Privacy Policy

The controller of your personal data is:

• Online Logistics OÜ
• Registry code: 12753288
• Address: Masina tn 22, Tallinn 10113, Harju maakond, Estonia
• Email: info@kinnisvarakuulutaja.ee

We have not appointed a Data Protection Officer because our processing does not meet the thresholds in GDPR Art. 37(1). For any data-protection question, write to info@kinnisvarakuulutaja.ee.

This Policy covers personal data processed when you:

• visit any page of the Service;
• create or use an Account;
• publish or manage a Listing;
• send or receive an Inquiry;
• save Listings or build a comparison;
• subscribe to the newsletter;
• contact us; or
• otherwise interact with the Service.

When you act as a Seller and you receive a Buyer's Inquiry, you become an independent data controller of that Buyer's data. Your obligations as a Seller-controller are set out in Section 7 of the Terms of Service.

We process the following categories of data:

• Account data — email address, display name, login method (magic-link or Google account identifier), email-verification timestamp, role (buyer / seller / admin), and Account preferences.
• Listing data — property address, district, city, area, rooms, year built, condition, price, deal type (sale or rent), photos and other media, descriptions, highlights, floor, parking, heating, the Account that owns the Listing, and Listing status (draft, pending, live, expired, removed).
• Inquiry data — sender name, email, optional phone number, message body, the Listing it relates to, and the timestamp.
• Saved-listings & compare data — for signed-in users, the IDs of Listings you save or add to compare. For signed-out users, this stays in your browser only.
• Marketplace metrics — view counts, save counts, and Inquiry counts per Listing. Aggregated for the Seller dashboard and our own analytics.
• Newsletter data — your email address, the consent timestamp, and the page you signed up from.
• Communications — messages you send to info@kinnisvarakuulutaja.ee or other published inboxes, and our replies.
• Technical data — IP address, browser user-agent, language preference, time of request, request path, response status, and error diagnostics, processed for security, abuse prevention, and reliability.
• Cookies and similar identifiers — see Section 6.

We do not knowingly process special categories of personal data (GDPR Art. 9). Please do not include such data in Listings, or Inquiries.

We obtain personal data:

• directly from you, when you create an Account, publish a Listing, send an Inquiry, subscribe to the newsletter, or contact us;
• from Google, when you choose Google sign-in (your name, email address, and Google account identifier);
• automatically from your device, when you visit the Service (technical data and cookies described in Section 6);
• from public registries, only as aggregated statistics (e.g. Maa-amet apartment-price statistics for the weekly market pulse) — no personal data is read from those sources.

We use the following categories of cookies and local-storage items:

• Strictly necessary — sign-in session, CSRF token, language preference, cookie-consent state. These are set on every visit and do not require consent because they are essential for the Service.
• Analytics — Google Analytics 4 (G-BDB0N1KRVE) loaded through Google Tag Manager (GTM-KW67X48M). These cookies are set only after you give consent in the cookie banner and help us understand how the Service is used. You can withdraw consent any time through the cookie-settings link.
• Marketing — Meta Pixel and similar tools for campaign measurement and showing more relevant Kinnisvarakuulutaja content on other platforms. These are used only after you consent to marketing cookies.
• Local storage — saved Listings and compared Listings for signed-out users are stored only in your browser and never reach our servers unless you sign in.

A detailed cookie list (name, purpose, duration, provider) will be maintained on the cookie-settings page.

