MAKESPACE OÜ PRIVACY POLICY (DATA PROCESSING NOTICE)

Effective Date: [Date of Publication, e.g., April 3, 2026]

This notice explains how Makespace OÜ (hereinafter "We", "Us", or "Makespace") collects, uses, stores, and protects your personal data when you use our website, client portal (hereinafter "Portal"), communicate with us via email, or enter into contracts with us.

We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the applicable laws of the Republic of Estonia.

1. DATA CONTROLLER

The data controller responsible for your personal data is:

Makespace OÜ
Registry code: 12935523
Address: Riia 20, Tartu 51010, Estonia
Email: info@makespace.ee
Website: www.makespace.ee

2. WHAT PERSONAL DATA DO WE PROCESS?

We only collect and process personal data that is necessary to provide you with our services, perform a contract, or fulfill our legal obligations. We process the following categories of data:

2.1. Client and Representative Data (Pre-contractual and Contractual Phase)

  • Name: First name and last name.

  • Personal Identification Code: Estonian personal identification code (or foreign equivalent), which is strictly necessary for the legal validation of digitally signed contracts (.asice containers) and Smart-ID/Mobile-ID authentication.

  • Contact Details: Email address, phone number, physical address.

  • Position / Right of Representation: Information verifying your authority to represent a company (e.g., Management Board Member).

2.2. Portal User Technical Data

  • Authentication Data: Identity verification logs generated when logging into the Portal using Smart-ID, Mobile-ID, or ID-card.

  • Usage Data: IP address, browser type, cookie data (see Section 9), login timestamps, session duration, and actions performed within the Portal (e.g., viewing models/drawings).

2.3. Communication Data

  • Emails: Email correspondence with us, including price inquiries, feedback, and attached files.

2.4. Project and Procurement Data (GlaiderX/Morrticodes)

We process technical data (e.g., model geometry, materials, masses, structural joints) related to specific construction projects. While this data is generally not personal data, it may be linked to a specific client or their representative. When using our Procurement AI feature (Hanke-agent), we may process the contact details of supplier representatives to collect and compare bids.

3. PURPOSES AND LEGAL BASIS FOR PROCESSING

We process your personal data only on valid legal grounds. The primary purposes and legal bases for processing are:

  • Preparing price quotes and pre-contractual communication: The legal basis is the performance of a contract (Art 6(1)(b) of the GDPR – pre-contractual steps).

  • Entering into and performing contracts (incl. digital signing via Smart-ID/Mobile-ID): The legal basis is the performance of a contract (Art 6(1)(b) of the GDPR).

  • Verifying your identity in the Portal (logging in): The legal basis is the performance of a contract (Art 6(1)(b) of the GDPR) or our legitimate interest (Art 6(1)(f) of the GDPR).

  • Fulfilling accounting and tax obligations: The legal basis is compliance with a legal obligation (Art 6(1)(c) of the GDPR – e.g., Estonian Accounting Act).

  • Managing the Portal, ensuring security, and fixing bugs: The legal basis is our legitimate interest (Art 6(1)(f) of the GDPR) in ensuring service quality and IT security.

  • Procurement and supplier management (GlaiderX Procurement AI): The legal basis is our legitimate interest (Art 6(1)(f) of the GDPR) in effective project management for the client.

  • Controlling quote downloads and QR code verification (payment discipline): The legal basis is our legitimate interest (Art 6(1)(f) of the GDPR) in protecting our intellectual property and economic interests.

  • Marketing communication (e.g., newsletters, if subscribed): The legal basis is your consent (Art 6(1)(a) of the GDPR).

4. HOW DO WE COLLECT PERSONAL DATA?

We collect your personal data primarily directly from you:

  • When you send us a price inquiry via email.

  • When you enter into a contract with us and sign it digitally.

  • When you register as a Portal user and log in using Smart-ID/Mobile-ID.

We may also collect personal data from third parties:

  • SK ID Solutions / Digital Signature API Providers: When authenticating or signing with Smart-ID, Mobile-ID, or ID-card, we receive your name and personal identification code from the service provider.

  • Public Registries: We may verify your right of representation from the Estonian Commercial Register.

5. DATA SHARING WITH THIRD PARTIES (DATA PROCESSORS)

We share your personal data with third parties only when necessary to perform a contract, provide our services, or comply with a legal obligation. Our main data processors include:

  1. Cloud Service Providers:

    • Google Ireland Limited (Firebase / Google Drive): We use Firebase real-time database and Google Drive for the secure storage of files (including signed contracts). Your data is encrypted and access is strictly limited.

