Privacy Policy

Last updated: 3 March 2026

‍

This Privacy Policy explains how PlatformStack OÜ, registry code 16757366, incorporated under the laws of Estonia, with registered address at Estonia, Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141 (“Govplane”, “we”, “us”, “our”), collects, uses, discloses, and protects personal data in connection with the Govplane platform and website.

If you have any privacy-related questions, you may contact: management@platformstack.org

‍

1. Scope of This Policy

‍

This Privacy Policy applies to:

‍

- Visitors of the Govplane website
- Account holders and users of the Govplane platform
- Individuals contacting us via email or support channels

It does not apply to personal data processed by our customers within their own applications using Govplane. In such cases, Govplane acts as a data processor (see Section 8).

‍

2. Data Controller

‍

For personal data collected directly by Govplane (e.g., account registration, billing, support), the data controller is:

‍

PlatformStack OÜ
Registry Code: 16757366
Address: Estonia, Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141
Email: management@platformstack.org

‍

3. Categories of Personal Data Collected

‍

We may collect the following categories of personal data:

‍

3.1 Account Information
- Name
- Email address
- Company name
- Role within organization
- Login credentials (hashed)

‍

3.2 Billing Information
- Billing contact details
- Company information
- VAT number (if applicable)
- Transaction metadata

Payment card data is processed directly by Stripe and is not stored by Govplane.

‍

3.3 Technical Data
- IP address
- Device and browser information
- Log files
- Usage metadata
- API interaction logs
- Runtime key usage metadata

‍

3.4 Support Communications
- Email correspondence
- Support tickets
- Diagnostic logs voluntarily shared

‍

3.5 Website Usage Data
- Cookies (where applicable)
- Analytics data
- Session data

‍

4. Legal Basis for Processing

‍

We process personal data under the following legal bases pursuant to Article 6 GDPR:

‍

- Performance of a contract (Art. 6(1)(b)) – to provide the Service.
- Legal obligation (Art. 6(1)(c)) – accounting and regulatory compliance.
- Legitimate interests (Art. 6(1)(f)) – platform security, fraud prevention, service improvement.
- Consent (Art. 6(1)(a)) – where required for optional cookies or marketing.

Where processing is based on legitimate interests, we ensure such interests are not overridden by the fundamental rights and freedoms of data subjects.

5. Purpose of Processing

‍

We process personal data to:

‍

- Provide and maintain the Govplane Service;
- Authenticate users and manage accounts;
- Process payments;
- Provide customer support;
- Ensure platform security and prevent abuse;
- Comply with legal obligations;
- Improve platform performance and reliability.

We do not sell personal data.

‍

6. Data Retention

‍

We retain personal data only as long as necessary for the purposes described above.

‍

- Account data is retained for the duration of the contract.
- Billing records are retained in accordance with Estonian accounting law.
- Technical logs may be retained for security and audit purposes for a limited period.
- Backup data retention periods may vary depending on plan level.

‍

Upon account termination, personal data may be deleted or anonymized unless legal obligations require continued retention.

‍

7. Data Sharing and Processors

‍

We may share personal data with:

‍

- Payment processors (Stripe);
- Cloud hosting providers;
- Infrastructure and security service providers;
- Professional advisors (legal, accounting);
- Authorities where required by law.

‍

All third-party processors are contractually bound to appropriate data protection obligations under Article 28 GDPR.

We do not transfer personal data to third parties for independent marketing purposes.

‍

8. Govplane as Data Processor

‍

When customers use Govplane to process personal data within their own applications, Govplane acts as a data processor and the customer acts as the data controller.

‍

In such cases:

‍

- The customer determines the purpose and means of processing;
- Govplane processes data solely on documented instructions;
- A separate Data Processing Agreement (DPA) may be executed;
- Govplane implements appropriate technical and organizational security measures.

‍

Govplane does not verify the legality of data uploaded by customers.

‍

Customers are solely responsible for ensuring lawful processing and for fulfilling their own GDPR obligations toward their end users.

‍

9. International Data Transfers

‍

Govplane primarily operates within the European Union.

‍

If personal data is transferred outside the EEA, such transfers will be subject to appropriate safeguards, including:

‍

- Standard Contractual Clauses (SCCs);
- Adequacy decisions;
- Other legally recognized transfer mechanisms.

‍

Enterprise customers selecting specific data regions acknowledge that certain auxiliary services (e.g., backups or monitoring tools) may involve limited cross-border processing.

‍

10. Security Measures

‍

Govplane implements commercially reasonable technical and organizational measures to protect personal data, including:

‍

- Access controls;
- Encryption in transit;

- Encryption at rest;
- Secure authentication mechanisms;
- Infrastructure monitoring;
- Role-based permissions (where applicable).

‍

However, no system can be guaranteed to be fully secure.

‍

Security is a shared responsibility model. Customers remain responsible for:

‍

- Protecting credentials;
- Proper configuration;
- Securing their own runtime environments.

‍

11. Data Subject Rights

‍

Under GDPR, individuals have the right to:

‍

- Access their personal data;
- Rectify inaccurate data;
- Erase data (“right to be forgotten”);
- Restrict processing;
- Object to processing;
- Data portability;
- Withdraw consent (where applicable).

‍

Requests may be submitted to:
management@platformstack.org

‍

We may require identity verification before responding.

‍

If you believe your rights have been violated, you may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

‍

12. Cookies and Tracking

‍

Govplane may use cookies for:

‍

- Authentication;
- Security;
- Session management;
- Performance analytics (where applicable).

‍

Where required by law, non-essential cookies are deployed only with user consent.

A separate Cookie Policy may be provided where applicable.

13. Children’s Data

‍

Govplane is not directed to individuals under 18 years of age and does not knowingly collect personal data from minors.

14. Automated Decision-Making

‍

Govplane provides infrastructure for automated policy evaluation.

‍

However:

‍

- Govplane does not independently perform profiling of end users of customer systems;
- Automated decisions within customer applications are defined and controlled by the customer.

Customers are solely responsible for ensuring compliance with Articles 22 and related GDPR provisions concerning automated decision-making and human oversight.

‍

15. Changes to This Policy

‍

We may update this Privacy Policy from time to time.

The updated version will be published with a revised “Last updated” date.

Continued use of the Service constitutes acknowledgment of the updated policy.

‍

16. Contact Information

‍

For privacy-related matters:
management@platformstack.org

Registered Company:
PlatformStack OÜ
Registry Code: 16757366
Estonia, Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141

‍