Legal
Privacy Policy
Last updated: February 2026 · Stoic X OÜ · GDPR compliant
Data Controller
Who is responsible for your data
Controller
Stoic X OÜ
Address
Sepapaja tn 6, 15551 Tallinn, Estonia
Contact
Applicable Law
EU General Data Protection Regulation (GDPR) 2016/679 and Estonian Personal Data Protection Act
Data We Collect
Contact & enquiry data
Data
Name, work email address, company name, message content
How collected
Contact form, email correspondence, or direct outreach
Purpose
Responding to assessment requests, scoping engagements, and business communication
Legal basis
Art. 6(1)(b) GDPR — performance of a contract or pre-contractual steps
Retention
3 years from last contact, or for the duration of the contractual relationship
Technical & usage data
Data
IP address, browser type, pages visited, referrer URL, time of visit
How collected
Server logs generated automatically when you visit this website
Purpose
Website security, abuse prevention, and aggregate analytics
Legal basis
Art. 6(1)(f) GDPR — legitimate interest in securing and operating the website
Retention
30 days, then automatically deleted
Engagement & contract data
Data
Scope of work documents, signed authorisation letters, NDA content, engagement reports
Purpose
Delivery of penetration testing and red team services, legal compliance
Legal basis
Art. 6(1)(b) GDPR — contractual obligation; Art. 6(1)(c) — legal obligation
Retention
7 years from contract end, in compliance with Estonian accounting and tax law
Cookies
Cookie usage
This website does not use tracking cookies, advertising cookies, or third-party analytics services.
We do not use Google Analytics, Meta Pixel, or any similar tracking technology.
If any functional cookies are set in the future (e.g. to remember form state), this policy will be updated
and consent obtained in accordance with Art. 6(1)(a) GDPR and the ePrivacy Directive.
Data Sharing & Transfers
Third parties
Sale of data
We never sell, rent, or trade personal data.
Service providers
We may share data with vetted processors (e.g. email hosting, cloud infrastructure) under binding data processing agreements. All processors are contractually bound to GDPR obligations.
Legal disclosure
We may disclose data if required by Estonian or EU law, court order, or to protect against fraud or security threats.
International transfers
Data is processed within the EU/EEA. Any transfer outside the EEA is conducted under Standard Contractual Clauses (SCCs) approved by the European Commission.
Your Rights Under GDPR
Rights you can exercise at any time
Right of Access
Request a copy of the personal data we hold about you (Art. 15 GDPR).
Right to Rectification
Request correction of inaccurate or incomplete data (Art. 16 GDPR).
Right to Erasure
Request deletion of your data where there is no legal basis for continued processing (Art. 17 GDPR).
Right to Restriction
Request that we limit how we use your data while a dispute is resolved (Art. 18 GDPR).
Right to Portability
Receive your data in a structured, machine-readable format (Art. 20 GDPR).
Right to Object
Object to processing based on legitimate interest at any time (Art. 21 GDPR).
To exercise any of these rights, contact us at ops@stoic.io.
We will respond within 30 days. We may need to verify your identity before processing the request.
Supervisory Authority
Right to lodge a complaint
Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website
Email
You have the right to lodge a complaint with the Estonian Data Protection Inspectorate if you believe
your data has been processed unlawfully. You may also contact the supervisory authority of your EU
member state of residence.
Security
How we protect your data
As a cybersecurity firm, data security is not an afterthought — it is our business. We apply
industry-standard technical and organisational measures including encryption in transit and at rest,
access control with least-privilege principles, and regular internal security reviews. Engagement data
and client information are handled under strict confidentiality obligations.
Changes to This Policy
Policy updates
We may update this Privacy Policy from time to time. The date at the top of the page reflects the
most recent revision. Material changes will be communicated directly to clients with active contracts.
Continued use of this website after changes constitutes acceptance of the updated policy.