Privacy Policy

Effective date: 01.07.2025

This Privacy Policy explains how Maelstrom OÜ (“Findaroo”, “we”, “us”, “our”) collects and uses personal data when we act as a controller (e.g., on our website, for billing and support, and for our own business operations). When we process personal data on behalf of our customers inside the Findaroo service (e.g., verifying contacts you submit), we act as a processor and our Data Processing Agreement (DPA) applies.

  • Company: Maelstrom OÜ (registry code 17086035)
  • Address: Järvevana tee 9, 11314 Tallinn, Estonia
  • Contact: hola@findaroo.eu
  • Supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), https://www.aki.ee/en

B2B only. Findaroo is intended for business users; we do not knowingly target or process children’s data.

1. What data we collect (as controller)

We may collect the following categories of personal data:

  1. Identity & professional details: name, job title, employer, business contact details (work email/phone), country.
  2. Account & usage data: account identifiers, authentication events, API usage, logs (IP address, user agent, timestamps), preferences.
  3. Billing & transactions: subscription tier, invoices, payment status, VAT number (card data handled by our payment processor; we do not store card numbers).
  4. Communications: support messages, email correspondence, feedback.
  5. Marketing: email preferences, campaign interactions, and (if applicable) business prospect data obtained from you or publicly available sources.
  6. Cookies/online identifiers: see Section 6.

We do not intentionally collect special category data (e.g., health, religion) or data about criminal offences.

2. How we obtain data

  • Directly from you when you visit our site, create an account, use the Services, contact support, or manage billing.
  • Automatically via logs when you use our site or Services.
  • From our payment provider (payment status and limited billing metadata).
  • From publicly available business sources (e.g., corporate websites, public registries) for B2B outreach, where permitted by law.

3. Purposes and legal bases

We process personal data for these purposes and legal bases:

| Purpose | Examples | Legal basis |
|---|---|---|
| Provide and secure the Services | account creation, authentication, API usage, service delivery, security monitoring | Contract (Art. 6(1)(b)); Legitimate interests (security) |
| Billing & administration | invoicing, tax/VAT records, payment reconciliation | Contract; Legal obligation |
| Support & communications | respond to requests, incident notices, product updates | Legitimate interests; Contract when tied to your subscription |
| Service improvement | service analytics, aggregated/de-identified statistics | Legitimate interests |
| Marketing to business contacts | sending B2B product information to work contacts, opt-out available | Legitimate interests (B2B outreach, where permitted) |
| Compliance & enforcement | preventing abuse, enforcing terms, legal claims | Legitimate interests; Legal obligation |
| Analytics (Matomo, cookieless) | usage analytics without cookies; no profiling | Legitimate interests |

First-contact transparency. For B2B outreach where we obtained your work contact from a public source, we include GDPR Art. 14 information and an easy opt-out in the first message.

If we later enable any non-essential cookies or third-party trackers, we will seek consent and update this Policy.

4. When we act as processor (customer data)

For personal data you submit to the Service (e.g., contact lists and the email verification Results), we act as processor and process such data solely on your documented instructions under the DPA. Retention and deletion follow the DPA (e.g., 7-day retention for Results and verification artefacts, then deletion; EEA-only processing).

5. Sharing your data (recipients)

We share controller-side personal data with:

  • Service providers (processors) we use to operate our business, under contracts that impose confidentiality and data protection obligations, including:
    • DigitalOcean (IaaS hosting) – data centres in Frankfurt (DE) and Paris (FR).
    • Stripe (payments) – processes your payment method and billing events.
  • Self-hosted analytics (Matomo). We run Matomo on our own EEA servers; analytics data are not sent to Matomo GmbH or other third parties.
  • Professional advisers (e.g., accountants) and auditors, where necessary.
  • Public authorities or courts when required by law or to protect our rights.

We do not sell personal data.

6. Cookies & similar technologies

We use only essential cookies necessary to operate the site (e.g., session, CSRF, and payment/fraud prevention on checkout via Stripe). We do not set non-essential cookies.

Matomo analytics (cookieless). We measure usage with self-hosted Matomo configured without cookies. We do not build user profiles or track across sites. IP addresses are truncated/pseudonymised and analytics are aggregated. Because this configuration does not place analytics cookies or use cross-site identifiers, we do not show a cookie consent banner.

  • We respect browser Do Not Track / Global Privacy Control signals for analytics where technically feasible.
  • You can also contact hola@findaroo.eu if you object to analytics; we will register your preference and exclude your visits where possible.

7. International transfers

We process and store data exclusively within the EEA. If we later engage a non-EEA provider or transfer data outside the EEA, we will implement EU Standard Contractual Clauses and appropriate safeguards, and update this Policy.

8. Retention

We keep personal data no longer than necessary for the purposes described above:

  • Account & billing: for the subscription term and as required for tax/accounting (typically 7–10 years under applicable law).
  • Support communications: up to 24 months after resolution, unless needed longer for compliance.
  • Marketing contacts (B2B): up to 3 years from the last interaction, or until you opt out.
  • Logs & security events: 7–90 days unless required longer for security or legal reasons.

Where we process data as processor, retention is governed by the DPA (see Section 4).

9. Security

We apply appropriate technical and organisational measures, including TLS encryption in transit, least-privilege access controls, network isolation, monitoring, and incident response. We do not apply encryption at rest or maintain persistent backups for customer-submitted data; compensating controls include access restriction and rapid deletion policies (see DPA). No system is perfectly secure, but we work to protect your data and the Service.

10. Your rights

Subject to conditions and exemptions in the GDPR, you have the rights of access, rectification, erasure, restriction, objection (including to direct marketing), and data portability. You also have the right to set post-mortem instructions where applicable under local law.

  • To exercise your rights, contact us at hola@findaroo.eu.
  • For data we process on behalf of a customer (processor role), please contact the relevant customer (the controller). If you contact us directly, we will notify the controller.

11. Complaints

You can lodge a complaint with your local supervisory authority or with our lead authority in Estonia: Andmekaitse Inspektsioon, https://www.aki.ee/en
(You may also seek judicial remedy.)

12. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new effective date and, if changes are material, provide reasonable advance notice.

13. Contact

Questions or requests about this Policy: hola@findaroo.eu
Postal: Maelstrom OÜ, Järvevana tee 9, 11314 Tallinn, Estonia

14. Service-specific notes

  • No mailbox sync. We do not access user mailboxes or email content.
  • Non-intrusive verification. When acting as processor, verification relies on syntax/DNS/MX checks and SMTP dialogue without sending message content.
  • EEA-only processing. Hosting in Frankfurt (DE) and Paris (FR).

Appendix A – Cookie details

| Cookie/Tool | Type | Provider | Purpose | Duration | Legal basis |
|---|---|---|---|---|---|
| app_session | Essential | Findaroo | Session management | session | Legitimate interests |
| __stripe* | Essential | Stripe | Payment and fraud prevention | up to 1 year | Legitimate interests |
| Matomo (cookieless) | Analytics (no cookies) | Findaroo (self-hosted) | Usage analytics without cookies; IP truncation; no cross-site tracking | n/a | Legitimate interests |

We currently set no non-essential cookies. If this changes, we will update this table and obtain consent where required.