Last Updated: April 11, 2025
Orgcäos OÜ, operating as Orgcaos Purpose-Driven Design Studio ("Orgcaos," "we," "us," or "our"), is committed to protecting your privacy and ensuring the security of your personal data. This GDPR Privacy Policy ("Policy") explains how we collect, use, store, disclose, and protect your personal data when you visit our Website (https://orgcaos.com and https://orgcaos.ee, collectively the "Website"), submit inquiries through our contact forms, or engage our creative design services ("Services"). Our Website, hosted on Webflow, serves as a portfolio platform showcasing our branding and web design work, case studies, blog content, and client testimonials.
As a company registered in Estonia (registry code: 16321350, legal address: Vahtrepa küla, Liiva, Hiiumaa vald, Hiiu maakond, 92318, Estonia), we operate in full compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the Estonian Personal Data Protection Act, and other applicable EU and Estonian laws. This Policy applies to all users ("you," "User," or "Client") accessing our Website or Services, regardless of their location, with specific protections for individuals in the European Economic Area (EEA).
By using our Website or Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not use our Website or provide us with any personal data.
1. Definitions
To ensure clarity, the following terms have the meanings set forth below:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"), as defined in Article 4(1) of the GDPR, such as names, email addresses, IP addresses, or device identifiers.
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in Article 4(2) of the GDPR.
- Controller: The entity that determines the purposes and means of Processing Personal Data, in this case, Orgcäos OÜ, as defined in Article 4(7) of the GDPR.
- Processor: An entity that Processes Personal Data on behalf of the Controller, such as our Third-Party Service providers, as defined in Article 4(8) of the GDPR.
- Website: Refers to https://orgcaos.com
2. Our Role as Data Controller
Orgcäos OÜ acts as the Data Controller for Personal Data collected through the Website and Services, determining the purposes and means of Processing. In certain cases, we engage Third-Party Services as Data Processors to assist with analytics, marketing, or Website functionality. All Processors are carefully vetted to ensure GDPR compliance, and we enter into Data Processing Agreements (DPAs) with them, as required by Article 28 of the GDPR.
3. Personal Data We Collect
We collect and Process Personal Data in a lawful, fair, and transparent manner, in accordance with Article 5 of the GDPR. The types of Personal Data we collect depend on how you interact with our Website or Services. Below is a detailed breakdown:
3.1 Data You Provide Voluntarily
- Contact Forms: When you submit an inquiry via our contact form (https://www.orgcaos.com/contact), we collect:
  - First name
  - Email address
  - Company name or details (optional, e.g., organization, collective, or side hustle)
  - Message (e.g., project details, such as a rebrand or website design)
- Service Engagements: When you contract our Services, we may collect additional information, such as:
  - Full name
  - Billing address
  - Phone number (if provided)
  - Payment details (processed via secure third-party payment providers)
  - Project-specific information (e.g., brand preferences, design briefs)
- Communications: If you email us (), call, or schedule a meeting, we collect any Personal Data you provide, such as your name, contact details, or inquiry content.
- Testimonials: If you provide a testimonial, we may collect your name, company, and feedback, with your explicit consent for publication.
3.2 Data Collected Automatically
When you visit our Website, we collect certain information automatically using cookies and similar technologies, including through Third-Party Services:
- Technical Data:
  - IP address
  - Browser type and version
  - Operating system
  - Device type and identifiers
  - Time zone and language preferences
- Usage Data:
  - Pages visited
  - Time spent on the Website
  - Clickstream data (e.g., links clicked, scrolling behavior)
  - Referring URLs
  - Date and time of access
- Analytics and Marketing Data:
  - Aggregated data on user interactions (via Google Analytics, Microsoft Clarity)
  - Tracking data for advertising campaigns (via Google Ads, Meta Pixels)
For details on cookies and similar technologies, please refer to our Cookie Policy.
3.3 Data from Third Parties
We may receive Personal Data from Third-Party Services, such as:
- Analytics Providers: Google Analytics and Microsoft Clarity provide anonymized or pseudonymized data about user behavior.
- Marketing Platforms: Google Ads and Meta Pixels may provide data on ad interactions, which may include pseudonymized identifiers.
- Social Media: If you interact with us via social media platforms (e.g., LinkedIn, Instagram), we may receive your username or public profile information, subject to the platform’s privacy policy.
We do not collect sensitive Personal Data (e.g., racial or ethnic origins, political opinions, health data) unless voluntarily provided by you for a specific purpose, and such data will only be Processed with your explicit consent, per Article 9 of the GDPR.
4. Lawful Bases for Processing
We Process Personal Data only when we have a lawful basis under Article 6 of the GDPR. The specific bases for our Processing are:
- Consent (Article 6(1)(a)):
  - When you submit a contact form, you consent to our Processing of your Personal Data to respond to your inquiry.
  - When you agree to receive marketing communications (e.g., newsletters), you provide explicit consent.
  - When you accept cookies via our cookie banner, you consent to the use of non-essential cookies.
