Privacy Policy

---

1. Controller / Data Controller
Copperstream Capital OÜ
Registered address: Roseni Tn 9-16, Estonia
Business registry number: 16151600
Email: info@copperstream.capital

2. Introduction & Scope
We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share and protect personal data, and your rights in relation to that data.

This policy applies to personal data collected via our website (e.g. contact forms, newsletter signups) or other services we provide (e.g. consulting, events).
We process personal data of individuals located in Estonia or the EU, and this processing is subject to the EU General Data Protection Regulation (GDPR) and Estonia’s implementing legislation (Personal Data Protection Act). DLA Piper Data Protection+2CaseGuard+2

3. What personal data we collect & how
We collect personal data that you provide voluntarily, and/or automatically via the website’s technical infrastructure. Types of data may include:

• Contact information: name, email address, phone number, job title, organization
• Communications: correspondence, inquiries, messages via contact form or email
• Website usage / technical data: IP address, device type, browser type, pages visited, time stamps, cookies and analytics data
• Other data: optionally, any additional information you provide (e.g. for event registration, feedback, downloads)

We may also collect data from third-party sources (e.g. LinkedIn, business directories) where publicly available, but only when lawful and justified.

4. Legal basis for processing
We rely on one or more of the following legal grounds:

• Consent: when you provide explicit consent (e.g. newsletter subscription, contact form)
• Contract / pre-contractual actions: when processing is necessary to perform or prepare a contract (e.g. consulting agreement)
• Legitimate interests: for marketing, communication, website improvement, analytics — provided your rights are not overridden
• Compliance with legal obligations: e.g. record-keeping, reporting duties

5. Purpose of processing & use of data
We use personal data for the following purposes:

• Responding to inquiries, providing consulting services
• Sending newsletters, marketing communications (if consented)
• Managing events or webinars
• Improving website performance, analytics, security
• Fulfilling legal obligations (accounting, audit, compliance)
• Communicating with clients and partners

6. Data sharing / recipients / processors
We may share personal data with:

• Third-party service providers / processors (e.g. email service, hosting provider, analytics tools) under contract and with sufficient guarantees
• Legal or regulatory authorities when required by law
• Potential buyers or advisors in case of business restructuring, reorganization, sale (with safeguards)

We will ensure such recipients adhere to data protection obligations (e.g. through data processing agreements, standard contractual clauses).

7. International data transfers
If personal data is transferred outside the European Economic Area (EEA), we will do so only if:

• The recipient country is deemed by the EU to provide adequate protection; or
• Appropriate safeguards are in place (e.g. Standard Contractual Clauses, binding corporate rules); or
• You have explicitly consented to the transfer; or
• Other legal basis permitted under GDPR

8. Data retention / storage period
We retain personal data only as long as necessary for the purpose for which it was collected or as required by law (e.g. accounting records). After that, data will be erased or anonymized.
Example retention periods (adjust to your practice):

• Inquiries / contact form data: retained for up to 3–5 years
• Newsletter / marketing contacts: until consent withdrawal
• Contractual client data: until end of client relationship plus any legally required retention period

9. Security measures
We implement technical and organizational measures to protect personal data — e.g.:

• Encryption, pseudonymization where appropriate
• Access controls and least privilege principle
• Regular security reviews, backups, incident response procedures

10. Rights of data subjects
Under the GDPR and Estonian law, you have the following rights:

• Right of access — request a copy of your personal data
• Right to rectification — correct inaccuracies
• Right to erasure (“right to be forgotten”) under certain circumstances
• Right to restrict processing
• Right to data portability (where processing is based on consent or contract)
• Right to object to processing (especially for direct marketing or when based on legitimate interest)
• Right to withdraw consent at any time (for processing based on consent)
• Right to lodge a complaint with a supervisory authority (in Estonia: Estonian Data Protection Inspectorate / Andmekaitse Inspektsioon)

Requests will be handled within statutory timeframes (usually one month, possibly extended to three months in complex cases)

11. Cookies / tracking technologies
We use cookies and similar technologies to enhance user experience, analyze usage, and provide functionality.

• You may accept or decline non-essential cookies
• Cookie banner / consent mechanism should be in place
• For detailed information, see our separate Cookie Policy

12. Changes to this Privacy Policy
We may update this policy from time to time (e.g. due to legal changes or changes in processing).
Major changes will be communicated (e.g. via email or notice on website) before they take effect.
Effective date: [date]