We share personal data with the following categories of recipients:

• The public, for Listing content (it is intentionally public) and for the Seller display name attached to a Listing.
• The relevant Seller, for Inquiry data (necessary to operate the marketplace).
• Our processors, who act only on our documented instructions:
• Vercel Inc. (United States) — application hosting, edge delivery; EU regions in use.
• Neon, Inc. (United States) — managed PostgreSQL database; EU region in use.
• Cloudflare, Inc. (United States) — R2 object storage for Listing photos and CDN delivery; EU regions in use.
• Resend (United States) — transactional email delivery (magic links, notifications).
• Google LLC / Google Ireland Limited — sign-in (OAuth), Cloud Translation, Google Analytics 4, Google Tag Manager, Google Search Console.
• Meta Platforms Ireland Limited (Ireland; data may transfer to Meta Platforms Inc. in the United States under Standard Contractual Clauses) — analytics and advertising through Meta Pixel for marketing cookies you consent to.
• Anthropic, PBC (United States; transfers governed by Standard Contractual Clauses and Anthropic's data-processing agreement) — large-language-model requests for AI content support, translation checks, social copy, and Listing quality review.
• Estonian Land Board (Maa-amet) — map tiles and public statistics; we do not share any personal data with Maa-amet.
• Public authorities, courts, regulators, when we are legally required or when it is necessary to establish, exercise, or defend a legal claim.
• Successors, in the event of a merger, acquisition, restructuring, or sale of assets, subject to the same protections as in this Policy.

We do not sell personal data.

We use Anthropic and Google AI services to:

• machine-translate Listing text into English and Russian;
• create post copy for our own marketplace social channels based on your Listing;
• check Listing content against our brand and legal-quality expectations;
• identify potentially low-quality or fraudulent Listings.

The legal basis is our legitimate interest (GDPR Article 6(1)(f)) in operating, protecting, marketing, and improving the Service. AI prompt inputs are not retained by the providers longer than needed to process each request, according to their data-processing terms. We do not use this AI processing to make automated decisions about you with legal or similarly significant effects under GDPR Article 22.

You can opt out of AI processing by writing to info@kinnisvarakuulutaja.ee. Opting out means your Listing will not be used for automated translation or content generation; the service continues with a manual workflow.

Some of our processors are headquartered in the United States. Where data is transferred outside the European Economic Area (EEA), we rely on:

• the EU-US Data Privacy Framework for processors that are certified (currently Google LLC); and
• the European Commission's Standard Contractual Clauses (SCCs), supplemented as needed, for other transfers.

Wherever a processor offers an EU region, we use it.

We keep personal data only as long as needed for the purposes for which it was collected, plus any retention required by law. Specifically:

Backups containing the above data may persist for up to 90 days after the underlying record is deleted, after which the backup rotates out.

Under the GDPR you have the right to:

• access your personal data and obtain a copy;
• rectify inaccurate or incomplete data;
• erase your data (the "right to be forgotten"), subject to our retention obligations;
• restrict processing in certain situations;
• object to processing based on legitimate interest;
• portability — receive your data in a structured, machine-readable format and transmit it to another controller;
• withdraw consent at any time, where processing is based on consent (this does not affect lawfulness of prior processing); and
• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not perform such automated decision-making).

To exercise any of these rights, write to info@kinnisvarakuulutaja.ee. We will respond within one month of receiving the request, with a possible extension of up to two further months for complex requests.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):

• Tatari 39, 10134 Tallinn, Estonia
• aki.ee
• info@aki.ee

We use technical and organisational measures appropriate to the risk, including:

• HTTPS/TLS for all data in transit;
• access controls, role separation, and audit logs for our internal systems;
• magic-link authentication and OAuth for Account sign-in;
• restricted API keys for third-party services;
• regular review of dependencies and security advisories;
• principle of least privilege for staff access to production data.

No internet system can be guaranteed fully secure. If you believe your Account has been compromised, write to info@kinnisvarakuulutaja.ee without delay.

The Service is intended for users aged 18 or older. Do not use the Service or provide personal data if you are under 18. If we learn that we have collected data from a person under 18, we will delete it.

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. Manual moderation is performed by people.

We may update this Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes — including new categories of data, new purposes, or new processors that materially affect you — will be notified at least 14 days in advance by email or by an in-product banner.

For any privacy question or to exercise your rights:

Online Logistics OÜ
Registry code 12753288
Masina tn 22, Tallinn 10113, Harju maakond, Estonia
info@kinnisvarakuulutaja.ee