Privacy Policy

This Privacy Policy describes how Loovl OÜ processes personal data of:

1. Visitors of our public websites at loovl.eu, pulse.loovl.eu, and any related subdomain;
2. Customers who register an account to use the Pulse Analytics service ("Pulse" or the "Service");
3. Prospects who contact us by email or fill out forms on our website.

This policy explains what we collect, why, on what legal basis, how long we keep it, who we share it with, and what rights you have. It is written to comply with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Estonian Personal Data Protection Act.

What this policy is NOT: If you are a website visitor whose page view was tracked by a third party using Pulse on their site, this policy does not apply to you — please consult that website's own privacy policy. The Pulse customer (the website owner) is the data controller for your data; Loovl OÜ acts only as a processor on their behalf, governed by our Data Processing Agreement.

1. Who we are

Controller: Loovl OÜ Registry code: 17497447 VAT identifier: EE102982660 Registered address: Ravi tn 19-1, 30326, Kohtla-Järve, Ida-Virumaa, Estonia Contact for privacy matters: privacy@loovl.eu

We have not appointed a Data Protection Officer because we are below the GDPR thresholds requiring one, but privacy@loovl.eu is the dedicated channel for all privacy-related requests.

2. Personal data we collect

2.1 When you visit our public website (loovl.eu, pulse.loovl.eu)

We use our own product (Pulse Analytics) to measure aggregate website usage. This means:

• No cookies, no localStorage, no fingerprinting are used to track you.
• Your IP address is never written to any database or log. It is used only in memory to compute a daily-rotating SHA-256 hash that uniquely identifies your visit for the day, and to look up an approximate country / region / city from offline databases.
• We collect:
  • a daily-rotating pseudonymous visitor identifier (truncated SHA-256 of IP + User-Agent + daily salt + site ID) and a session identifier with the same construction plus a 30-minute time bucket;
  • browser name and version, operating system and version, device type (desktop / mobile / tablet);
  • screen resolution in pixels (width × height);
  • language of the page (from the <html lang> attribute);
  • the hostname of the visited page (relevant for sites that span multiple domains under one tracking ID, e.g. multilingual setups);
  • the page URL path (no query strings — the path part only, without ?param=value or #fragment);
  • the referring URL (the previous page that linked to the current one) and UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) parsed from the page query string for marketing attribution;
  • approximate location (country, region/state, and city) derived from the IP address via offline databases — the IP itself is discarded immediately;
  • for custom events declared by the site owner (e.g. purchase, add_to_cart, outbound), an event name and up to 16 small key-value properties that the owner explicitly chose to track. Sensitive values (phone numbers, email addresses) are masked at collection time so that, even if the site owner forgets to anonymise on their side, only the first characters and the domain remain in storage.

The full technical description of this measurement matches Annex 2 of our DPA.

Web server logs: Our web server (Nginx) records standard access logs containing IP addresses and timestamps for up to 14 days for security and abuse-prevention purposes (Section 6.2 below). These logs are not used for marketing or analytics.

2.2 When you register an account

To create and operate your Pulse account, we collect:

• Email address — your account identifier, contact channel, and verification target.
• Name — your display name in the dashboard. Optional but recommended.
• Password — stored only as a bcrypt hash (cost factor ≥ 12). We never see, store, or log the plaintext password.
• Email verification token — a one-time random token, deleted after use or expiry.

We do not store the IP address used to create your account; it is processed in memory only for the request that creates the account and discarded immediately.

2.3 When you log in

• Session cookie — an HMAC-signed cookie (__Host-sess, HttpOnly, Secure, SameSite=Lax, Path=/) that keeps you logged in. No tracking purpose. See Section 5.
• Failed login attempts — counted per email (hashed) and per IP in Redis with short TTL (1 hour), used solely for rate-limiting and brute-force protection. Counters expire automatically and are not persisted to disk.

We do not maintain a per-user history of login IPs or login timestamps. Failed-login alerts are surfaced through fail2ban at the network layer (banning abusive IPs), not through a per-user "Recent sessions" view.

2.4 When you subscribe to a paid plan

Status as of 2026-05-10: Pulse currently operates in free-only mode. Paid plans and the payment integration are not active. The text below describes the planned processing once paid plans launch — at that point we will notify all existing Customers by email at least 14 days in advance, in line with DPA §6.3, and update this section accordingly.

