
Privacy policy.

Effective: 07 May 2026
Document: SG-LEGAL-001
Jurisdiction: Estonia · EU (GDPR)
Controller: SOLGREEN OÜ

Contents
  1. About This Policy
  2. Who We Are (Data Controller)
  3. What Personal Data We Collect
  4. How We Use Personal Data (Purposes & Legal Bases)
  5. Who We Share Personal Data With
  6. International Data Transfers
  7. Direct Marketing
  8. Data Retention
  9. Security
  10. Personal Data Breach Notification
  11. Your Rights
  12. AI / Machine-Learning Processing
  13. When We Act as a Processor for Our Clients
  14. Cookies
  15. Changes to This Policy
  16. How to Contact Us; How to Complain
  17. Appendix A — CCPA/CPRA Categories Disclosure (Past 12…

SOLGREEN OÜ — Privacy Policy

Last Updated: 2026-05-07 · Effective Date: 2026-05-07 · Version: 2.0

Plain English: We're an Estonian software and AI agency. We collect business contact details when you reach out, engagement records when you become a client, and the minimum amount of website telemetry needed to keep the site secure. We don't sell your data, don't run ads, don't profile you, and don't let any AI vendor train its models on your data. The full version is below.

1. About This Policy

This Privacy Policy explains how SOLGREEN OÜ ("SOLGREEN", "we", "us", "our") collects, uses, discloses, and protects Personal Data when you visit https://solgreen.ee (the "Site"), inquire about our services, engage us under a Statement of Work, or otherwise interact with us.

This Policy is an "isikuandmete töötlemise teabe" (personal-data-processing notice) under the Estonian Personal Data Protection Act and a transparency notice under Articles 13–14 of the EU General Data Protection Regulation (GDPR). It is also designed to satisfy the UK GDPR, Swiss FADP, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) where applicable.

If you are an end-user of one of our clients (i.e., we are processing your Personal Data on behalf of a client as a processor), the controller of your Personal Data is the client, and you should refer to that client's privacy notice.

2. Who We Are (Data Controller)

Plain English: SOLGREEN OÜ in Tallinn is the data controller. The privacy contact is privacy@solgreen.ee.

Field | Value
Data Controller | SOLGREEN OÜ
Registry code (äriregistri kood) | 16360195
Registered address | Tartu mnt 67/1-13b, 10115 Tallinn, Estonia
Privacy contact | privacy@solgreen.ee
General contact | hello@solgreen.ee

Data Protection Lead: Acting as our Data Protection Officer for jurisdictions where formal DPO designation is not mandatory, the Data Protection Lead is reachable at privacy@solgreen.ee and is responsible for overseeing compliance with this Policy and Applicable Data Protection Law.

EU Representative (Article 27 GDPR): SOLGREEN is established in Estonia (an EU member state), so Article 27 does not require us to appoint a separate EU representative.

UK Representative (Article 27 UK GDPR): Where we offer services to UK-based individuals or monitor their behavior, we will appoint a UK representative as required.

3. What Personal Data We Collect

Plain English: Business contact details when you reach out, engagement records when you become a client, technical logs to keep the site running. We don't collect special-category data and don't knowingly process children's data.

3.1 Identity and Contact Information

  • Name (first and last)
  • Business email address
  • Company / organization name
  • Job title or role
  • Country of business
  • Phone number (only if you provide it voluntarily)
  • Information you choose to share in your inquiry

Source: You (contact form, email correspondence, scheduling tools).

3.2 Engagement and Service Records

  • Notes from briefs, calls, and meetings
  • Project correspondence (emails, messages, document comments)
  • Deliverables produced for you
  • Invoices and payment records
  • Source-code repositories shared between us in a private GitHub organization
  • Client Materials you provide to us in connection with an engagement (which may contain Personal Data of your end-users; see Section 13)

Source: You; generated in the course of the engagement.

3.3 Website Telemetry

  • IP address (truncated where applicable for security purposes)
  • HTTP request metadata: pages visited, referring URL, user-agent string
  • Device type and browser (used in aggregate, not for profiling)
  • Server / security logs (typically retained 30 days)

Source: Automatically collected by the Site infrastructure (Cloudflare edge for security/CDN, Railway for application logs). We do not use Google Analytics, Meta Pixel, Microsoft Clarity, Hotjar, or any third-party advertising / behavioral tracker. See Subprocessors.

