relationship Management (CRM) Systems: HubSpot, Pipedrive, or similar for managing client relationships
• Analytics and Tracking Tools: Google Analytics, Hotjar, or similar for website analytics
• Payment Processors: Stripe, PayPal, or similar for secure payment processing
• Project Management Tools: Asana, Monday.com, or similar for internal project coordination
• Communication Platforms: Slack, Microsoft Teams, or similar for internal team communication
• Recruitment Platforms: LinkedIn Recruiter or similar for job postings and candidate sourcing
• Accounting and Tax Services: External accountants or tax advisors for financial compliance

All service providers are bound by written data processing agreements that require them to process personal data only as instructed and to maintain appropriate security measures.

8.2 Affiliate Companies and Business Partners

We may share personal data with affiliated companies or business partners for service delivery, business development, or operational purposes. Any such sharing is governed by contractual obligations to protect your data.

8.3 Legal Requirements and Law Enforcement

We may disclose personal data if required by law, court order, or governmental authority. This includes:

• Compliance with Estonian law, EU law, or other applicable legal requirements
• Response to lawful requests from law enforcement, regulatory agencies, or public authorities
• Protection of legal rights, property, safety, or security of QBRI, our users, or the public
• Investigation or prevention of fraud, security breaches, or illegal activities

8.4 Business Transfers

If QBRI is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction, your personal data may be transferred as part of that transaction. We will provide notice of such changes and any applicable choices you may have regarding your personal data.

8.5 Public Disclosure

Information you voluntarily post in public areas of the Site (such as testimonials, case studies, or public project portfolios) may be displayed publicly and indexed by search engines. Do not submit personal data you wish to keep private through public forums or postings.

8.6 Anonymous and Aggregated Data

We may use and share anonymized or aggregated data that cannot identify you for business purposes, research, marketing, analytics, and other lawful purposes without restriction.

9. International Data Transfers

QBRI is based in Estonia (EU). Your personal data is primarily processed and stored within the European Union, where it benefits from GDPR protections.

9.1 Transfers Outside the EU/EEA

If we transfer personal data outside the European Economic Area (EEA), we will:

• Ensure the recipient country is deemed to have adequate data protection by the European Commission; or
• Implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs); or
• Obtain your explicit consent for such transfer

Transfers to the United States are governed by Standard Contractual Clauses or other lawful mechanisms compliant with GDPR following the Schrems II ruling.

9.2 Your Rights Regarding International Transfers

You have the right to request information about safeguards in place for your data when transferred outside the EEA. Contact us at info@qbri.digital for details.

10. Your Data Subject Rights

Under GDPR and Estonian law, you have the following rights regarding your personal data:

10.1 Right of Access (GDPR Article 15)

You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data in a structured, commonly used, machine-readable format (data portability).

10.2 Right to Rectification (GDPR Article 16)

You have the right to correct inaccurate, incomplete, or outdated personal data. You may request correction by contacting us with details of the inaccuracy.

10.3 Right to Erasure (“Right to Be Forgotten”) (GDPR Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent on which processing was based
• You object to processing based on legitimate interests
• The data has been unlawfully processed
• Legal obligation requires deletion

We may retain data if required by law or where processing is necessary for specified legal reasons.

10.4 Right to Restrict Processing (GDPR Article 18)

You may request restriction of processing of your personal data in circumstances such as disputing accuracy, unlawful processing, or when you’ve objected to processing but we have not yet determined if our legitimate interests override yours.

10.5 Right to Object (GDPR Article 21)

You have the right to object to:

• Processing based on legitimate interests or a public task
• Direct marketing communications (including newsletters and promotional emails)
• Profiling associated with these purposes

We will honor objections to direct marketing immediately. If you object to other processing, we will evaluate your request and cease processing unless we have compelling legitimate reasons or legal obligations to continue.

10.6 Right to Data Portability (GDPR Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance, where processing is based on consent or contract.

10.7 Right Not to Be Subject to Automated Decision-Making (GDPR Article 22)

You have the right not to be subject to automated decision-making (including profiling) that produces legal or similarly significant effects. If we implement such processing, we will provide notice and safeguards.

10.8 Right to Lodge a Complaint (GDPR Article 77)

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the supervisory authority:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Email: info@aki.ee
Website: https://www.aki.ee
Phone: +372 627 4135

10.9 How to Exercise Your Rights

To exercise any of these rights, please contact us in writing at:

Email: info@qbri.digital
Postal Address: QBRI OÜ, Tornimäe 5, 10145 Tallinn, Estonia

Please include sufficient detail to identify you and the right you wish to exercise. We will respond to your request within 30 days (or up to 90 days for complex requests), or notify you if we require additional information. You will not be charged for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee.

11. Data Security Measures

QBRI implements comprehensive technical, organizational, and administrative safeguards to protect personal data from unauthorized access, alteration, disclosure, or destruction. Our security measures include:

11.1 Technical Measures

• Encryption: Data in transit is encrypted using TLS/SSL encryption (HTTPS); sensitive data at rest is encrypted
• Firewalls and Access Controls: Network firewalls, IP whitelisting, and role-based access controls limit unauthorized access
• Secure Hosting: Data is hosted on secure, professionally managed cloud servers with redundancy and backup systems
• Regular Security Updates: All systems and software are kept up-to-date with security patches
• Vulnerability Assessment: Regular security audits and penetration testing
• Intrusion Detection: Continuous monitoring for unauthorized access attempts

11.2 Organizational Measures

• Access Restrictions: Personal data access is limited to authorized personnel with a legitimate need to know
• Data Protection Training: Employees receive regular training on data protection, privacy, and security best practices
• Confidentiality Agreements: All employees and contractors sign confidentiality agreements
• Incident Response Plan: We have documented procedures for responding to data breaches
• Data Processing Agreements: All processors are bound by written agreements requiring appropriate security measures

11.3 Limitations

While we maintain strict security measures, no system is completely immune to attack. We cannot guarantee absolute security against determined, sophisticated attacks. However, we will implement and maintain industry-standard security practices and notify you of any material breaches as required by law.

