Legal
Privacy Policy
Last updated: 19 May 2026 · Effective: 19 May 2026
This Privacy Policy explains how CrispWebs OÜ(“CrispWebs,” “we,” “us,” or “our”), a private limited company registered in Estonia (registry code: XXXXXXXX), collects, uses, shares, and protects personal data when you use our website at crispwebs.com, our platform, APIs, and related services (collectively, the “Service”).
As an EU-based company, we are directly subject to the General Data Protection Regulation (GDPR). We also comply with the UK GDPR, the Swiss Federal Act on Data Protection (nFADP/DSG), and other applicable data protection laws in the jurisdictions where we operate.
1. Data Controller
CrispWebs OÜ
Tallinn, Estonia
Registry code: XXXXXXXX
Email: privacy@crispwebs.com
As an EU-established entity, no Art. 27 GDPR representative is required. For UK data subjects, our UK representative can be contacted at the same email address.
2. Data We Collect
2.1 Data You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email, password hash | Account creation, authentication |
| Business data | Business name, address, phone, services, photos | Site generation |
| Payment data | Card details (processed by Stripe), billing address | Subscription billing |
| Communications | Support messages, chat edits, emails | Service delivery, support |
2.2 Data We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & browser | IP address, browser type, OS, screen resolution | Security, analytics, currency detection |
| Usage data | Pages visited, clicks, session duration | Service improvement |
| Location (coarse) | Country derived from IP address | Currency localisation, fraud prevention |
2.3 Data From Public Sources
To generate your Site, we collect publicly available business information from sources such as Google Business Profile, Yelp, Trustpilot, Facebook Business Pages, and similar platforms. This data is used solely for Site generation and is presented for your review before publication.
3. Legal Bases (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing necessary to deliver the Service you requested.
- Legitimate interest (Art. 6(1)(f)) — analytics, fraud prevention, service improvement, direct marketing to existing customers (with opt-out).
- Consent (Art. 6(1)(a)) — where required (e.g., non-essential cookies, marketing emails to non-customers).
- Legal obligation (Art. 6(1)(c)) — tax records, fraud reporting, law enforcement requests.
4. How We Use Your Data
- Generate, host, and maintain your Site;
- Process payments and manage subscriptions;
- Provide customer support and implement AI-assisted edits;
- Send transactional emails (confirmations, previews, invoices);
- Detect and prevent fraud, abuse, and security threats;
- Improve the Service through aggregated, anonymised analytics;
- Comply with legal obligations;
- Localise currency display based on your country (IP-derived).
5. Data Sharing
We do not sell your personal data. We share data only with:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | US (EU SCCs) |
| Vercel, Inc. | Hosting, edge delivery | US (EU SCCs) |
| Cloudflare, Inc. | DNS, CDN, domain registration | US (EU SCCs) |
| Supabase, Inc. | Database, authentication | EU (Frankfurt) |
| Resend (via Svix, Inc.) | Transactional email delivery | US (EU SCCs) |
| OpenAI / Anthropic | AI content generation | US (EU SCCs) |
All processors are bound by Data Processing Agreements with Standard Contractual Clauses (SCCs) where transfers are outside the EU/EEA/Switzerland.
6. International Transfers
Where personal data is transferred outside Switzerland or the EU/EEA, we rely on:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Swiss-adapted SCCs recognised by the FDPIC;
- Adequacy decisions where applicable;
- Supplementary technical measures (encryption in transit and at rest).
7. Data Retention
- Active account data — retained for the duration of your subscription plus 30 days.
- Post-cancellation — your Site data is available for export for 30 days, then permanently deleted.
- Billing records — retained for 7 years (Estonian Accounting Act § 12).
- Server logs — 90 days, then auto-deleted.
- Analytics (aggregated) — retained indefinitely (no personal data).
8. Your Rights
Under the GDPR, nFADP, and equivalent laws, you have the right to:
- Access — obtain a copy of your personal data;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion (“right to be forgotten”);
- Restriction — limit processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Object — object to processing based on legitimate interests or direct marketing;
- Withdraw consent — at any time, without affecting lawfulness of prior processing.
To exercise any right, email privacy@crispwebs.com. We respond within 30 days (extendable by 60 days for complex requests, with notice).
9. Automated Decision-Making
We use AI to generate website content. This constitutes automated processing but does not produce legal effects or similarly significant effects on you. You may request human review of any Generated Content before publication.
10. Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit;
- AES-256 encryption for data at rest;
- Role-based access controls and principle of least privilege;
- Regular security audits and penetration testing;
- Secure password hashing (bcrypt/argon2);
- Automatic security updates and vulnerability patching.
11. Children’s Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
12. Cookies
Our use of cookies and similar tracking technologies is described in our Cookie Policy.
13. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Estonia (lead authority): Andmekaitse Inspektsioon (Data Protection Inspectorate), www.aki.ee
- EU/EEA: Your local supervisory authority under GDPR Art. 77
- UK: Information Commissioner’s Office (ICO)
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
We encourage you to contact us first at privacy@crispwebs.com so we can resolve concerns directly.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or a notice on the Service at least 30 days before they take effect. The “Last updated” date at the top indicates the latest revision.
15. Contact
CrispWebs OÜ
Tallinn, Estonia
Registry code: XXXXXXXX
Email: privacy@crispwebs.com