3.4 Cookies and Similar Technologies

See our Cookie Policy for the full list. We use a minimal set of first-party cookies and no third-party trackers.

3.5 Categories We Do NOT Collect

  • We do not knowingly collect special categories of personal data (race, ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life, sexual orientation, criminal convictions) under GDPR Article 9.
  • We do not knowingly collect Sensitive Personal Information for purposes beyond those permitted by 11 CCR § 7027(m) under CCPA/CPRA.
  • We do not knowingly collect Personal Data of children under 13 (the Estonian consent age) or under 16 (where the local member-state age applies). If we become aware we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe we may have collected their child's Personal Data should contact privacy@solgreen.ee.

4. How We Use Personal Data (Purposes & Legal Bases)

Plain English: We use your data to talk to you, deliver Services, run our business, and (only if you've explicitly opted in) send you marketing.

Purpose | Categories of Personal Data | Legal Basis (GDPR Article 6)
Respond to inquiries; provide proposals | Identity & Contact | Pre-contractual measures (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) — operating our business
Perform an engagement under a Statement of Work | Identity & Contact; Engagement Records | Contract (Art. 6(1)(b))
Bill, invoice, and collect payment | Identity & Contact; Invoices | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) — Estonian Bookkeeping Act + tax obligations
Operate, secure, and improve the Site | Website Telemetry; necessary cookies | Legitimate interests (Art. 6(1)(f)) — security, abuse prevention
Direct marketing (newsletters, content updates) — opt-in only | Identity & Contact | Consent (Art. 6(1)(a)) — see Section 7
Comply with legal, regulatory, or tax obligations | All categories as required | Legal obligation (Art. 6(1)(c))
Establish, exercise, or defend legal claims | All categories as required | Legitimate interests (Art. 6(1)(f))

We do not engage in automated decision-making producing legal or similarly significant effects on individuals (GDPR Art. 22). We do not engage in profiling of website visitors.

For Estonian Personal Data Protection Act purposes, the purposes set out above are the only purposes for which Personal Data is collected, and they are directly related to a function or activity of SOLGREEN.

5. Who We Share Personal Data With

Plain English: We don't sell your data. We don't share it for advertising. We use four named subprocessors. They're listed publicly.

5.1 No Sale; No Cross-Context Behavioral Advertising

We do not sell Personal Data and do not share Personal Data for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.

5.2 Processors and Sub-processors

We share Personal Data with a deliberately small set of third-party processors. Each is bound by a written DPA requiring confidentiality, security, and use of the data only on our documented instructions.

We maintain a public, current list of our sub-processors at https://solgreen.ee/subprocessors. Current subprocessors (as of the date of this Policy):

Subprocessor | Purpose | Country
Railway Corp. | Application hosting | United States
Cloudflare, Inc. | DNS, CDN, edge security | United States (global edge)
Resend, Inc. | Transactional email | United States
GitHub, Inc. (Microsoft) | Source-code repository | United States

Where a Statement of Work introduces additional engagement-specific processors (commonly: an AI vendor, a client-specified cloud service), we identify them in the SOW and update the public Subprocessor list accordingly.

5.3 Other Recipients

We may also share Personal Data:

  • With professional advisers (lawyers, accountants, auditors) bound by confidentiality
  • With government authorities, regulators, or courts where required by law or to establish, exercise, or defend legal claims
  • With a successor entity in a merger, acquisition, restructuring, or sale of assets (subject to your continuing rights)
  • With your consent or at your direction

6. International Data Transfers

Plain English: All four of our current subprocessors (Railway, Cloudflare, Resend, GitHub) are US-headquartered. EU data flowing to them moves under the EU SCCs and (where the vendor self-certifies) the EU-US Data Protection Framework.

When Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a non-EEA jurisdiction (typically the United States, where our subprocessors are headquartered), we rely on the following Chapter V GDPR safeguards:

6.1 EU / EEA Transfers

  • Mechanism: Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021
  • Modules used: Module Two (Controller-to-Processor) where we act as processor of an EU-based controller's data, and Module Three (Processor-to-Processor) where we onward-transfer to a sub-processor
  • EU-US Data Protection Framework: Where a sub-processor is self-certified under the DPF, the transfer also relies on the European Commission's adequacy decision for DPF-certified entities
  • Supplementary measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), pseudonymization where appropriate, strict access controls

6.2 UK Transfers

  • Mechanism: International Data Transfer Addendum (IDTA) to the EU SCCs (Version B1.0), as issued by the UK ICO under section 119A of the UK Data Protection Act 2018

6.3 Swiss Transfers

  • Mechanism: Swiss Addendum to the EU SCCs, recognized by the Swiss Federal Data Protection and Information Commissioner

6.4 Transfer Impact Assessments

We have completed Transfer Impact Assessments (TIAs) for the United States as a destination jurisdiction and for each of our US-based subprocessors. TIAs are reviewed annually and on material change to vendor operations or US surveillance law.

6.5 Article 49 Derogations

Where the safeguards above are unavailable, we will rely only on the derogations in Article 49 GDPR (e.g., your explicit informed consent or necessity for the performance of a contract requested by you).

7. Direct Marketing

Plain English: We only send marketing emails to people who have explicitly opted in. You can unsubscribe at any time, free of charge, with one click.

This section satisfies the requirements of the Estonian Electronic Communications Act, Article 13 of the EU ePrivacy Directive, and the U.S. CAN-SPAM Act for any commercial email we send.

7.1 What We Use for Direct Marketing

  • Personal Data used: Name, business email address, company, role
  • Marketing categories: SOLGREEN service updates, content offers (case studies, technical writing), event invitations relevant to your industry

7.2 Consent

We will only use your Personal Data for direct marketing if you have provided your explicit consent (e.g., by checking an unchecked-by-default opt-in box on a contact form or by confirming a double-opt-in email). Consent is sought separately from any other consent or contractual purpose.

7.3 Opt-Out

You may opt out at any time, free of charge, by:

  • Clicking the unsubscribe link in any marketing email
  • Emailing privacy@solgreen.ee requesting opt-out

We will give effect to your opt-out within ten (10) business days.

7.4 No Sharing for Third-Party Direct Marketing

We do not provide your Personal Data to any third party for that third party's direct marketing.

8. Data Retention

Plain English: We keep engagement records for 7 years after the work ends (Estonian accounting law requires it), then delete or anonymize them.

Category | Retention | Reason
Engagement records (briefs, correspondence, deliverables, invoices) | 7 years after engagement ends | Estonian Bookkeeping Act § 12 (raamatupidamise seadus); tax obligations; defence of legal claims
Identity & contact data of inactive prospects | 12 months from last interaction | To avoid stale outreach; deleted thereafter unless re-engaged
Marketing subscriber list | Until consent is withdrawn, then deleted within 30 days | Honoring opt-out
Website server / security logs | 30 days | Operations + security
Cookie-based identifiers | Per Cookie Policy categories | Functional and consent-based
Source-code repositories shared with you | Duration of engagement + reasonable handover, then archive or transfer per SOW | Engagement deliverable
Job-applicant data | 12 months from application close (with consent for talent-pool retention beyond that) | Recruitment record-keeping
Backups | Up to 90 days from primary deletion | Disaster recovery; backups encrypted

After the applicable retention period, Personal Data is securely deleted or anonymized so that it cannot be re-associated with an identifiable individual.

For Personal Data we process on behalf of clients (where we are a processor), retention is governed by the applicable Data Processing Agreement and the client's instructions.

9. Security

Plain English: Encrypt everything, strict access, log access, train people, name an incident coordinator. Full picture is on the Trust page.

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, in compliance with GDPR Article 32:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest
  • Access control: Need-to-know; role-based access; multi-factor authentication on administrative accounts; named, time-bounded, and logged access to client environments
  • Endpoint security: Full-disk encryption; remote-wipe; centrally-managed devices
  • Personnel: Confidentiality and data-protection clauses in every employment / contractor agreement; mandatory privacy and security training on onboarding and annually
  • Vendor management: Sub-processor due diligence (security questionnaire, certifications, DPA, transfer-mechanism review); DPAs in place with each
  • Incident response: Written incident-response plan; named incident coordinator; documented breach SLAs (Section 10)
  • Backup and DR: Encrypted backups; documented business-continuity and disaster-recovery procedures

For details, see Data & Trust.

10. Personal Data Breach Notification

Plain English: If something goes wrong, we notify regulators within 72 hours, notify affected people promptly when there's a real risk to them, and notify our clients within 24 hours of confirmation.