When paid plans launch, payments will be processed by a third-party Merchant of Record (the specific provider will be named here and in our Sub-processors list before activation). They will collect:

• Name and billing address
• Email address
• Payment instrument data (card number, etc. — handled by the Merchant of Record and their PCI-DSS-compliant payment processors; we will never see or store full card numbers)
• VAT identifier (if you provide one for B2B)
• Country, for tax purposes

We will receive from the Merchant of Record: your name, email, country, last 4 digits of the payment instrument, subscription status, and invoice history. This data will be stored alongside your account record to display billing information in the dashboard.

We will link the Merchant of Record's privacy policy here once the provider is activated.

2.5 When you contact us

If you email us or send a support request, we keep the message, your email address, and any attachments for as long as needed to handle your inquiry, then archive for up to 24 months for follow-up reference.

2.6 Customer support and product analytics inside the dashboard

When you use the Pulse dashboard:

• We log application errors with minimal context (timestamp, anonymised user identifier, route, error message) to maintain reliability. No request bodies, no event data.
• We do not record sessions, mouse movements, keystrokes, or "session replay" of any kind.
• We do not use third-party product-analytics tools (no Mixpanel, no Amplitude, no Segment, no Google Analytics).

2.7 Special categories of data

We do not knowingly collect special categories of personal data (Article 9 GDPR — health, biometric, religious, political, etc.). Please do not submit such data to us.

3. Why we process this data and on what legal basis

We do not engage in automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR).

4. How long we keep your data

When the retention period expires, we permanently delete the data through automated processes (cron jobs, ClickHouse TTL, scheduled deletes), unless an ongoing legal claim, fraud investigation, or legal obligation requires longer retention.

5. Cookies and similar technologies

We use the minimum cookies strictly necessary to operate the Service. We do not need a cookie consent banner under the EU ePrivacy Directive because we do not set any non-essential cookies, but we describe them below for transparency.

We do not use any third-party cookies. We do not use Google Analytics, Facebook Pixel, advertising cookies, or any cross-site tracking technology.

The Pulse measurement on loovl.eu does not set any cookies on your browser.

6. Who we share your data with

We share personal data only with the parties strictly necessary to operate the Service. The complete and current list of Sub-processors who process Pulse customers' data on our behalf is published at /legal/subprocessors and notice of changes is given as set out in our DPA.

For data of website visitors and customers covered by this policy, the relevant recipients are:

• Hetzner Online GmbH (Germany / Finland) — hosting and infrastructure for loovl.eu, pulse.loovl.eu, databases, and backups. All data is processed within the European Economic Area.
• A third-party Merchant of Record — planned payment processor. Not currently active (Section 2.4). When activated, it will receive only billing data; the specific provider and any applicable cross-border transfer safeguards will be disclosed here and in our Sub-processors list at least 14 days before activation.
• Estonian and EU public authorities — only when legally required (court order, tax authority request, regulator inquiry). We will notify you of such requests unless legally prohibited.
• Professional advisors (auditors, lawyers, accountants) — bound by professional confidentiality, on a need-to-know basis.

We do not sell, rent, or trade personal data with anyone for marketing or advertising purposes.

7. International data transfers

The infrastructure that processes your account data, login data, and Pulse measurement data is located entirely within the European Economic Area (Germany and Finland, Hetzner data centres).

As of 2026-05-29, no personal data is transferred outside the EEA. Pulse currently operates in free-only mode and the payment integration is not active.

When paid plans launch, billing data may be shared with a third-party Merchant of Record for payment processing. If that provider is established within the EEA, no transfer outside the EEA occurs; if it is outside the EEA, the transfer will rely on a valid mechanism (an adequacy decision or Standard Contractual Clauses), which we will disclose here before activation. We additionally apply data-minimisation safeguards: only Customer billing data is shared — never Data Subject data of your website visitors. Existing Customers will be notified by email at least 14 days in advance of activation.

8. Legitimate interest assessment (LIA)

Where we rely on legitimate interest (Article 6(1)(f) GDPR), we have balanced our interest against your rights and freedoms. Our reasoning, in summary:

• Aggregate analytics on loovl.eu: Our interest is to understand usage and improve the website. The processing is performed in a privacy-by-design way (cookieless, no IP storage, daily-rotated hash, no fingerprinting, no cross-site tracking). The impact on visitors is minimal; the data cannot identify you individually. The benefit to us and our users (a working, improving website) outweighs the marginal privacy impact.
• Abuse and fraud prevention: Logging IP and login attempts is essential to prevent brute-force attacks, account takeover, and bot-driven account creation. Without this, the Service could not provide a baseline level of security to you and other users. Retention is short (90 days max).
• Defending legal claims: Standard practice; retention is bounded by statute of limitations.

