PRIVACY POLICY
Last updated: 30 January 2026
This Privacy Policy explains how Lioriva OÜ, a company incorporated under the laws of the Republic of Estonia (the Company, we, us, our), collects, uses, stores, and protects personal data when you access or use our website scalelab.digital and related services (the Service).
This Privacy Policy forms an integral part of the Terms of Service. We value transparency and data protection. This Policy is intended to clearly explain what personal data is processed, for what purposes, on what legal basis, how long it is retained, and what rights you have under applicable data protection laws.
This Policy is drafted in accordance with:
● Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
● the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus);
● Directive 2002/58/EC (ePrivacy Directive), where applicable;
● other applicable EU and Estonian civil and consumer protection laws.
1. Data Controller
The data controller responsible for processing your personal data is:
Lioriva OÜ
Registration number: 17425910
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Endla tn 16, 10142, Republic of Estonia
Email: privacy@scalelab.digital
Data Protection Officer (DPO)
The Company has not appointed a Data Protection Officer, as it is not currently required under Article 37 GDPR. For privacy-related questions or requests, contact privacy@scalelab.digital.
2. Categories of Personal Data We Process
We process only personal data necessary for providing the Service, collected:
(i) directly from you (e.g., account creation, orders, contact forms);
(ii) automatically via the Website (technical logs, identifiers);
(iii) from payment providers (transaction references, payment status only).
2.1 Identification & Contact Data
email address;
name or business name (if provided);
account credentials.
2.2 Account & Order Data
selected services and order details;
order status, delivery timelines, service completion records;
invoices and billing info;
payment status and transaction references.
The Company does not store full payment card details.
2.3 Communication Data
messages via contact forms;
emails with customer support or legal teams.
2.4 Technical & Usage Data
IP address (anonymized/truncated);
browser/device type, OS;
access logs, timestamps, interaction data (aggregated).
3. Purposes of Processing
Personal data is processed strictly for:
● providing and performing ordered Services;
● managing user accounts and order history;
● processing payments and refunds;
● confirming requirements and delivering results;
● responding to inquiries;
● ensuring platform security, integrity, and fraud prevention;
● complying with legal, accounting, regulatory obligations.
The Company does not sell personal data or use it for advertising profiling, behavioral targeting, or resale.
Confidentiality of Briefs and Deliverables
Business briefs, project materials, and deliverables contain sensitive commercial information. Access is limited to authorized personnel strictly on a need-to-know basis.
4. Privacy-by-Design & Data Minimization
The Company applies privacy-by-design and privacy-by-default (Article 25 GDPR). Personal data is:
● collected only when necessary;
● processed for clearly defined legitimate purposes;
● limited in scope, access, and retention.
Where feasible, data is anonymized, aggregated, or pseudonymized.
5. Legal Bases for Processing (GDPR)
● Article 6(1)(b) GDPR – performance of a contract;
● Article 6(1)(c) GDPR – compliance with legal obligations;
● Article 6(1)(f) GDPR – legitimate interests (security, fraud prevention, service stability, operations);
● Article 6(1)(a) GDPR – consent, where required (e.g., analytics cookies).
6. Payments
Payments are processed via certified PSPs. The Company:
● does not store full payment card data;
● receives limited transaction metadata for accounting and support.
Payment providers process personal data per their privacy policies and regulations.
7. Data Sharing & Disclosure
Personal data may be shared with:
● payment service providers;
● IT, hosting, infrastructure, security providers;
● professional advisors (legal, accounting);
● public authorities when legally required.
Third parties are bound by confidentiality. No sale or rent of personal data occurs.
7.1 Sub-processors
Sub-processors are selected and assessed to ensure GDPR compliance and act only on Company instructions, to the extent necessary to provide the Service.
8. International Data Transfers
Personal data is processed primarily within the EEA. Transfers outside the EEA use:
● EU–U.S. Data Privacy Framework or
● Standard Contractual Clauses (SCCs).
Supplementary safeguards are applied as needed.
9. Data Retention
Data is retained only as necessary:
● Account/order data – duration of contractual relationship plus statutory limits;
● Billing/tax data – per Estonian law;
● Communications – as needed for service and dispute resolution;
● Technical logs – typically deleted/anonymized within 30 days unless required longer;
● Temporary working files – until service delivery or revisions, then deleted/anonymized unless required for security/legal reasons.
10. Data Security
Technical/organizational measures (Article 32 GDPR):
● encrypted connections and secure protocols;
● access controls and role-based permissions;
● data minimization and segregation;
● monitoring for unauthorized access.
All transmissions use TLS. Access to personal/order/brief data is limited to authorized personnel. Encrypted backups and audit logs are maintained.
11. Automated Decision-Making, Profiling & Human Review
The Company does not carry out automated decision-making or profiling under Article 22 GDPR. Services are human-prepared and reviewed.
12. Personal Data Breach Handling
In case of a breach likely to risk individuals’ rights/freedoms, the Company will notify:
● supervisory authority;
● affected users, per Articles 33 and 34 GDPR.
13. User Rights (GDPR)
Rights include:
● access;
● rectification or erasure;
● restrict/object;
● data portability;
● withdraw consent;
● lodge complaint with authority.
Requests: privacy@scalelab.digital
Communications preferences: you may opt out of non-essential communications; service communications are mandatory while an account/order is active.
14. Cookies & Tracking
Cookies are used per the Cookies Policy. Non-essential cookies require consent. A consent banner is used to manage preferences.
15. Third-Party Links
The Website may link to third-party sites. The Company is not responsible for their privacy practices.
16. Children’s Privacy
The Service is not for individuals under 18. Personal data of minors will be deleted if identified.
17. Changes to This Privacy Policy
Updates may reflect legal, technical, or operational changes. The latest version is always on the Website, effective upon publication.
18. Supervisory Authority
You have the right to lodge a complaint with the competent authority. In Estonia:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Website: https://www.aki.ee
19. Contact
For privacy-related questions or requests, contact: privacy@scalelab.digital