In the event of a personal data breach affecting Personal Data:

  • EU/EEA supervisory authorities (GDPR Article 33): Without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. The lead supervisory authority is Andmekaitse Inspektsioon (AKI) (aki.ee).
  • Affected EU/UK data subjects (GDPR Article 34): Without undue delay where the breach is likely to result in a high risk to rights and freedoms.
  • Clients (where we act as processor): Within twenty-four (24) hours of confirmation, in accordance with the DPA.
  • California residents and the California Attorney General (Cal. Civ. Code § 1798.82): Where the breach involves their unencrypted personal information and meets statutory thresholds.

A post-incident report is prepared within fourteen (14) days, including root-cause analysis and remediation measures.

11. Your Rights

Plain English: You can ask what we have on you, fix it, delete it, take it elsewhere, restrict or object to processing, or withdraw consent. Email privacy@solgreen.ee and we'll respond within one month.

Subject to applicable law, you have the following rights with respect to your Personal Data.

11.1 Rights Under GDPR / UK GDPR / Estonian PDPA / Swiss FADP

  • Right of access (Art. 15): Confirmation of whether we process your Personal Data and a copy of that data
  • Right to rectification (Art. 16): Correction of inaccurate or incomplete data
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21): Including for direct marketing (always honored)
  • Right not to be subject to automated decision-making (Art. 22): We do not engage in such decision-making
  • Right to withdraw consent: At any time, free of charge, where processing is based on consent
  • Right to lodge a complaint with a supervisory authority: Including Andmekaitse Inspektsioon (AKI) (Estonian DPA), your local EU Data Protection Authority, the UK ICO, or the Swiss FDPIC

11.2 Rights Under CCPA / CPRA (California Residents)

  • Right to know: Categories and specific pieces of Personal Information we have collected, sources, business or commercial purposes, and categories of third parties with whom we share it
  • Right to delete: Subject to legal exceptions
  • Right to correct
  • Right to opt-out of sale or sharing: We do not sell or share Personal Information for cross-context behavioral advertising; we still offer this opt-out as a matter of policy
  • Right to limit use of Sensitive Personal Information: We do not use Sensitive Personal Information for purposes beyond those permitted by 11 CCR § 7027(m), so this right does not apply in practice
  • Right to non-discrimination
  • Authorized agents: You may use an authorized agent to submit a request, subject to verification
  • Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose Personal Information to third parties for those third parties' direct-marketing purposes

11.3 How to Exercise Your Rights

  • Email: privacy@solgreen.ee
  • Postal: SOLGREEN OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia

We will:

  • Acknowledge your request within ten (10) business days
  • Verify your identity using reasonable measures
  • Respond within thirty (30) days for GDPR / UK GDPR / Estonian PDPA / FADP requests, or forty-five (45) days for CCPA/CPRA requests, with one extension where reasonably necessary

There is no charge for exercising your rights, except where requests are manifestly unfounded, excessive, or repetitive.

11.4 Global Privacy Control

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for California residents and as a withdrawal of analytics-cookie consent for visitors generally.

12. AI / Machine-Learning Processing

Plain English: We build AI products for clients (RAG, agents, automation) and use AI tools internally. We don't let AI vendors train on your data. We disclose AI involvement in deliverables. We follow the EU AI Act and EDPB guidance.

This section addresses Article 50 of the EU AI Act (Regulation (EU) 2024/1689), Article 25 (responsibilities along the AI value chain), and EDPB guidance on AI processing of personal data.

12.1 SOLGREEN's AI Activities

  • Internal use: We use AI tools (large language models, code-generation assistants) to improve productivity in software engineering, content production, and internal documentation.
  • Client deliverables: We design and build AI products for clients — retrieval-augmented generation (RAG) systems, autonomous agents, AI workflows, on-site assistants, and operator consoles.

12.2 No Training on Customer Data

We use AI vendors that contractually commit not to train, retrain, or fine-tune their models on your data or our customers' data. Where this commitment is not technically feasible for a specific vendor, we will inform the relevant client in advance and obtain written consent before processing data with that vendor.

