Privacy Policy
Last Updated: February 8, 2026
1. INTRODUCTION AND IDENTITY OF THE CONTROLLER
This Privacy Policy explains how Weldme OÜ ("we", "us", or "our"), a private limited company incorporated under the laws of the Republic of Estonia (Registry Code: 14086560), collects, uses, and protects your personal data when you use our website, mobile applications, and AI-powered content analysis services (collectively, the "Service").
We act as the Data Controller for personal data collected through our Service.
Registered Address:
Tartu mnt 50-4, 10115 Tallinn, Estonia
Contact for Privacy Matters:
Email: [email protected]
2. CATEGORIES OF PERSONAL DATA WE PROCESS
We collect and process the following categories of personal data:
- Account Data: Name, email address, password (hashed), organization name, profile information.
- Usage Data: Log files, IP addresses, browser type and version, device information, operating system, time zone setting, access times, pages viewed, and other diagnostic data.
- Content Data: Text, images, documents, and other materials you upload to the Service for processing or analysis ("User Content").
- Payment and Transaction Data: Subscription tier, billing history, payment method details (processed securely by our third-party payment providers; we do not store full credit card numbers), VAT number, billing address.
- Communication Data: Records of your correspondence with us (email, support tickets, feedback).
- Marketing Data: Your preferences for receiving marketing communications and your interaction with those communications.
3. SOURCES OF PERSONAL DATA
- Directly from you: When you register, subscribe, upload content, contact support, or fill out forms.
- Automatically: Through cookies, log files, and analytics tools like Google Analytics when you interact with our Service.
- From Third Parties: From payment processors (confirmation of payment), login providers (e.g., "Sign in with Google/Apple" if strictly applicable), or public sources for B2B verification.
4. PURPOSES AND LEGAL BASES FOR PROCESSING
We process your data for specific purposes under the following legal bases (Article 6 GDPR):
| Purpose | Legal Basis |
|---|---|
| Providing the Service: Operating the platform, authenticating users, processing User Content, delivering generated outputs. | Performance of Contract (Art. 6(1)(b)) |
| Billing and Payments: Processing subscriptions, issuing invoices, handling refunds. | Performance of Contract (Art. 6(1)(b)); Legal Obligation (Art. 6(1)(c)) (Tax laws) |
| Customer Support: Responding to inquiries and troubleshooting issues. | Performance of Contract (Art. 6(1)(b)); Legitimate Interest (Art. 6(1)(f)) |
| Platform Security & Fraud Prevention: Detecting and preventing abuse, scraping, or unauthorized access. | Legitimate Interest (Art. 6(1)(f)) |
| Service Improvement: Analyzing usage trends to improve functionality and user experience (using aggregated/anonymized data where possible). | Legitimate Interest (Art. 6(1)(f)) |
| Marketing Communications: Sending newsletters or promotional offers. | Consent (Art. 6(1)(a)) (for B2C); Legitimate Interest (Art. 6(1)(f)) (for existing B2B customers, subject to opt-out) |
| Compliance: Complying with legal obligations (e.g., accounting, tax, regulatory requests). | Legal Obligation (Art. 6(1)(c)) |
5. AUTOMATED DECISION-MAKING AND PROFILING
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR). Our AI analysis is a tool for your use and review, not a fully automated decision-making process impacting your legal rights.
6. DATA RETENTION
We retain personal data only as long as necessary:
- Account Data: For the duration of your active account plus 12 months after deletion (to handle reactivation or disputes), unless a longer period is required by law.
- User Content: Processed transiently for immediate analysis. We may retain Input/Output data for up to 30 days for technical debugging and service improvement before permanent deletion, unless you explicitly save it to your account library.
- Payment & Transaction Data: 7 years as required by the Estonian Accounting Act and tax laws.
- Marketing Data: Until you withdraw consent (opt-out).
- Usage Logs: Up to 12 months for security and audit purposes.
7. RECIPIENTS AND PROCESSORS
To provide the Service, we share data with trusted third-party service providers ("Processors") under strict Data Processing Agreements (DPAs):
- Cloud Hosting & Infrastructure: (e.g., AWS, Google Cloud, DigitalOcean) – hosting servers and databases.
- AI Providers: (e.g., OpenAI, Anthropic, Google) – ONLY for the purpose of generating content/analysis as requested by you. We do not allow these providers to use your data to train their general models.
- Payment Processors: (e.g., Stripe, PayPal) – handling secure payments.
- Email & Communication Services: (e.g., SendGrid, Intercom) – sending transactional emails and support.
- Analytics Providers: (e.g., Google Analytics) – analyzing website traffic (aggregated).
8. INTERNATIONAL DATA TRANSFERS
Our primary servers are located within the European Economic Area (EEA). If we transfer data to processors outside the EEA (e.g., to the US), we ensure appropriate safeguards are in place, such as:
- Adequacy Decisions: Transferring to countries deemed adequate by the European Commission.
- Standard Contractual Clauses (SCCs): Implementing EU-approved contracts with the recipient.
- Data Privacy Framework: Transferring to US companies certified under the EU-US Data Privacy Framework.
9. COOKIES AND TRACKING TECHNOLOGIES
We use cookies to maintain your session, remember preferences, and analyze usage. You can control cookies through your browser settings. Essential cookies are required for the Service to function. For non-essential cookies (analytics, marketing), we request your prior consent.
10. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Hashing of passwords.
- Access controls and authentication (MFA where available).
- Regular security audits and vulnerability assessments.
- Data backup and recovery procedures.
11. YOUR RIGHTS (DATA SUBJECT RIGHTS)
Under the GDPR, you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal retention requirements).
- Restriction: Request we suspend processing of your data.
- Data Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interests or direct marketing.
- Withdraw Consent: At any time, where processing is based on consent.
To exercise these rights, please contact us at [email protected]. We will respond within one month.
12. CHILDREN'S PRIVACY
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will take steps to delete it.
13. RIGHT TO LODGE A COMPLAINT
If you believe your rights have been violated, you have the right to lodge a complaint with the Estonian data protection supervisory authority:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn
Email: [email protected]
Website: www.aki.ee
14. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. The "Last Updated" date will be revised. Significant changes will be communicated via email or a prominent notice on the Service.