Privacy Policy
Last updated:
1. Who we are
This Privacy Policy explains how On Tap OÜ ("On Tap", "we", "us", or "our") processes personal data when you visit carboncommerce.store (the "Site"), contact us, subscribe to our communications, attend our events, apply for roles, or use related services described here.
Controller: On Tap OÜ
Registered address: Pärnu mnt 141-43, 11314 Tallinn, Estonia
Email: [email protected]
2. Scope
This Policy applies to visitors and users of the Site and to individuals who interact with us for business purposes (prospects, clients, suppliers, and candidates). It does not cover third-party websites or services linked from our Site.
3. Personal data we collect
3.1 Data you provide
- Contact details (name, business email, phone, company, role)
- Enquiry content (messages, requirements, files you upload)
- Marketing preferences (newsletter opt-in, topics of interest)
- Event registrations (dietary/access needs only when volunteered)
- Support information (if you access a customer portal we operate)
- Recruitment data (CV/resumé, cover letter, work history, portfolio)
3.2 Data we collect automatically
- Device and browsing data (IP address, user-agent, pages viewed, timestamps, referring URL)
- Cookie identifiers and similar technologies (see Cookies below)
- Basic location derived from IP (city/region level)
- Security data (anomaly detection, firewall/WAF logs)
3.3 Data from other sources
- Business contact data from partners or public sources (e.g., LinkedIn, company websites)
- Enrichment from our CRM/marketing tools (where permitted by law)
4. Purposes, legal bases, and retention
We process personal data only where we have a valid legal basis under the EU General Data Protection Regulation (GDPR). The table below summarises our main activities.
| Activity | Typical data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Website enquiries & contact forms | Name, business email, phone, company, message | Respond to your request; pre-contract discussions | Legitimate interests (B2B outreach) or steps prior to contract | 24 months from last interaction |
| Sales & CRM | Business contact data, comms history | Manage opportunities and business relationships | Legitimate interests | 3 years from last meaningful contact (or sooner on objection) |
| Marketing communications | Name, business email, preferences | Send newsletters, thought leadership, event invites | Consent (EEA) or legitimate interests (B2B soft opt-in where permitted) | Until you unsubscribe + 24 months on suppression list |
| Events & webinars | Registrant details, attendance | Registration, logistics, follow-up | Contract, legitimate interests, consent where required | 24 months after event |
| Customer support/portals | Business contact, ticket content, audit logs | Provide support and manage accounts | Contract | Term of contract + up to 6 years (claims limitation) |
| Recruitment | Application data, interview notes | Evaluate and manage applications | Legitimate interests; consent to retain for future roles | 12 months (or longer with consent) |
| Site analytics | Cookie IDs, IP (abbreviated), page events | Understand site performance and content effectiveness | Consent (analytics/marketing cookies) | Up to 14 months (tool-dependent) |
| Security & operations | IP addresses, log data, WAF/CDN logs | Maintain availability, prevent abuse, audit access | Legitimate interests; legal obligations | Typically 12 months (shorter or longer where required) |
| Finance & compliance | Invoicing, contract and KYC data | Satisfy tax, accounting and legal requirements | Legal obligations | As required by law (e.g., up to 7 years for accounting records) |
5. Cookies and similar technologies
We use cookies, SDKs and similar technologies to operate the Site, remember choices, and (with your consent in the EEA) to measure and improve marketing performance (e.g., analytics and advertising tags). Read more in our separate Cookie Policy.
6. Who we share data with
- Hosting, CDN and security providers
- Analytics and marketing platforms
- Email and communications providers
- CRM, sales and support tools
- Recruitment and HR tools
- Professional advisers and authorities where required by law
7. International data transfers
- We rely on an adequacy decision where available (e.g., for the United Kingdom, currently extended to 27 December 2025), or
- We use Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures.
8. Your rights (EEA/UK)
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase data (right to be forgotten)
- Restrict processing
- Portability of data you provided
- Object to processing based on legitimate interests, including direct marketing
- Withdraw consent at any time
9. How to contact us
Controller: On Tap OÜ
Postal address: Pärnu mnt 141-43, 11314 Tallinn, Estonia
Email: [email protected]
If you are located in the EEA/UK and believe your rights have been infringed, you also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Andmekaitse Inspektsioon.
10. Security
We apply technical and organisational measures appropriate to the risks, including: network and application security controls, access management, logging and monitoring, encryption in transit, employee confidentiality obligations, and regular assessments.
11. Children’s privacy
Our Site and services are intended for business users and are not directed to children. We do not knowingly collect personal data from children.
12. Changes to this Policy
We may update this Policy from time to time. Significant changes will be highlighted on the Site or communicated to you directly where appropriate.
Local supervisory authority (Estonia)
Andmekaitse Inspektsioon – Estonian Data Protection InspectorateTatari 39, 10134 Tallinn, Estonia
[email protected]
+372 627 4135
https://www.aki.ee/en