You can object to processing based on legitimate interest at any time (Section 9.6).

9. Your rights

Under the GDPR you have the following rights, exercisable at any time by emailing privacy@loovl.eu from the email address associated with your account, or by another means that allows us to verify your identity:

9.1 Right of access (Art. 15)

You can request a copy of all personal data we hold about you, plus the information described in this policy (purposes, categories, recipients, retention).

9.2 Right to rectification (Art. 16)

You can request correction of inaccurate or incomplete data. Most fields are editable directly in the dashboard.

9.3 Right to erasure / "right to be forgotten" (Art. 17)

You can delete your account at any time from the dashboard. This triggers permanent deletion of your account data and all associated event data within 30 days, except where retention is required by law (e.g. accounting records — Section 4).

9.4 Right to restriction of processing (Art. 18)

You can ask us to limit what we do with your data while a dispute is being resolved.

9.5 Right to data portability (Art. 20)

For data you have provided to us under a contract or consent, we will give you a structured, commonly used, machine-readable copy. CSV export of your event data is available directly from the dashboard.

9.6 Right to object (Art. 21)

You can object to processing based on legitimate interest (Section 8) or to direct marketing. For direct marketing, the objection is absolute. For other legitimate-interest processing, we will weigh your specific situation and either stop processing or explain why we believe our interest overrides.

Browser-level opt-out for visitor tracking. If you are a visitor to a website that uses Pulse (rather than a Pulse account holder), you can disable Pulse measurement on your browser at any time without contacting us. Open your browser's developer console (F12 in most browsers) on any page that uses Pulse and run:

localStorage.setItem('pulse-opt-out', '1')

After this, the Pulse tracker on any website using Pulse in this browser will detect the flag on every page load and exit before sending any data. The opt-out persists until you clear browser storage. To re-enable, run localStorage.removeItem('pulse-opt-out').

Do-Not-Track signal. Pulse also respects the browser-level Do-Not-Track (DNT) signal where the browser exposes it (navigator.doNotTrack === '1'). If you have enabled DNT in your browser settings, the Pulse tracker exits silently before sending any data. The DNT specification was deprecated by W3C in 2019 and has no legal weight, but we honor the signal as a matter of policy because our product is positioned around respecting the visitor's stated preference.

9.7 Right to withdraw consent (Art. 7(3))

Where processing is based on consent (e.g. marketing emails), you can withdraw consent at any time by clicking the unsubscribe link or by emailing us. Withdrawal does not affect the lawfulness of past processing.

9.8 Right not to be subject to automated decision-making (Art. 22)

We do not make automated decisions producing legal or similarly significant effects on you.

9.9 Response time

We will respond to all rights requests within 30 days. We may extend by a further two months for complex requests, in which case we will inform you within the first 30 days. Requests are free of charge unless they are manifestly unfounded or excessive.

9.10 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):

• Web: https://www.aki.ee/en
• Email: info@aki.ee
• Address: Tatari 39, 10134 Tallinn, Estonia

You may also lodge a complaint with the supervisory authority of the EU/EEA Member State where you live or work.

10. Security

We implement appropriate technical and organisational measures to protect your data, described in Annex 2 of our DPA. In summary: TLS 1.2+ in transit (HSTS enforced); AES-256 encryption applied to MariaDB backups (which contain account email and hashed credentials) before storage; strict SSH key access control; bcrypt password hashing (cost factor ≥ 12); network firewall isolating internal database services to localhost; fail2ban; per-IP and per-email rate-limiting; Subresource Integrity (SRI) on vendor scripts; and a documented incident-response procedure.

In the event of a personal data breach affecting your data, we will notify the Estonian Data Protection Inspectorate within 72 hours where required, and notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Articles 33 and 34 GDPR).

11. Children

The Service is not directed to children under the age of 16. We do not knowingly process personal data of children under 16. If you believe we have inadvertently collected such data, please contact privacy@loovl.eu and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, the Service, or legal requirements. The "Effective date" at the top will be updated. For material changes affecting how we use your data, we will notify registered customers at least 30 days in advance by email and through the dashboard.

The current version is always available at https://loovl.eu/legal/privacy.

13. Contact

For any privacy question, request, or complaint:

Email: privacy@loovl.eu Postal address: Loovl OÜ, Ravi tn 19-1, 30326, Kohtla-Järve, Ida-Virumaa, Estonia

We aim to respond to privacy inquiries within five (5) business days.