12.3 Transparency (EU AI Act Article 50)

Where SOLGREEN deploys an AI system that interacts with natural persons (e.g., a customer-support agent), or that generates synthetic audio, image, video, or text content that is published to the public, we will ensure transparency consistent with Article 50:

  • AI systems that interact with humans are clearly identified as AI to the user
  • AI-generated content is labeled where required

For deliverables we hand off to clients, we document AI involvement so the client (as the deployer) can satisfy their own Article 50 obligations.

12.4 Human Oversight

Human review applies to AI-assisted outputs before delivery. Final editorial control rests with the client.

12.5 Prohibited Uses

We will not use AI tools to (a) make decisions producing legal or similarly significant effects on individuals without human oversight; (b) generate non-consensual intimate imagery; (c) create deceptive deepfakes intended to mislead about identity; (d) infer sensitive attributes from non-sensitive inputs; or (e) engage in any use prohibited by Article 5 of the EU AI Act.

12.6 Records and Value-Chain Responsibilities (Article 25)

We maintain internal records of AI tools used, data flows, and safeguards. Where SOLGREEN sits in the AI value chain as a deployer, modifier, or component supplier, we will provide downstream parties with the information they need to fulfill their own AI Act obligations.

13. When We Act as a Processor for Our Clients

Plain English: When we work on your behalf and process your end-users' personal data, you are the controller and we are the processor. The DPA governs that relationship. End-users should look at your privacy notice, not ours.

In the course of performing the Services for our clients, we may process Personal Data of the client's end-users on the client's behalf. In that case:

  • The client is the controller of that Personal Data
  • SOLGREEN is the processor acting on the client's documented instructions
  • The relationship is governed by a written Data Processing Agreement at https://solgreen.ee/dpa

End-users whose data is processed by us on behalf of a client should refer to that client's privacy notice. Rights requests submitted directly to SOLGREEN will be forwarded to the relevant client controller without undue delay.

14. Cookies

Plain English: Quick summary; full details in the Cookie Policy.

We use a small set of first-party cookies — strictly necessary cookies for site function and consent recording, and a preference cookie if you set a theme. We do not use third-party advertising, analytics, or session-replay scripts. For full details, see our Cookie Policy. A persistent "Cookie preferences" footer link allows you to update preferences at any time.

15. Changes to This Policy

Plain English: We update this Policy from time to time. Material changes get 30 days' notice.

For material changes we provide at least thirty (30) days' notice via a prominent banner on the Site and (where we have your email) by email. Non-material changes (clarifications, formatting) take effect on posting. The "Last Updated" date reflects the most recent changes. A change history is maintained in Appendix B.

16. How to Contact Us; How to Complain

  • Privacy contact: privacy@solgreen.ee
  • Postal: SOLGREEN OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia
  • Estonian DPA: Andmekaitse Inspektsioon (AKI)
  • EU Data Protection Authorities: List of National DPAs
  • UK Information Commissioner's Office: ico.org.uk
  • Swiss FDPIC: edoeb.admin.ch
  • California Privacy Protection Agency: cppa.ca.gov

Appendix A — CCPA/CPRA Categories Disclosure (Past 12 Months)

CCPA Category (§ 1798.140) | Examples we collect | Sources | Business purposes | Recipients
A — Identifiers | Name, business email, IP-derived approximate location | You; automatic | Service delivery; marketing (with consent); fraud prevention | Railway, Cloudflare, Resend, GitHub (and engagement-specific subprocessors named in SOWs)
B — Customer records | Name, address, telephone | You | Service delivery; billing | Accounting subprocessor
C — Protected classifications | Not collected | — | — | —
D — Commercial information | Engagement history | You; automatic | Service delivery | None
E — Biometric information | Not collected | — | — | —
F — Internet/network activity | Pages visited, referrer | Automatic | Site operation; security | Cloudflare (security); Railway (logs)
G — Geolocation (precise) | Not collected | — | — | —
H — Sensory data | Not collected | — | — | —
I — Professional/employment | Job title, company, role | You | Service delivery; marketing | None
J — Education information | Not collected | — | — | —
K — Inferences | Not collected | — | — | —
Sensitive Personal Information | Not used beyond § 7027(m) permitted purposes | — | — | —

Sale or Share of Personal Information: SOLGREEN has not sold and does not sell Personal Information. SOLGREEN has not shared and does not share Personal Information for cross-context behavioral advertising.

Retention: As set out in Section 8 above.