Legal Document

Privacy Policy

Version 1.0 · Effective date: 1 March 2025 · Last updated: 16 March 2026

Contents

Data Controller
Data We Collect
How We Use Your Data
Legal Basis for Processing
Third-Party Processors
Data Retention
International Data Transfers
Your Rights
Data Security
Cookies
Children
Changes to This Policy
Contact

This Privacy Policy explains how Sakne Labs OÜ collects, uses, and protects your personal data when you use the T-Index platform. We are committed to full compliance with the EU General Data Protection Regulation (GDPR) and applicable Estonian data protection law.

1. Data Controller

The data controller responsible for your personal data is:

Sakne Labs OÜ
Kirsi 20, Tartu, Estonia
Registry code: 12207657
Email: info@saknelabs.com
Phone: +371 26172645

If you have any questions about how we handle your personal data, please contact us at the address above.

2. Data We Collect

2.1 Account & Identity Data

Email address
Password (stored as a cryptographic hash — never readable)
Account creation date and time
Date and version of consent to these terms

2.2 Company & Billing Data

Company name
Company registration number
VAT number (optional)
Billing address
Subscription plan and payment status

Payment card details are never stored by us — they are processed directly by Stripe (see Section 5).

2.3 Platform Usage Data

Machine records you create (model, serial number, installation details)
T-Index assessment scores and comments
Daily operational logs submitted by operators
Service records
Reports generated within the platform

2.4 Technical Data

IP address (logged by Firebase infrastructure)
Browser type and version
Session tokens (Firebase Authentication)
Error logs

2.5 Communication Data

Messages sent through the contact form
AI chat queries submitted via the Help section

3. How We Use Your Data

Purpose	Data used	Legal basis
Providing the T-Index platform service	Account, platform usage data	Contract performance
Processing subscription payments and issuing invoices	Company and billing data	Contract performance / legal obligation
Sending transactional emails (account confirmation, invoices)	Email address	Contract performance
Responding to support and contact requests	Email, message content	Legitimate interest
AI Help chat (Anthropic API)	Chat messages only — no account data	Legitimate interest
Security, fraud prevention, debugging	Technical data	Legitimate interest
Compliance with legal obligations (VAT records, etc.)	Billing data	Legal obligation

We do not sell your personal data. We do not use your data for advertising or profiling purposes.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the T-Index service, manage subscriptions, and deliver invoices.
Legal obligation (Art. 6(1)(c)): Processing required by Estonian law, EU VAT regulations, or other applicable legislation.
Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, platform improvement, and support communications — where our interests do not override your fundamental rights.
Consent (Art. 6(1)(a)): Where you have explicitly agreed to specific processing (e.g., future marketing communications, if applicable).

5. Third-Party Data Processors

We share data only with trusted processors who contractually commit to GDPR-compliant handling:

Processor	Purpose	Location	Safeguard
Google Firebase (Google LLC)	Authentication, database (Firestore)	EU (europe-west)	Google Cloud DPA + SCCs
Stripe Inc.	Payment processing	EU / USA	Stripe DPA + SCCs
Cloudflare Inc.	API routing (Worker)	Global CDN	Cloudflare DPA + SCCs
Anthropic PBC	AI Help chat processing	USA	Anthropic DPA + SCCs

No data is transferred to any other third party without your explicit consent or a specific legal obligation.

6. Data Retention

Active account data: Retained for the duration of your subscription plus 30 days after cancellation.
Billing records and invoices: Retained for 7 years (Estonian Accounting Act requirement).
Assessment and machine data: Retained while your account is active. Deleted upon account deletion request.
Help chat messages: Not stored on our servers. Processed in real-time and discarded.
Contact form messages: Retained for up to 2 years for support purposes.

After the applicable retention period expires, data is permanently deleted from all systems.

7. International Data Transfers

Our primary data storage is located in the European Union (Google Firebase europe-west region). Some data may be processed by processors with infrastructure in the United States (Stripe, Cloudflare, Anthropic).

All transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), ensuring an equivalent level of data protection.

If you are located outside the EEA (e.g., North America, Asia), your data is still processed in accordance with this policy and GDPR standards. By creating an account and using the platform, you acknowledge that your data will be processed as described.

8. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction (Art. 18): Request that we limit how we process your data.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info@saknelabs.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee) or the supervisory authority in your country of residence.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

All data in transit is encrypted using TLS 1.2+
Firebase Firestore data is encrypted at rest by Google
Passwords are never stored — Firebase Authentication uses industry-standard hashing
Access to production data is restricted to authorized personnel only
Stripe handles all payment card data under PCI DSS Level 1 certification

In the event of a personal data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Article 33–34.

10. Cookies & Local Storage

The T-Index platform uses the following essential technical cookies and local storage:

Firebase Authentication session token: Stores your login session. Expires on logout or after inactivity. Essential for platform operation.
UI preferences: Stores interface settings (e.g., light/dark mode) in browser local storage. No personal data.

Analytics Cookies (Optional — Requires Consent)

We use Google Analytics 4 (Google LLC) to understand how visitors interact with our website. These cookies are only activated after you give explicit consent via the cookie consent banner.

Legal basis: Consent (Art. 6(1)(a) GDPR)
Data collected: Anonymised page views, session duration, traffic sources. IP addresses are masked before processing (anonymize_ip: true).
Retention: Up to 26 months
Provider: Google LLC — Google Privacy Policy
Data transfer: Google LLC operates under EU Standard Contractual Clauses (SCCs)
No advertising: We do not use Google Analytics for advertising, remarketing, or cross-site tracking

You can withdraw your analytics consent at any time via the Cookie Preferences link in the website footer. We do not use advertising cookies, tracking pixels, or any other third-party analytics beyond Google Analytics 4.

11. Children

The T-Index platform is a B2B professional service intended for business use only. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has created an account, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Display a notice within the platform on your next login
Require re-acceptance if the changes affect the legal basis or scope of processing

Continued use of the platform after the effective date of an updated policy constitutes acceptance of the revised terms.

13. Contact & Data Protection Enquiries

Sakne Labs OÜ
Kirsi 20, Tartu, Estonia
Email: info@saknelabs.com
Phone: +371 26172645

Estonian Data Protection Inspectorate (supervisory authority):
Tatari 39, 10134 Tallinn, Estonia
www.aki.ee