Privacy Policy

This site (norvalda.studio) is operated by Vorantis OÜ, a private limited company registered in Estonia.

• Registry code: 16847291 (Estonian Business Registry)
• Address: Telliskivi 60a, 10412 Tallinn, Estonia
• Contact: privacy@norvalda.studio

For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), Vorantis OÜ is the data controller for personal data processed through this site and the services we provide.

We collect only what we need to run the business and respond to you.

• Contact form submissions: name, email, company, message content, and any optional context fields you fill in.
• Email correspondence: message threads you initiate with us at hello@norvalda.studio or any other address on this site.
• Client engagement data: if we enter a paid engagement, we process commercial data needed to deliver work (project briefs, billing details, access credentials you choose to share).
• Technical request data: standard server logs (IP address, user agent, requested URL, timestamp) retained for security and abuse prevention.
• Locale and theme preferences: stored locally in your browser, not transmitted to us.

We do not run third-party advertising networks, social media pixels, or cross-site tracking. We do not buy or sell personal data.

Each category of data has a defined purpose:

• Contact form & email: to reply to your inquiry, scope a possible engagement and send you a written quote.
• Client data: to perform the contract you signed with us (delivery, invoicing, support).
• Server logs: to keep the site reachable, detect abuse and meet our security obligations.

We do not use your data for automated decision-making or profiling that produces legal effects on you.

We rely on the following legal bases:

• Art. 6(1)(b) — performance of a contract or steps prior to entering a contract: when you submit the contact form or correspond with us about a possible engagement, and during paid client work.
• Art. 6(1)(c) — legal obligation: retention of invoices and accounting records required by Estonian law (Raamatupidamise seadus — typically 7 years).
• Art. 6(1)(f) — legitimate interests: server logging, fraud and abuse prevention, internal record-keeping, and minimal aggregated analytics where used.

We do not currently rely on consent (Art. 6(1)(a)) for any processing on this site, because we do not run non-essential cookies, marketing emails to non-clients, or third-party trackers.

We use a small, deliberately short list of sub-processors. Each is bound by a data processing agreement and provides GDPR-appropriate safeguards.

• Vercel Inc. (USA) — hosting and CDN for the website. Data: request metadata, server logs.
• Resend, Inc. (USA / EU) — transactional email delivery (form replies, quotes). Data: your email address and message content.
• Stripe Payments Europe Ltd. (Ireland) — payment processing for client invoices. Data: billing name, company, email, payment card metadata (we never see full card numbers).
• Google Workspace (Google Ireland Ltd.) — business email and document storage. Data: any correspondence and project documents.

We do not share personal data with advertisers, data brokers or social networks. We may disclose data to public authorities where legally required (e.g. court order, tax inspection).

We keep data only as long as we have a defined reason to.

• Contact inquiries that do not lead to engagement: 24 months, then deleted.
• Active client records: for the duration of the engagement plus 7 years (Estonian accounting law).
• Invoices and tax records: 7 years from the end of the financial year (statutory requirement).
• Server logs: 30 days, then deleted or aggregated beyond identifiability.
• Email correspondence: retained while operationally useful, reviewed and pruned at least annually.

You have the following rights in relation to your personal data:

• Access (Art. 15): a copy of the data we hold about you.
• Rectification (Art. 16): correction of inaccurate or incomplete data.
• Erasure (Art. 17): deletion, where there is no overriding legal reason to retain.
• Restriction (Art. 18): pause processing in defined situations.
• Portability (Art. 20): a machine-readable copy of data you provided to us.
• Objection (Art. 21): to processing based on legitimate interests.
• Withdraw consent at any time, where processing is consent-based, without affecting prior lawful processing.
• Lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — aki.ee.

To exercise any of these rights, write to privacy@norvalda.studio. We aim to respond within 30 days.

Some sub-processors are based outside the European Economic Area (notably in the United States). Where this is the case we rely on:

• The European Commission's adequacy decision for the EU–U.S. Data Privacy Framework, where the recipient is certified, or
• Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), supplemented by technical and organisational measures.

You can request a summary of the safeguards in place by contacting privacy@norvalda.studio.

We use a minimal set of essential cookies and browser storage entries only — for locale, theme and basic security. We do not use tracking, advertising or third-party analytics cookies.

See the dedicated Cookie Policy for the full list.

Privacy questions, data subject requests and complaints:

• Email: privacy@norvalda.studio
• Post: Vorantis OÜ, Telliskivi 60a, 10412 Tallinn, Estonia

Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn — aki.ee.