1. Who we are
This Privacy Policy applies to Samarkand OÜ, a private limited company registered in Estonia under registry code [XXXXXXXXX], with registered address at [Address], Tallinn, Estonia, European Union (“Samarkand”, “we”, “us”, “our”).
Samarkand OÜ is the data controller for personal data collected through:
- The samarkandindustries.com website
- The kontrol-sentinel.com platform and associated services
- The eupeak.io platform and associated services
- The waretto.com platform and associated services
- The developer.waretto.com API platform
- The thehightable.international experience and waitlist
For questions about this policy or your personal data, contact us at privacy@samarkandindustries.com.
2. What personal data we collect
We collect personal data only where we have a lawful basis for doing so. Depending on how you interact with us, this may include:
2.1 Data you provide directly
| Data | Context |
|---|---|
| Full name | Contact form, account registration, event sign-up |
| Email address | All of the above |
| Organisation name and role | Contact form, enterprise enquiries |
| Phone number | Enterprise sales process (if provided) |
| Message content | Contact form submissions |
| Payment information | Subscription purchases (processed by our payment provider; we do not store card data) |
2.2 Data collected automatically
| Data | Context |
|---|---|
| IP address | Server access logs, fraud prevention |
| Browser type and version | Server logs, compatibility |
| Pages visited and time spent | Analytics (see Section 6) |
| Referrer URL | Analytics |
| Device type and operating system | Analytics |
| Cookie identifiers | See our Cookie Policy |
2.3 Data from third parties
We may receive limited information about you from third parties in the following circumstances:
- Payment processors (to confirm successful transactions)
- Identity verification services (for enterprise onboarding, where required by law)
3. Legal bases for processing
We process your personal data on the following legal bases under GDPR Article 6:
| Processing activity | Legal basis |
|---|---|
| Responding to contact form enquiries | Legitimate interests (Article 6(1)(f)) |
| Providing subscribed services | Performance of a contract (Article 6(1)(b)) |
| Processing payments | Performance of a contract (Article 6(1)(b)) |
| Sending service notifications | Performance of a contract (Article 6(1)(b)) |
| Marketing communications | Consent (Article 6(1)(a)) — where explicitly given |
| Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Legal compliance (tax, accounting) | Legal obligation (Article 6(1)(c)) |
| Analytics (if non-anonymous) | Legitimate interests (Article 6(1)(f)) or Consent |
4. How we use your data
We use your personal data to:
- Respond to your enquiries and provide the services you have requested
- Manage your account and subscription
- Process payments and issue invoices
- Send transactional communications (receipts, service updates, security alerts)
- Send marketing communications where you have consented
- Improve our products and services through aggregated analytics
- Comply with legal obligations (VAT records, accounting, regulatory requirements)
- Detect and prevent fraud, abuse, and security threats
5. Who we share data with
We share personal data only with:
Service providers acting as data processors on our behalf:
- Cloud infrastructure providers (EEA-based)
- Payment processing providers
- Email delivery providers
- Analytics providers (where applicable — see Section 6)
All processors are bound by data processing agreements under GDPR Article 28.
Legal authorities: We will disclose personal data to competent authorities where required by law or valid legal process. We will notify affected individuals where legally permitted to do so.
We do not transfer personal data outside the European Economic Area except where adequate protection is in place (adequacy decision or standard contractual clauses).
6. Analytics
Where we use web analytics, we configure it to:
- Anonymise IP addresses before any processing
- Disable cross-site tracking
- Not share data with advertising platforms
- Respect browser-level Do Not Track signals and consent choices
Where analytics involves non-anonymous data collection, we obtain your consent via our cookie banner before any such data is processed.
7. Data retention
We retain personal data for as long as necessary for the purpose for which it was collected, subject to the following:
| Data type | Retention period |
|---|---|
| Contact form submissions | 24 months from submission |
| Account data (active customers) | Duration of subscription + 12 months |
| Account data (churned customers) | 36 months from end of subscription |
| Payment records | 7 years (Estonian accounting law requirement) |
| Server access logs | 90 days |
| Marketing consent records | Until consent is withdrawn + 36 months |
When retention periods expire, data is securely deleted or anonymised.
8. Your rights
Under GDPR, you have the following rights:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data where we no longer have a legitimate reason to retain it.
- Right to restrict processing (Article 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact privacy@samarkandindustries.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the data protection authority in your country of residence.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, and unauthorised access or disclosure. These include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls and authentication requirements for all internal systems
- Regular security testing and vulnerability assessments
- Incident response procedures aligned with GDPR Article 33 notification obligations
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email (for registered users) and by updating the “Last updated” date at the top of this document. Continued use of our services after such notice constitutes acceptance of the updated policy.
11. Contact
Data Controller:
Samarkand OÜ
[Address], Tallinn, Estonia
privacy@samarkandindustries.com
Estonian supervisory authority:
Andmekaitse Inspektsioon (Data Protection Inspectorate)
Tatari 39, 10134 Tallinn
www.aki.ee