- Contract (Article 6(1)(b)):
  - When you engage our Services, we Process Personal Data to fulfill the Service Agreement (e.g., delivering designs, communicating about projects).
  - Processing billing information to process payments.
- Legitimate Interests (Article 6(1)(f)):
  - Analyzing Website usage to improve functionality and user experience (e.g., via Google Analytics, Microsoft Clarity), provided your rights and freedoms do not override our interests.
  - Preventing fraud and ensuring Website security (e.g., monitoring IP addresses).
  - Marketing our Services to existing Clients, subject to your right to opt out.
- Legal Obligation (Article 6(1)(c)):
  - Retaining certain data to comply with tax or accounting laws under the Estonian Accounting Act.
  - Responding to lawful requests from authorities, such as the Estonian Data Protection Inspectorate.
We will always inform you of the lawful basis for Processing at the point of data collection, ensuring transparency as required by Article 13 of the GDPR.
5. Purposes of Processing
We Process Personal Data for the following specific purposes, in line with Article 5(1)(b) of the GDPR:
- Website Operation:
  - To provide access to the Website and its content (e.g., portfolio, case studies, blog).
  - To ensure the Website functions correctly and securely.
- Inquiries and Communication:
  - To respond to contact form submissions and follow up on inquiries.
  - To communicate with Clients about Service Agreements, project updates, or deliverables.
- Service Delivery:
  - To execute Service Agreements, including designing branding materials, websites, or multimedia content.
  - To process payments and issue invoices.
- Analytics and Improvement:
  - To analyze Website usage and user behavior (via Third-Party Services) to enhance performance, design, and content.
  - To identify technical issues and optimize user experience.
- Marketing and Promotion:
  - To send newsletters or promotional materials to Users who have opted in.
  - To track ad performance and target relevant audiences (via Google Ads, Meta Pixels).
- Legal Compliance:
  - To comply with tax, accounting, or data protection obligations.
  - To respond to legal requests or defend against claims.
- Security:
  - To detect and prevent fraudulent or unauthorized activity.
  - To protect our systems and Users’ data from cyber threats.
We do not Process Personal Data for purposes incompatible with those listed above without obtaining your consent or providing prior notice.
6. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR. Our retention periods are:
- Contact Form Submissions: Retained for up to 2 years from the date of submission to facilitate follow-ups, unless you request deletion or engage our Services.
- Service Agreements: Client data (e.g., names, billing details, project files) is retained for up to 6 years after the Service Agreement ends to comply with the Estonian Accounting Act and to support potential future collaborations.
- Analytics Data: Anonymized or pseudonymized data (e.g., Google Analytics) is retained for up to 26 months, as per Google’s default settings, unless otherwise configured.
- Marketing Data: Email addresses for newsletters are retained until you unsubscribe, at which point they are deleted within 30 days.
- Security Logs: IP addresses or device data for security purposes are retained for up to 1 year unless needed for ongoing investigations.
When Personal Data is no longer needed, we securely delete or anonymize it using industry-standard methods, ensuring compliance with Article 32 of the GDPR. If you request deletion of your data (see Section 9), we will comply within 30 days, subject to any legal obligations to retain certain information.
7. Data Sharing and Transfers
7.1 Third-Party Processors
We share Personal Data with trusted Third-Party Processors to support our operations, including:
- Webflow: Hosts our Website and processes contact form submissions.
- Google Services (Google Tag Manager, Google Ads, Google Search Console, Google Analytics): Provide analytics and marketing tools.
- Microsoft Clarity: Analyzes user behavior through heatmaps and session recordings.
- Meta Pixels: Tracks ad interactions for marketing purposes.
- Payment Providers: Process payments for Services (e.g., Stripe, if applicable).
- Email Providers: Manage communications and newsletters (e.g., Mailchimp, if applicable).
All Processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance, including obligations to protect your data and limit Processing to our instructions.
7.2 Other Disclosures
We may disclose Personal Data in the following limited circumstances:
- Legal Obligations: To comply with court orders, tax authorities, or requests from the Estonian Data Protection Inspectorate, as required by Article 6(1)(c) of the GDPR.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred to a third party, provided they agree to comply with this Policy and GDPR requirements.
- Protection of Rights: To defend against legal claims, protect our intellectual property, or ensure the safety of our Users or staff.
7.3 International Transfers
As an Estonian company operating primarily within the EEA, most of our Processing occurs in GDPR-compliant jurisdictions. However, some Third-Party Processors (e.g., Google, Meta) are based outside the EEA, such as in the United States. When transferring Personal Data outside the EEA, we ensure appropriate safeguards, including:
- EU-U.S. Data Privacy Framework: For Processors certified under this framework (e.g., Google, Meta).
- Standard Contractual Clauses (SCCs): Incorporated into DPAs with non-EEA Processors, as approved by the European Commission under Article 46 of the GDPR.
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate data protection (e.g., Canada, if applicable).
