Privacy Policy

Last updated: 29 October 2025

Erphitea OÜ (“Erphitea,” “we,” “us” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you:

• visit erphitea.com (the “Site”); or

• engage our architectural-visualisation services (the “Services”).

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Brazil’s LGPD, as applicable.

1. Data Controller & DPO

Controller: Erphitea OÜ

Registry code: 17272613

Registered seat: Ahtri 12, 15551 Tallinn, Estonia

Data Protection Officer: info@erphitea.com

All privacy-related notices and requests (access, rectification, deletion, etc.) should be sent to that address.

2. What Data We Collect & Why

We collect the following categories of personal data:

Contact Data

  • Examples: Name, company name, email address, phone number

  • Legal basis: Performance of contract (GDPR art. 6(1)(b)) or your consent (art. 6(1)(a))

Project Data

  • Examples: Architectural drawings, 3-D model files, design notes

  • Legal basis: Performance of contract (art. 6(1)(b))

Payment Data

  • Examples: Invoice address, VAT number, transaction IDs

  • Legal basis: Legal obligation (art. 6(1)(c))

Website Usage Data

  • Examples: IP address, browser type, pages visited, clicks, form submissions, cookie identifiers

  • Legal basis: Legitimate Interest (art. 6(1)(f)) for technical logging (e.g., IP address), site security, and core performance; Your Consent (art. 6(1)(a)) for analytics, advertising, and associated identifiers.

Advertising Data

  • Examples: Ad click identifiers (GCLID), Conversion ID, Audience segments.

  • Legal basis: Your Consent (art. 6(1)(a)).

Marketing Preferences

  • Examples: Newsletter opt-in status, communications history

  • Legal basis: Your consent (art. 6(1)(a))

We do not collect special-category data (art. 9) unless you voluntarily provide it (for example, health details under an NDA).

Except where needed to perform our contract or comply with law, you may choose not to provide any of the personal data listed above; however, this may limit our ability to deliver certain Services (e.g. quotes, invoicing, support).

3. How We Use & Share Your Data

  • Provide & support Services (quoting, delivery, support)

  • Billing & compliance (invoicing, tax)

  • Site operations (security, performance, analytics)

  • Marketing emails (only if you opt in)

  • For internal analytics (e.g. to improve our marketing and sales)

  • For Advertising Measurement & Optimization: To measure the performance and conversion rate of our Google Ads campaigns, attribute sales/leads back to specific ads, and optimize bidding using data collected from Google Tags (including modeled data when consent is denied).

  • For Personalized Advertising (Remarketing): To create custom audiences based on your past visits and behavior on the Site (e.g., pages visited, forms submitted) in order to display relevant advertisements to you on Google and third-party partner websites.

  • Fraud prevention

Shared with:

  • Cloud hosts under EU safeguards

  • Payment processors under PCI-DSS

  • Email & marketing (e.g. Mailchimp) under GDPR-compliant contracts

  • Professional advisers (accountants, lawyers) bound by NDA

  • Authorities (tax, legal, where required)

Data transfers outside the EEA rely on an EU adequacy decision or Standard Contractual Clauses.

We do not carry out any profiling or automated decision-making under GDPR Art. 22.

We do not sell your personal information under any circumstances.

4. System Logs & Maintenance

We collect server logs (IP, timestamps, errors) and perform regular backups and vulnerability scans to keep the Site secure and running smoothly.

5. Cookies & Tracking Technologies

We use essential cookies for core Site functionality (e.g., security and site performance).

For analytics and advertising, we use non-essential cookies and other tracking technologies. These are only activated if you grant explicit consent via our consent banner. You can disable non-essential cookies via our banner or your browser settings.

Data Stitching and Contact Unification: We use the HubSpot tracking code across our Site to uniquely identify individual visitors. When a visitor submits a form or provides their contact details, we link their anonymous website activity history (pages visited, time on site) to their known CRM contact record. This process allows us to understand the full user journey and personalize our subsequent communications.

Tracking Tools & Purposes

We use Google Tag Manager (GTM) to centrally manage and deploy all analytics and advertising tags, which include:

  • Google Analytics 4 (GA4): We use GA4 to collect non-personal data on visitor behavior (pages viewed, time on site, traffic source, etc.) for general site improvement and to establish Key Events (Conversions).

  • Google Ads Conversion Tracking: We use dedicated Google Ads tags to precisely measure conversions (actions) taken after interacting with our advertisements (e.g., form submissions, contact clicks). This data is vital for optimizing our bidding strategies and campaign performance.

  • Google Ads Remarketing: This feature uses cookies to segment visitors based on their past activity on the Site, allowing us to show them personalized ads (remarketing) when they visit other websites.

Data Collected & Your Controls

Data Category: Identifiers

Examples of Data Collected: Unique cookie ID, device identifier, Ad Click Identifier (GCLID)

Data Category: Technical Data

Examples of Data Collected: IP address (used for general location), browser type, date/time of visit.

Important Note on PII: We do not send Personally Identifiable Information (PII) to Google Analytics.

Your Controls and Opt-Out Options:

You have the following rights regarding non-essential cookies and tracking:

  • Consent Management: You can manage or withdraw your non-essential cookie preferences at any time via our consent banner (or cookie settings link).

  • General Opt-Out: You can disable all non-essential cookies via your browser settings.

  • Personalized Ads Opt-Out: You can opt out of Google’s use of personalized advertising cookies by visiting Google’s Ad Settings.

For more information on how Google uses data when you use our services, please review Google's Privacy & Terms.

6. Data Retention

  • Project files & invoices: 10 years (Estonian tax law)

  • Contact/marketing data: until consent withdrawn or 2 years after last contact

  • Analytics logs: up to 14 months

Expired data is securely deleted or irreversibly anonymised.

7. Your Privacy Rights

Under GDPR, CCPA & LGPD you may:

1. Access your data

2. Correct inaccuracies

3. Erase data (“right to be forgotten”)

4. Restrict or object to processing

5. Port your data to another controller

6. Withdraw consent at any time

Supervisory authorities

  • EU / Estonia: Estonian Data Protection Inspectorate (www.aki.ee)

  • CZ: Czech Personal Data Protection Office (https://uoou.gov.cz)

  • California: Office of the California Attorney General (www.oag.ca.gov/privacy/ccpa)

  • Brazil: National Data Protection Authority (ANPD) (https://www.gov.br/anpd)

To exercise any right, contact info@erphitea.com. We’ll verify your identity before acting.

You will not be denied services or charged different prices for exercising your data rights.

8. Data Security

  • Encryption, wherever possible

  • Access controls: authorised personnel under confidentiality obligations

  • MFA (multi-factor authentication) on all cloud hosts we use

  • Monitoring: regular vulnerability scans & backups

9. Third-Party Links & Content

Our Site may embed or link to third parties. We aren’t responsible for their practices; please review their privacy policies.

10. Children

We do not knowingly collect data from anyone under 16. If we learn we have, we’ll delete it immediately.

11. Changes to this Policy

We may update this at any time. Material changes will be posted here and, where practical, emailed to you. Continued use of the Site or Services indicates acceptance.

12. Governing Law & Jurisdiction

Data-protection issues are governed by Estonian law and, where applicable, overseen by the Estonian Data Protection Inspectorate (AKI) or local courts under EU rules.

© 2025 Erphitea OÜ. All rights reserved.