Effective Date: January 3, 2026
1. Introduction
This Privacy Policy outlines our commitment to protecting the privacy and personal data of our clients and users. We are SIA Kantorovich, and this policy describes how we, as a data controller, collect, use, store, and protect personal data in compliance with the EU's General Data Protection Regulation (GDPR). The right to privacy is a fundamental human right, and we are dedicated to upholding the principles of data protection in all our operations.
2. Scope and Applicability
This policy applies to all processing of personal data of individuals residing in the European Union (EU) conducted by our company. This includes data collected through our services, website, and other interactions. It applies to any organization, regardless of size, that processes the personal data of individuals within the EU. The GDPR has an extraterritoriality principle, meaning it applies to companies located outside the EU if they offer goods or services to, or monitor the behavior of, EU residents.
3. Definitions
Personal Data: Any information relating to an identified or identifiable natural person ('data subject'). This can include names, identification numbers, location data, or online identifiers. It applies whether the data is stored online, on a computer system, or on paper in a structured file.
Sensitive Personal Data: Special categories of personal data that are more sensitive, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation.
Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, or destruction.
Data Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this policy, SIA Kantorovich is the Data Controller.
Data Processor: A natural or legal person which processes personal data on behalf of the controller.
Data Subject: An individual whose personal data is being processed.
4. Data Protection Principles
In accordance with GDPR, we adhere to the following principles for processing personal data:
Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.
Data Minimization: We ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy: We take every reasonable step to ensure that personal data is accurate and, where necessary, kept up to date.
Storage Limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Accountability: As the data controller, we are responsible for, and must be able to demonstrate, compliance with these principles. This includes maintaining records of our processing activities.
5. Lawful Basis for Processing Data
All our data processing activities are based on a lawful basis as defined in Article 6 of the GDPR. These include:
Consent: The data subject has given clear, opt-in consent for us to process their personal data for a specific purpose. It is not enough to simply opt out; you must opt in.
Contract: The processing is necessary for the performance of a contract to which the data subject is a party, such as providing IT consulting or software installation services.
Legal Obligation: The processing is necessary for us to comply with the law (e.g., retaining financial records for tax purposes).
Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. When relying on legitimate interests, we will specify them in a privacy notice.
6. Data We Collect and How We Use It
We collect personal data to provide and improve our services. This includes:
Client and User Information: Name, email address, phone number, and business contact details to manage client relationships, fulfill service contracts, and provide support.
Financial Information: Billing address, bank account details, or credit card information for processing payments for our services. This processing is necessary for the performance of a contract and for compliance with legal obligations.
Technical and Usage Data: IP addresses, browser types, and information about how you use our website and services. This may be used for our legitimate interest in improving our service offerings.
Sensitive Personal Data: We will only collect and process sensitive personal data with the explicit consent of the data subject or where processing is necessary for compliance with a legal obligation. We implement additional safeguards for this category of data.
7. Third-Party Data Sharing
We hold the privacy of your data in the highest regard. We do not sell, rent, trade, or otherwise share your personal data with third parties for their marketing or independent commercial use.
Your data will only be shared under the following limited and necessary circumstances:
With Data Processors: We may engage trusted companies or individuals to perform functions on our behalf (e.g., cloud hosting providers, payment processors). These entities act as Data Processors and are contractually bound to process your data only on our instructions and in full compliance with GDPR, maintaining strict confidentiality and security.
For Legal Reasons: We may disclose your information if we are required to do so by law, in response to a court order, subpoena, or other legal process from a competent authority.
We remain responsible for your data when it is shared with our data processors.
8. Data Subject Rights
Under GDPR, data subjects have the following rights regarding their personal data:
The Right to Be Informed: You have the right to be informed about the collection and use of your personal data.
The Right of Access: You have the right to ask for a copy of the information we hold about you.
The Right to Rectification: You have the right to ask us to correct or update any personal data that is incorrect or incomplete.
The Right to Erasure (The "Right to be Forgotten"): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing. This right may be limited by legal obligations that require us to retain data.
The Right to Restrict Processing: You have the right to request the restriction or suppression of your personal data.
The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services.
The Right to Object: You have the right to object to the processing of your personal data in certain circumstances, such as for direct marketing.
To exercise any of these rights, please contact us using the information provided in the "Contact Us and Complaints" section of this policy.
9. Data Security and International Transfers
We are committed to ensuring the security of your personal data. We implement appropriate technical and organizational measures, such as two-factor authentication, end-to-end encryption where possible, staff training, and access controls to protect data against unauthorized access, disclosure, alteration, or destruction.
Personal data may be transferred to countries outside the EU/EEA. Such transfers will only occur if appropriate safeguards are in place, such as the use of Standard Contractual Clauses (SCCs) as approved by the European Commission, or where the transfer is based on another lawful mechanism. We offer a robust international data transfer framework as part of our Data Processing Addendum (DPA).
10. Data Retention
We will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. When data is no longer needed, it will be securely destroyed.
11. Privacy by Design and by Default
We integrate data protection into our processing activities and business practices from the design stage. This is known as "privacy by design." We also ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This means the most privacy-friendly settings are the default.
12. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay. We will also promptly communicate any breaches to affected customers and users when required by law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on our website. We encourage you to review this policy periodically.
14. Contact Us and Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us through our normal communication channels as provided on our company website or in your service agreement.
Data subjects also have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in the EU Member State of their habitual residence, place of work, or place of the alleged infringement if they believe that the processing of their personal data infringes GDPR.