Ecxtrem Industries

GDPR Compliance Statement

Last updated: 24 April 2026 · Ecxtrem Industries OÜ · Registry 16211087

1. Introduction

Ecxtrem Industries OÜ is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act. This statement explains how we fulfil our obligations as a data controller and, where applicable, as a data processor. It should be read alongside our Privacy Policy and Cookie Policy.

Data Controller: Ecxtrem Industries OÜ · Registry 16211087
Address: Ahtri 12, Kesklinna Linnaosa, 10151 Tallinn, Harju Maakond, Estonia
Data Protection Officer: dpo@ecxtrem.com
Supervisory Authority: Estonian Data Protection Inspectorate — www.aki.ee

2. Lawful Basis for Processing

| Processing Activity | Lawful Basis | Article |
| --- | --- | --- |
| Contact form enquiries | Legitimate interest — responding to voluntarily submitted business enquiries | Art. 6(1)(f) |
| Website analytics | Consent — only where the data subject has accepted analytics cookies | Art. 6(1)(a) |
| Server and infrastructure logs | Legitimate interest — security and integrity of our systems | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |

3. Data Subject Rights

To exercise any right, submit a written request to dpo@ecxtrem.com. We will acknowledge within 5 business days and respond within 30 calendar days. The response period for complex or numerous requests may be extended by a further two months, with notification.

3.1 Right of Access (Article 15)

You may obtain confirmation of whether we process personal data about you and, if so, receive a copy along with information on purposes, categories, recipients, retention periods, and your other rights.

3.2 Right to Rectification (Article 16)

You may have inaccurate personal data corrected and incomplete data completed without undue delay.

3.3 Right to Erasure (Article 17)

You may request deletion where: the data is no longer necessary for its original purpose; you withdraw consent and no other lawful basis exists; you object and we cannot demonstrate overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by law. This right does not apply where processing is necessary for legal claims or legal obligations.

3.4 Right to Restriction (Article 18)

You may request restriction of processing where you contest accuracy (pending verification); processing is unlawful and you prefer restriction to erasure; we no longer need the data but you require it for legal claims; or you have objected pending verification of our legitimate grounds.

3.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller.

3.6 Right to Object (Article 21)

Where we process your data on the basis of legitimate interest, you may object at any time. We must cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.

3.7 Automated Decision-Making (Article 22)

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.

3.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To withdraw analytics cookie consent, use the cookie settings link in the footer.

4. Data Protection by Design and Default

We implement data protection by design and by default per Article 25 GDPR: collecting only the minimum data necessary; limiting access to authorised personnel; applying privacy-protective default settings; and incorporating data protection into system design from the outset.

5. Security Measures

In accordance with Article 32 GDPR we implement: encryption of data in transit (TLS 1.2+); encryption of data at rest where applicable; role-based access controls; regular security assessments; and incident response procedures.

6. Personal Data Breach Notification

In the event of a personal data breach we will: notify the Estonian Data Protection Inspectorate within 72 hours where required (Article 33); notify affected individuals without undue delay where there is high risk to their rights (Article 34); and maintain an internal breach register for all incidents.

7. International Data Transfers

Transfers to Webflow, Inc. and Google LLC (United States) are governed by Standard Contractual Clauses (SCCs) under Commission Decision 2021/914. Supabase infrastructure is hosted in Frankfurt, Germany — no transfer outside the EEA occurs for that data.

8. Data Processor Agreements

All third-party processors operate under Article 28 GDPR-compliant data processing agreements requiring them to: process data only on our documented instructions; implement appropriate security; not engage sub-processors without authorisation; assist with data subject rights; and delete or return data on termination.

9. Record of Processing Activities

We maintain an internal Record of Processing Activities (ROPA) per Article 30 GDPR, available to the supervisory authority on request.

10. Supervisory Authority

Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
www.aki.ee · info@aki.ee

If resident in another EU member state, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work.

11. Updates

We review this statement at least annually and update it whenever processing activities change materially. The date at the top reflects the most recent review.
