Privacy Policy
Enterpriseon OÜ privacy policy — how we collect, process, and protect your personal data under GDPR.
1. Data Controller
Enterpriseon OÜ
Registration number: 16949956
Lõõtsa tn 5, 11415 Tallinn, Estonia
Email: info@enterpriseon.com
Enterpriseon OÜ ("we", "us", "our") is the data controller for personal data processed via this website (enterpriseon.com) and associated services. We share GDPR policy and data handling practices with Enterprise4IT (enterprise4it.com), our technical platform partner.
2. Personal data we collect
2.1 Contact forms
When you submit our contact form, we collect:
- Name
- Email address
- Phone number (optional)
- Company name (optional)
- Message (free text)
Legal basis: Legitimate interest (Art. 6.1.f GDPR) — to respond to your inquiry and manage potential business relationships.
2.2 Visitor analytics (with your consent)
If you accept analytics cookies, we collect:
- Anonymized page view data
- Scroll depth and time on page
- Referral source (where you came from)
- UTM parameters (campaign tracking)
- Anonymous visitor ID (hashed)
Legal basis: Consent (Art. 6.1.a GDPR) — you can withdraw consent at any time via our Privacy Center.
2.3 Automatically collected technical data
Our web server automatically logs:
- IP address (hashed after 30 days)
- Browser type and version
- Operating system
- Date and time of visit
Legal basis: Legitimate interest (Art. 6.1.f GDPR) — IT security and operational stability.
3. How we use your data
- Respond to inquiries — name and email used to contact you regarding your request
- CRM management — contact details stored in our CRM system (Modern CRM, hosted by Enterprise4IT) to manage business relationships
- Consent management — we record your consent in a central consent register (Art. 7 GDPR) with five consent types: email marketing, SMS marketing, profiling, data processing, and phone calls
- Improve the website — anonymized visitor statistics help us understand how the website is used
- Legal obligations — accounting and business documentation per Estonian and EU legislation
We never use your personal data for automated decision-making or profiling with legal effects.
4. Who we share data with
| Recipient | Purpose | Location | DPA |
|---|---|---|---|
| Enterprise4IT (enterprise4it.com) | CRM system (Modern CRM) and technical platform | EU (Sweden/Estonia) | Yes |
| Loopia AB | Web hosting, DNS, and email | Sweden | Yes |
| Google LLC | Analytics and Search Console (with consent) | EU/USA (EU-US DPF) | Yes |
We never sell personal data to third parties. All sub-processors have Data Processing Agreements (DPA) per Art. 28 GDPR.
4.1 Records of processing activities (Art. 30)
Enterpriseon maintains a record of all personal data processing activities. The register documents purposes, categories of data subjects, retention periods, and safeguards. The register is available to supervisory authorities upon request.
5. Transfer to third countries
Our operational base is in Laos (Southeast Asia). Personal data may be processed outside the EU/EEA. In such cases, we ensure appropriate safeguards through:
- EU Standard Contractual Clauses (SCC) per Art. 46.2.c GDPR
- Technical safeguards (encryption in transit and at rest)
- Organizational measures (access restrictions, NDA for all personnel)
6. How long we store data
Our CRM system enforces automated retention rules (gdpr_retention_rules):
| Data type | Retention period | Action on expiry |
|---|---|---|
| Contact data (CRM) | 1,095 days (3 years) after inactivity | Anonymization |
| Email history | 730 days (2 years) | Deletion |
| Activity logs | 365 days (1 year) | Archival |
| WordPress form submissions | 90 days after processing | Anonymization |
| IP addresses | 30 days | Permanent hashing (SHA-256) |
| Visitor analytics | 90 days | Automatic deletion |
| Cookies | See section 8 below | — |
| Accounting records | 7 years | Estonian Accounting Act |
Deletion or anonymization upon request (Art. 17) is handled by our GdprErasureService, which anonymizes data across ~20 tables simultaneously and queues via anonymization_queue.
7. Your rights
Under GDPR, you have the following rights:
- Right of access (Art. 15) — request a copy of all data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — request restriction of processing
- Right to data portability (Art. 20) — request your data in machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time via our Privacy Center
To exercise your rights, contact us at info@enterpriseon.com or use our Privacy Center. We respond to all requests within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In Estonia: Andmekaitse Inspektsioon (aki.ee). In Sweden: Integritetsskyddsmyndigheten, IMY (imy.se).
8. Cookies
8.1 Necessary cookies
These cookies are required for the website to function and cannot be turned off.
| Cookie | Purpose | Duration |
|---|---|---|
| eon_consent_given | Stores your cookie preferences | 1 year |
8.2 Analytics cookies (requires consent)
These cookies help us understand how visitors use the website.
| Cookie | Purpose | Duration |
|---|---|---|
| eon_vid | Anonymous visitor ID | Session |
| eon_sid | Session ID | Session |
| _ga / _ga_* | Google Analytics (if enabled) | 2 years |
8.3 Marketing cookies (requires consent)
These cookies are used to show relevant offers. We currently do not use any marketing cookies, but reserve the option to enable them in the future — always with your consent.
8.4 Managing cookies
You can manage your cookie preferences via:
- Our Privacy Center page (recommended)
- The cookie banner displayed on your first visit
- Your browser settings
9. Security
We protect your personal data with technical and organizational measures:
Technical measures
- Encryption in transit — TLS/HTTPS on all connections, HSTS enabled
- Encryption at rest — AES-256-CBC for API keys, passwords, and sensitive fields
- Content Security Policy (CSP) — nonce-based policy against XSS and injection attacks
- RBAC — role-based access control with specific permissions per module and operation
- CSRF protection — token-based protection on all forms and API calls
- Rate limiting — protection against brute force and DDoS on all public endpoints
- HMAC signing — SHA-256 signatures on all webhook communications between systems
- IP hashing — IP addresses hashed with SHA-256 after 30 days
- Audit logging — all sensitive operations logged with correlation ID and timestamp
Organizational measures
- NDA — all personnel handling personal data are under non-disclosure agreements
- Least privilege — principle of least privilege enforced for all access
- Data Processing Agreements (DPA) — in place with all sub-processors (Art. 28 GDPR)
- Incident response — process for notification to supervisory authority within 72 hours (Art. 33 GDPR)
- Regular review — security scanning and code review
10. Relationship with Enterprise4IT
Enterpriseon OÜ and Enterprise4IT (enterprise4it.com) share technical infrastructure and GDPR procedures. Enterprise4IT provides the CRM system (Modern CRM) used to manage contact data and business relationships. Both organizations follow the same data protection policy and security standards.
Enterprise4IT acts as data processor (Art. 28 GDPR) for Enterpriseon regarding CRM processing. A Data Processing Agreement (DPA) is in place.
11. Changes to this policy
We may update this privacy policy. For material changes, we will inform you via the website. Last updated: 2026-04-05.
12. Contact
Questions about how we process your personal data?
Enterpriseon OÜ
Email: info@enterpriseon.com
Address: Lõõtsa tn 5, 11415 Tallinn, Estonia