Privacy Notice
I. Purpose of this Privacy Notice
1.1 This Privacy Notice (“Privacy Notice”) explains how Iute Group AS (“Iute”, “we”, “us”) collects and uses personal data about individuals (“you”) who interact with our organisation – such as by using our website, communicating with us, or engaging with our services, including as partners or visitors. It explains what personal information we collect and how we use it.
1.2 Please read this Privacy Notice carefully before submitting your personal data to us. By providing your personal data, you acknowledge that you have read and understood this Privacy Notice.
Note! If you are applying for a position at Iute Group, please refer to our dedicated Recruitment Privacy Notice for detailed information about how we handle personal data in the recruitment process.
II. Who We Are
2.1 For the purpose of the General Data Protection Regulation (“GDPR”) the Data Controller is Iute Group AS, a company registered in Estonia. If you have any comments or questions about this Privacy Notice, feel free to contact us at dpo@iute.com.
2.2 We also act as a joint controller together with our subsidiaries in the countries where we operate. Each joint controllership agreement defines the roles and responsibilities for processing personal data. While our subsidiaries are in direct contact with customers and handle service delivery, we provide group-wide IT systems, infrastructure, backups, and strategic oversight. This means that we may access and process customer data for purposes such as service improvement, analytics, compliance, and platform management.
2.3 A summary of the relevant joint controllership arrangements is available upon request by contacting dpo@iute.com.
2.4 A list of our subsidiaries and the countries in which joint controllership agreements apply is available upon request or can be accessed via our website.
III. Personal Data We Collect
3.1 We may collect and process the following categories of personal data depending on your interaction with us:
Purpose | Data types | Lawful Basis |
---|---|---|
Website use | Technical and usage information, including IP address, browser type, operating system, pages visited, and session data. | Legitimate interests – to ensure the security, functionality, and performance of our website and services. |
Cookies and tracking | Cookie identifiers, session IDs, usage preferences, and tracking pixels. | Consent for non-essential cookies; legitimate interests or performance of a contract for strictly necessary cookies – in accordance with our Cookie Policy. |
Communications data | Information voluntarily provided via contact forms, email, phone, or other platforms – such as name, email address, phone number, and message content. | Consent – based on article 6(1)(a) of the GDPR. You may withdraw consent at any time. |
Recruitment | Please refer to our Recruitment Privacy Notice for detailed information on how personal data is handled in connection with job applications. | – |
Concluding and performing contracts | Name, contact details, job title, company affiliation (if applicable). | Contract performance – necessary to enter into or perform a contract. |
Intra-group data transfers | Since we have several group companies that are interconnected, we may share your personal data among these companies, including customer data collected by subsidiaries and accessed by us for system administration, analytics, compliance, and platform operations. | Depending on the purpose – legitimate interests (ensuring service quality, operational efficiency, group-wide compliance), legal obligation (audits, regulatory reporting), contract performance (support service delivery under contracts), consent (marketing, customer research). |
Safeguarding our rights | Any relevant data (e.g., communication logs, audit trails, contract details) needed to investigate, defend, or establish legal claims. | Legitimate interests – to defend our rights, enforce agreements, and handle disputes. |
Legal & regulatory obligations | Any data relevant to legal compliance, audits, or enforcement (e.g., access logs, backups, email metadata). | Legal obligation – to comply with applicable law. |
Secure our systems, infrastructure and services against fraud | Technical logs, access records, user IDs, IP addresses, device identifiers, and other metadata. | Legitimate interests – to maintain cybersecurity, prevent fraud, and ensure the integrity and availability of our services. |
IV. Sharing Personal Data
4.1 We may share your personal data with trusted third-party processors where necessary to support our operations and deliver services. These include:
- Recruitment platforms for processing job applications (see Recruitment Privacy Notice);
- Analytics and marketing service providers to evaluate site performance (see our Cookie Policy for details);
- IT and hosting providers who assist in the operation of our website and communication tools;
- Legal or regulatory authorities when required by law.
4.2 All third-party service providers are contractually bound by strict data processing agreements (DPAs) and are required to comply with applicable data protection laws.
4.3 We do not sell, rent, or otherwise commercially share your personal data with third parties under any circumstances.
V. International Data Transfers
5.1 As a general rule we do not transfer your personal data outside the EU/EEA. However, if such a transfer is necessary – for example, when using service providers based outside the EU/EEA – we ensure that it is done lawfully and with appropriate safeguards.
5.2 This includes transfers to countries with an adequacy decision from the European Commission or under standard contractual clauses or equivalent safeguards that ensure your data remains protected.
5.3 We also implement appropriate technical and organizational measures to secure your data during and after transfer, based on what is effective and technically feasible.
5.4 If you would like more information about these transfers or the safeguards in place, please contact us using the details provided below.
VI. Data Retention
6.1 We retain personal data only as long as necessary for the purposes described above:
- Contact form submissions: up to 1 year.
- Job applications: see Recruitment Privacy Notice for more information.
- Analytics data: 2 years (if collected).
- Cookie data: see Cookie Policy for details.
6.2 We may retain data longer where legally required or if necessary to resolve disputes or enforce agreements.
6.3 If no specific retention period is stated, we determine the appropriate timeframe based on the nature of the data and the purpose for which it was collected.
VII. Your Rights as a Data Subject
7.1 To the extent required by applicable data protection regulations, you have all the rights of a data subject as regards your personal data. Such rights include the following:
- Right to access – know what personal data we hold and obtain a copy.
- Right to rectification – correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) – request deletion under certain conditions.
- Right to restrict processing – suspend processing under specific circumstances.
- Right to data portability – receive your data in a structured, commonly used format.
- Right to object – to processing based on legitimate interest.
- Right to withdraw consent – at any time without affecting past lawful processing.
- Right to lodge a complaint – with us or a supervisory authority (see below).
7.2 We will respond to your request within one month in accordance with the GDPR. No fee is required unless requests are unfounded or excessive.
7.3 To exercise your rights, contact us at dpo@iute.com. You will not be discriminated against for exercising any of your rights.
VIII. Lodging a Complaint
8.1 If you believe your rights have been violated, you can contact us at dpo@iute.com or lodge a complaint with the Data Protection Inspectorate of Estonia:
- Email: info@aki.ee
- Website: www.aki.ee
IX. Changes to this Notice
9.1 We reserve the right to update this Privacy Notice. All changes will be posted on this page, and significant changes will be communicated via our website.
Last updated: July 24, 2025