11.4 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected individuals and the Estonian Data Protection Inspectorate without undue delay and in accordance with GDPR Article 33 and Article 34 requirements. Notifications will include details of the breach, its potential impact, and recommended protective measures.

12. Cookies and Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) that contain information about your browsing activity. We use cookies and similar tracking technologies to enhance your website experience, provide analytics, and enable certain functionality.

12.2 Types of Cookies We Use

12.3 Third-Party Tracking Technologies

Our website uses the following third-party tools that set cookies and tracking pixels:

• Google Analytics (Google LLC): Website analytics and user behavior tracking. Google Privacy Policy. You can opt-out using Google Analytics Opt-Out Browser Add-on.
• Facebook Pixel (Meta Platforms, Inc.): Tracks website conversions and enables retargeting. Facebook Privacy Policy
• LinkedIn Insight Tag (LinkedIn Corporation): Tracks website visitors and enables LinkedIn advertising. LinkedIn Privacy Policy
• Google Ads (Google LLC): Enables Google advertising and conversion tracking. Google Privacy Policy
• Hotjar (Hotjar Ltd): Heatmaps, user recordings, and feedback tools. Hotjar Privacy Policy
• Mailchimp (Intuit Inc.): Email marketing platform tracking. Mailchimp Privacy Policy

These third parties may process your data according to their own privacy policies and may share data across multiple websites. We recommend reviewing their privacy policies.

12.4 Consent and Control

We use a cookie consent management system that obtains your explicit consent before deploying non-essential cookies. When you first visit our website, you will see a cookie notice explaining cookie usage and providing options to:

• Accept All: Accept all non-essential cookies
• Reject Non-Essential: Accept only essential cookies required for website functionality
• Customize: Choose specific categories of cookies to allow

You can change your cookie preferences at any time by clicking the cookie settings link in the website footer.

12.5 Managing Cookies in Your Browser

You can manage, disable, or delete cookies through your browser settings:

• Chrome: Settings → Privacy and Security → Cookies and other site data
• Firefox: Preferences → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Cookies and website data
• Edge: Settings → Privacy, search, and services → Clear browsing data

Disabling cookies may impact website functionality and user experience. Essential cookies cannot be disabled as they are necessary for basic site operation.

12.6 Do Not Track (DNT)

Some browsers include a “Do Not Track” feature. Our website currently does not respond to DNT signals, but you can disable tracking cookies through cookie settings or your browser preferences.

12.7 Local Storage and Similar Technologies

We may use local storage, session storage, and similar client-side storage technologies to enhance website functionality and user experience. These operate similarly to cookies and can be managed through browser settings.

13. Third-Party Links and Services

13.1 External Links

Our website may contain links to third-party websites, applications, and services that are not operated or controlled by QBRI, including:

• Social media platforms (LinkedIn, Facebook, Twitter, GitHub)
• Client and partner websites
• Industry resources and educational content
• Payment processors and service providers

QBRI is not responsible for the privacy practices, content, or security of third-party websites. We encourage you to review the privacy policies of any third-party services before providing personal data.

13.2 Social Media Integration

Our website includes social media integration and widgets (e.g., LinkedIn sharing, GitHub badges, social follow buttons) that may:

• Collect your IP address and device information
• Set cookies and tracking pixels
• Track your interaction with our content
• Correlate your social media account with your activity on our site

Third-party social networks control these interactions. Please review their privacy policies for details on how they process your data.

13.3 Embedded Content

Our website may embed content from third parties (videos, maps, documents, code repositories). Embedded content may collect data as you interact with it, subject to the third party’s privacy policy.

13.4 Testimonials and Case Studies

With permission, we may publish client testimonials, case studies, or project portfolios that include company names, project descriptions, and results achieved. If you provide such information, you consent to its publication.

14. Children’s Privacy

QBRI’s website and services are not directed at, nor intended for, children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16 without parental consent.

If we become aware that personal data has been collected from a child under 16 without parental consent, we will take steps to delete such information promptly and may terminate the child’s access to our services.

Parents or guardians who believe their child has provided information to us may contact us at info@qbri.digital to request deletion.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the revised policy on our website with an updated “Last Updated” date
• Sending an email notification to your registered email address (if applicable)
• Displaying a prominent notice on our website before the changes take effect

Your continued use of our website after such changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your personal data.

If you do not agree with our updated practices, you may discontinue your use of our services and request deletion of your personal data as described in Section 10 (Your Data Subject Rights).

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

16.1 Data Protection Officer

For data protection-related inquiries, you may also contact our Data Protection Officer (DPO) at info@qbri.digital.

16.2 Supervisory Authority

If you wish to lodge a complaint about our privacy practices, you have the right to contact the supervisory authority in your jurisdiction:

For Estonia:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Email: info@aki.ee
Website: https://www.aki.ee
Phone: +372 627 4135

For Other EU Member States: Contact your national data protection authority listed on the European Data Protection Board website.