Effective: January 1, 2025
This policy is designed for global use and aligns with GDPR/UK GDPR and CPRA/CCPA. It's a robust template, not legal advice.
Controller: SaltSpatial OÜ (trading as SaltGIS) (collectively "SaltGIS", "we", "us").
Registered address: Estonia • Contact: privacy@saltgis.eu
If we process personal data on behalf of a customer (e.g., operating their GIS environment), we act as a processor. In all other cases (e.g., our website, sales), we are a controller.
This policy applies to our websites, apps, APIs, and professional services. A separate Data Processing Addendum (DPA) governs processor activities for customers. On conflict, the DPA prevails for those activities.
We do not knowingly collect special categories of personal data (e.g., health, biometrics) via our website.
| Purpose | Examples | Legal basis | Retention |
|---|---|---|---|
| Provide services | Operate apps/APIs, configure GIS, support | Contract necessity; Legitimate interests | Contract + 6 years (claims/records) |
| Sales & communications | Respond to requests, proposals | Legitimate interests; Consent where required | Up to 24 months from last interaction |
| Security & fraud | Logs, access control, monitoring | Legitimate interests; Legal obligation | 12–24 months (system logs) |
| Compliance | Tax, accounting, KYC/AML where applicable | Legal obligation | As required by law (often 7 years) |
| R&D and product improvement | Metrics, QA, de‑identified analytics | Legitimate interests | Aggregated/anonymized where possible |
For processor activities, we act on your documented instructions under a DPA.
We use strictly necessary cookies and—with your consent—analytics/performance cookies. Manage preferences via our cookie banner or your browser settings.
See our Cookie Policy for details.
Our services are not directed to children under 16. We do not knowingly collect such data. If you believe a child provided data, contact us to delete it.
We do not sell personal data.
Data may be processed outside your jurisdiction. Where required, we use recognized transfer mechanisms (e.g., EU Standard Contractual Clauses) and additional safeguards.
If we become aware of a personal‑data breach affecting you, we will notify you without undue delay consistent with applicable law.
We retain data only as long as necessary for the purposes described or as required by law. On request at project end, we will return or delete processor‑data within a commercially reasonable timeframe unless retention is legally required.
To exercise rights, email privacy@saltgis.eu. We may verify identity before fulfilling requests.
We do not make solely automated decisions with legal or similarly significant effects. For analytics or recommendations, we use aggregated or de‑identified data where feasible.
We do not respond to browser "Do Not Track" signals. Use our cookie banner and browser settings to control tracking technologies.
You can lodge a complaint with your local data protection authority. If you are in the EEA, you may contact the Estonian supervisory authority. We will cooperate with authorities in resolving complaints.
For customer projects where we act as processor, we will sign a DPA upon request. We maintain and will provide an up‑to‑date list of sub‑processors and notify you before material changes where required.
We may update this policy. We will post changes here and update the "Effective" date. Material changes will be communicated via the website or email when appropriate.