  2. Digital Signature and Identity Verification Providers:

    • SK ID Solutions AS / Signature Aggregators: Used to verify your identity and validate digital signatures (Smart-ID, Mobile-ID).

  3. Procurement and Supplier Management: When utilizing the Procurement AI feature, we may share supplier contact details to gather and compare bids effectively.

  4. Professional Advisors: Providers of accounting and legal services.

  5. Public Authorities: Police, Tax and Customs Board, or other government authorities if we have a statutory obligation to disclose data.

We do not sell or rent your personal data to third parties for marketing purposes.

5.1. Data Transfers Outside the European Economic Area (EEA)

Our cloud service providers (e.g., Google Firebase) may transfer data to countries outside the EEA (e.g., the USA). In such cases, we ensure that adequate data protection measures are implemented, for example, by relying on the European Commission's approved Standard Contractual Clauses (SCCs) or other legal mechanisms that guarantee a level of security compliant with the GDPR.

6. SECURITY OF PERSONAL DATA

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Our security measures include:

  • Encryption: All communication between the Portal, Firebase, and Google Drive is encrypted in transit. Signed files are stored in locked and encrypted Drive folders at rest.

  • Access Control: Access to databases and folders containing personal data is strictly limited to authorized Makespace personnel on a need-to-know basis. Personal identification codes are never displayed in the 3D model view or shared with background AI processes unless there is a direct legal or technical necessity.

  • Strong Authentication: Portal logins and digital signing utilize the highest security level methods available (Smart-ID, Mobile-ID, ID-card).

7. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes of processing, until our legal obligation to retain the data expires, or until you withdraw your consent (if processing was based on consent).

Main retention periods:

  • Contracts and Invoices: Retained for 7 years after the end of the financial year (Estonian Accounting Act).

  • Price Quotes and Pre-sales Communication: Retained for 2 years after the last contact, unless a contract is signed.

  • Portal User Logs: Retained for 1 year, unless the logs are related to a specific project dispute or legal claim.

  • Marketing Data: Retained until consent is withdrawn or 2 years after the last contact.

After the retention period expires, personal data is permanently deleted or irreversibly anonymized.

8. YOUR RIGHTS

You have the following rights regarding your personal data:

  1. Right of Access: You have the right to request confirmation as to whether we process your personal data and to obtain a copy of it.

  2. Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal data.

  3. Right to Erasure ("Right to be Forgotten"): You have the right to request the deletion of your personal data if:

    • The data is no longer necessary for the purposes for which it was collected.

    • You withdraw your consent (and there is no other legal basis).

    • You object to the processing, and there are no overriding legitimate grounds.

    • The data has been unlawfully processed.

  4. Right to Restriction of Processing: You have the right to request the restriction of processing under certain circumstances (e.g., if you contest the accuracy of the data).

  5. Right to Object: You have the right to object to the processing of your personal data if the processing is based on our legitimate interest or for direct marketing purposes.

  6. Right to Data Portability: You have the right to receive your personal data in a machine-readable format and request its transfer to another data controller.

  7. Right to Withdraw Consent: If processing is based on your consent, you have the right to withdraw it at any time.

To exercise your rights, please contact us at info@makespace.ee. We will respond to your request within one month.

9. COOKIES

To ensure the functionality of the Portal and improve user experience, we use cookies. A cookie is a small text file that a browser stores on your computer or device.

We may use the following types of cookies:

  • Strictly Necessary Cookies: Essential for logging into the Portal, managing sessions, and ensuring security. Without them, we cannot provide Portal services.

  • Functional Cookies: Allow us to remember your preferences (e.g., language, theme).

  • Analytical Cookies: Help us understand how users interact with the Portal so we can improve our services.

You can control and limit the use of cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of the Portal.

10. CONTACT US AND COMPLAINTS

If you have any questions regarding this notice, wish to exercise your rights, or have concerns about the processing of your personal data, please contact us:

Makespace OÜ
Registry code: 12935523
Email: info@makespace.ee

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI).

Andmekaitse Inspektsioon
Address: Tatari 39, 10134 Tallinn, Estonia
Website: www.aki.ee
Email: info@aki.ee

11. CHANGES TO THIS NOTICE

We may update this notice from time to time to reflect changes in our services or legal requirements. The updated notice will be published on our website/Portal and will take effect immediately upon publication. We encourage you to review this notice regularly.