Privacy Policy

Last updated: 22 May 2026 · Version 1.0

1. Who we are

GEOS is a website-analysis service operated by [YOUR FULL LEGAL NAME OR REGISTERED BUSINESS NAME], located in Tallinn, Estonia (the "Operator", "we", "us"). The Operator is the Data Controller for the personal data described in this policy.

Contact for privacy questions: [YOUR_PRIVACY_EMAIL]

2. What data we collect and why

2.1 When you submit the order form on geos-app.com

We collect:

Company name and your email address — to reply to your inquiry and identify the requester.
Your primary domain and a list of URLs you submit — to perform the audit you requested.
Language preference and any notes you provide — to tailor the audit to your needs.

Legal basis: performance of a contract (preparing your audit) and legitimate interest (responding to your inquiry).

2.2 When you become a customer (paid engagement)

We additionally collect:

Payment-related information (bank account details on issued invoices, payment confirmation references) — to process payment and meet Estonian tax-law obligations.
Email correspondence — kept for the duration of the business relationship and as long as legally required for tax purposes (7 years under Estonian law).

Legal basis: performance of a contract; compliance with legal obligations (Estonian Bookkeeping Act § 12).

2.3 When you use the self-service platform at app.geos-app.com (future)

When the self-service SaaS platform is live, we additionally collect:

Your Anthropic API key — encrypted at rest using industry-standard symmetric encryption (Fernet). Used solely to run audits you submit. We never transmit, share, or log your key in plaintext. You can revoke it from your account at any time.
Session cookies — a single strictly-necessary cookie for authentication. We do not use tracking, analytics, or advertising cookies of any kind.
Audit logs of sensitive operations (logins, key changes, job submissions) — for security and to enable account recovery and incident investigation.

Legal basis: performance of a contract; legitimate interest (security).

3. Who we share your data with (sub-processors)

We use the following service providers to operate GEOS:

Sub-processor	Purpose	Location	Safeguards
Formspree	Receives order-form submissions and forwards them to us by email	USA	EU–US Data Privacy Framework
Cloudflare	DNS, CDN, email forwarding, TLS certificates	USA (global edge)	EU–US Data Privacy Framework, Cloudflare DPA
Anthropic	AI inference used by the audit pipeline to evaluate page content	USA	EU–US Data Privacy Framework, Anthropic DPA
Resend (future)	Sending transactional email (magic-link sign-in, audit completion notifications)	USA	EU–US Data Privacy Framework
Hetzner (future)	Hosting the self-service SaaS server	Germany (EU)	EU controller

We do not sell or share your data with any party outside of these sub-processors and except where required by law. The URLs you submit for auditing are sent to Anthropic's AI inference API as input data; Anthropic's commercial terms state they do not train models on inputs received via their commercial API.

4. How long we keep your data

Inquiry forms not converted to customers: 90 days, then deleted.
Customer account data and audit outputs: for the duration of the engagement plus 90 days after termination, then deleted (except as required by tax law).
Invoices and payment records: 7 years (Estonian Bookkeeping Act § 12).
Email correspondence: up to 7 years where relevant to a business relationship; otherwise deleted after 2 years.
Server-side audit logs: 12 months, then deleted.

5. Your rights

Under the EU General Data Protection Regulation, you have the following rights regarding your personal data:

Right of access: request a copy of what we hold about you.
Right to rectification: correct inaccurate data.
Right to erasure (right to be forgotten): request deletion, subject to legal retention obligations (e.g. tax records).
Right to restriction of processing: ask us to limit how we use your data.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interest.
Right to lodge a complaint: with the Estonian Data Protection Inspectorate (www.aki.ee) or the supervisory authority in your country of residence.

To exercise any of these rights, email [YOUR_PRIVACY_EMAIL]. We respond within 30 days, often sooner.

6. Cookies and tracking

The marketing website geos-app.com uses no cookies of any kind. The future application at app.geos-app.com uses a single strictly-necessary cookie for authentication, which is exempt from cookie-consent requirements under the EU ePrivacy Directive.

We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party analytics. We rely on Cloudflare's privacy-preserving server-side analytics, which counts requests without identifying individual visitors.

7. Security

Customer Anthropic API keys (when added to the self-service platform) are encrypted at rest using Fernet symmetric encryption with a master key stored in a server environment file with restrictive file permissions. The master key is not stored in the database. Keys are decrypted only at the moment an audit job runs, in worker process memory, and cleared immediately afterward. Keys are never transmitted to any party other than Anthropic. We never log keys in plaintext or in any reversible form.

TLS encryption is used for all data in transit. Database access is limited to the application server. We retain audit logs of sensitive operations.

No system is perfectly secure. If we discover a security incident affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by the GDPR.

8. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to active customers. The "Last updated" date at the top of this page reflects the current version.

9. Contact

Questions about this policy or about how we handle your data: [YOUR_PRIVACY_EMAIL]

Postal address: [YOUR ADDRESS or registered business address]
Tallinn, Estonia

← Back to GEOS