8. Cookies and Similar Technologies
Our Website uses cookies and similar technologies to enhance functionality, analyze usage, and support marketing efforts. Cookies are small text files stored on your device by your browser. We use:
- Essential Cookies: Necessary for the Website to function (e.g., maintaining sessions, ensuring security).
- Analytics Cookies: Track user behavior to improve the Website (e.g., Google Analytics, Microsoft Clarity).
- Marketing Cookies: Support targeted advertising (e.g., Google Ads, Meta Pixels).
You can manage cookie preferences through our cookie banner, which appears on your first visit, allowing you to accept or reject non-essential cookies. For detailed information, including how to disable cookies, please refer to our Cookie Policy.
We obtain your consent for non-essential cookies in accordance with Article 7 of the GDPR and Article 5(3) of the EU ePrivacy Directive (Directive 2002/58/EC, as amended).
9. Your Data Subject Rights
As a data subject under the GDPR, you have the following rights regarding your Personal Data, subject to certain conditions:
- Right of Access (Article 15): Request a copy of your Personal Data and information about how we Process it.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete Personal Data.
- Right to Erasure (“Right to Be Forgotten”) (Article 17): Request deletion of your Personal Data, subject to legal retention obligations (e.g., accounting records).
- Right to Restriction of Processing (Article 18): Request that we limit Processing in certain cases, such as when you contest data accuracy.
- Right to Data Portability (Article 20): Receive your Personal Data in a structured, commonly used, and machine-readable format, or have it transferred to another Controller.
- Right to Object (Article 21): Object to Processing based on legitimate interests (e.g., marketing), after which we will cease Processing unless we demonstrate compelling grounds.
- Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time (e.g., for newsletters or cookies), without affecting the lawfulness of prior Processing.
- Right Not to Be Subject to Automated Decision-Making (Article 22): We do not engage in automated decision-making or profiling that produces legal effects, so this right is not applicable.
To exercise your rights, contact us at:
Orgcäos OÜ
Email: hello@orgcaos.com
Address: Vahtrepa küla, Liiva, Hiiumaa vald, Hiiu maakond, 92318, Estonia
Please include your name, contact details, and a description of your request. We will respond within 30 days, or 60 days for complex requests, as permitted by Article 12 of the GDPR. We may request proof of identity to verify your request, ensuring compliance with Article 5(1)(f) (security).
If you are dissatisfied with our response, you may lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee) or your local supervisory authority in the EEA, per Article 77 of the GDPR.
10. Data Security
We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, loss, alteration, or disclosure, as required by Article 32 of the GDPR. These measures include:
- Encryption: SSL/TLS encryption for data transmission on the Website.
- Access Controls: Restricting access to Personal Data to authorized personnel only.
- Secure Hosting: Using Webflow’s GDPR-compliant hosting infrastructure.
- Regular Audits: Monitoring and updating security practices to address emerging threats.
- Incident Response: Procedures to detect, report, and respond to data breaches within 72 hours of discovery, as required by Article 33 of the GDPR.
Despite these measures, no online system is entirely secure. In the unlikely event of a data breach, we will notify you and the Estonian Data Protection Inspectorate promptly, if required, and take steps to mitigate harm.
11. Children’s Privacy
Our Website and Services are not directed to individuals under 16 years of age, in accordance with Article 8 of the GDPR. We do not knowingly collect Personal Data from children under 16 without verifiable parental consent. If we become aware that a child has provided Personal Data without consent, we will delete it immediately, unless legally required to retain it. If you believe a child has submitted data to us, please contact us at hello@orgcaos.com.
12. Changes to This Policy
We may update this Policy to reflect changes in our practices, legal requirements, or Website functionality. Material changes will be communicated by:
- Posting the updated Policy on the Website with a revised “Last Updated” date.
- Providing notice via email or a Website pop-up at least 30 days before the changes take effect, where required by Article 13 of the GDPR.
Your continued use of the Website or Services after the effective date constitutes acceptance of the updated Policy. If you do not agree with the changes, you should cease using the Website and contact us to request data deletion.
13. Third-Party Links
The Website may contain links to external websites, such as our social media profiles (e.g., Facebook, Instagram, LinkedIn, Medium, Substack) or partner sites. These links are provided for convenience, and we are not responsible for the content, privacy practices, or security of these websites. We encourage you to review their privacy policies before providing Personal Data, as our Policy does not apply to third-party sites, per Article 17 of the EU Digital Services Act.
14. Contact Information
For questions, concerns, or to exercise your data subject rights, please contact us at:
Orgcäos OÜ
Email: hello@orgcaos.com
Address: Vahtrepa küla, Liiva, Hiiumaa vald, Hiiu maakond, 92318, Estonia
We aim to respond to all inquiries within 7 business days. For data protection-specific requests, we will comply within the GDPR’s mandated timelines.
If you are not satisfied with our response, you may contact the Estonian Data Protection Inspectorate:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Email: info@aki.ee
Website: www.aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia


