Privacy Policy

Last updated: 3 June 2026

1. Who we are

GEOS is a website-analysis service operated by Taavi Valberg, located in Estonia (the "Operator", "we", "us"). For data collected via the website at geos-app.com, we are the Data Controller. For customer audit data processed through our managed audit service, we act as a Data Processor on behalf of the Customer (who is the Data Controller for the audit data they submit).

Contact for privacy questions: [email protected]

2. What data we collect and why

2.1 When you submit the order form on geos-app.com

We collect:

Company name and your email address - to reply to your inquiry and identify the requester.
Your primary domain and a list of URLs you submit - to perform the audit you requested.
Language preference and any notes you provide - to tailor the audit to your needs.

Legal basis: performance of a contract (preparing your audit) and legitimate interest (responding to your inquiry).

2.2 When you become a customer (paid contract)

We additionally collect:

Payment-related information (bank account details on issued invoices, payment confirmation references) - to process payment and meet Estonian tax-law obligations.
Email correspondence - kept for the duration of the business relationship and as long as legally required for tax purposes (7 years under Estonian law).

Legal basis: performance of a contract; compliance with legal obligations (Estonian Bookkeeping Act § 12).

2.3 When you become a managed-audit customer

Our managed audit service is currently invitation-only. Customers onboarded to the service receive a separate, more detailed customer Data Processing Addendum (DPA) covering the data we hold and process on their behalf, including specific sub-processor names, retention periods, and security controls. Highlights summarized here:

URLs you submit for auditing and the resulting audit outputs - stored on infrastructure inside the European Union so you can view dashboards, export reports, and compare results over time. Time-bounded retention with automated deletion sweeps.
The HTML content of the URLs you audit - fetched from the public web at the moment you submit a job, minimized in our pipeline (only the audit-relevant portion is retained or sent onwards), and processed for AI-driven analysis.
Authentication credentials (where you have provided them) - encrypted at rest using authenticated symmetric encryption, decrypted only at job-run time in worker memory, never returned to your browser. Detailed handling described in the customer DPA.
Session cookies - strictly-necessary authentication only. No tracking, analytics, or advertising cookies.
Audit logs of sensitive operations - for security, incident investigation, and to support your audit-trail requirements.

Legal basis: performance of a contract; legitimate interest (security, fraud prevention); compliance with legal obligations.

3. Who we share your data with (sub-processors)

GEOS uses a small number of carefully-vetted service providers to operate the website and our managed audit service. Each handles a specific, narrow function and is bound by contractual data-processing terms (Data Processing Addendum, Standard Contractual Clauses for international transfers).

3.1 Public website (geos-app.com)

Two providers are directly involved when you interact with the marketing website itself:

Sub-processor	Purpose	Safeguards
Formspree	Receives the order-form submission you complete on this site and forwards it to us by email.	EU-US Data Privacy Framework
Cloudflare	DNS, content delivery, TLS termination, security filtering. Cloudflare may set a single strictly-necessary security cookie (see §6).	EU-US Data Privacy Framework; Cloudflare DPA

3.2 Managed audit service (customers only)

For our managed audit service, additional sub-processors handle hosting, AI inference, and transactional email. Categories used:

European Union cloud hosting for the audit platform, customer data, database, and backups. Customer data is held within the EU.
AI inference provider for the analytical portion of the audit pipeline. Bound by contractual non-training commitments and a Data Processing Addendum that includes Standard Contractual Clauses (Modules 2 and 3) for any international transfers.
Transactional email provider for authentication-related messages and audit-completion notifications.

Customers receive the complete list of named sub-processors, their specific roles, contractual safeguards, and Data Processing Addendum links as part of their onboarding documentation. We do not publish the named list of operational sub-processors on this public page; this follows standard B2B SaaS practice and is provided directly to customers under their signed agreement instead. Sub-processor additions or changes are notified to customers by email at least 30 days in advance, with a right of objection.

We do not sell or share your data with any party outside of these sub-processors, and we do not share for advertising or marketing purposes under any circumstances. We may disclose data where required by law (e.g. judicial order from a court of competent jurisdiction in Estonia or the European Union); we will challenge overly broad requests and notify affected customers wherever permitted by law.

4. How long we keep your data

Inquiry forms not converted to customers: 90 days, then deleted.
Customer account data and audit outputs: for the duration of the engagement plus 90 days after termination, then deleted (except as required by tax law).
Invoices and payment records: 7 years (Estonian Bookkeeping Act § 12).
Email correspondence: up to 7 years where relevant to a business relationship; otherwise deleted after 2 years.
Server-side audit logs: 12 months, then deleted.

5. Your rights

Under the EU General Data Protection Regulation, you have the following rights regarding your personal data:

Right of access: request a copy of what we hold about you.
Right to rectification: correct inaccurate data.
Right to erasure (right to be forgotten): request deletion, subject to legal retention obligations (e.g. tax records).
Right to restriction of processing: ask us to limit how we use your data.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interest.
Right to lodge a complaint: with the Estonian Data Protection Inspectorate (www.aki.ee) or the supervisory authority in your country of residence.

To exercise any of these rights, email [email protected] with the relevant subject line (e.g. "Right of access request" or "Right to erasure request"). We respond within 30 days, typically sooner.

For right-to-erasure requests specifically: we delete all customer data we hold (database rows, audit outputs, encrypted credentials, file storage, archive snapshots). Items retained after erasure: (a) a non-reversible hashed record in our security audit log confirming the erasure was performed; (b) invoices and payment records where required by Estonian tax law (Bookkeeping Act §12, 7-year retention).

6. Cookies and tracking

The marketing website geos-app.com is served via Cloudflare, which may set a single strictly-necessary security cookie named cf_clearance. This cookie is used to verify that visitors are human and not automated bots attempting to abuse the site. It is essential for site security, does not track behavior across pages, does not identify you personally, and does not feed any analytics. Under Article 5(3) of the EU ePrivacy Directive, strictly-necessary cookies are exempt from cookie-consent requirements.

Customers using our managed audit service authenticate via a single strictly-necessary session cookie, exempt from cookie-consent requirements under Article 5(3) of the ePrivacy Directive. It does not track behavior across other sites and is destroyed when you sign out.

We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party analytics. We rely on Cloudflare's privacy-preserving server-side analytics, which counts requests without identifying individual visitors.

7. Security

We use TLS encryption for all data in transit, encryption at rest for any third-party credentials customers entrust to us, network-level access controls, and audit logs of sensitive operations. Customers using our managed audit service receive a detailed security overview as part of their onboarding documentation, including encryption mechanisms, key management practices, and incident response procedures.

No system is perfectly secure. If we discover a security incident affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Articles 33-34.

8. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to active customers. The "Last updated" date at the top of this page reflects the current version.

9. Contact

Questions about this policy or about how we handle your data: [email protected]

← Back to GEOS