GDPR
Our compliance with EU data protection law · Last updated April 2026
This page describes how Estaty complies with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and, where applicable, the UK GDPR. We are committed to protecting the rights of individuals under these frameworks.
1. Data Controller
For the purposes of GDPR, Estaty is the data controller of the personal data you provide when creating an account and using the platform. As a user, you are the data controller of the lead data collected through your public profile and listing pages. Estaty acts as a data processor in relation to that lead data.
If you need a Data Processing Agreement (DPA) for GDPR compliance, please contact hello@estaty.io and we will provide one.
2. Legal Bases for Processing
We process your personal data under the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to perform the Service |
| Processing payments and billing | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) |
| Sending transactional emails | Contract (Art. 6(1)(b)) — necessary to perform the Service |
| Sending optional marketing/notification emails | Consent (Art. 6(1)(a)) — you can opt out at any time |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) — improving the Service |
| Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c)) |
3. Your Rights Under GDPR
If you are located in the EU, UK, or EEA, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your personal data ('right to be forgotten').
- Right to restriction (Art. 18): request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.
- Right not to be subject to automated decision-making (Art. 22): we do not make solely automated decisions that significantly affect you.
To exercise any of these rights, submit a Data Subject Access Request (DSAR) by emailing hello@estaty.io with the subject line 'GDPR Request'. We will respond within 30 days. We may ask you to verify your identity before processing the request.
4. Data Retention
- Account data: retained for the duration of your account. Deleted within 30 days of account closure.
- Billing records: retained for 7 years as required by financial regulations.
- Server logs: retained for 90 days for security and debugging purposes.
- Lead data: retained until you delete it from your dashboard or close your account.
5. International Data Transfers
Our primary infrastructure is hosted in the EU (Supabase EU West region, Vercel Edge Network). Where personal data is processed by sub-processors outside the EU/EEA (such as Lemon Squeezy, based in the US), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- Adequacy decisions where applicable.
- Data Processing Agreements with each sub-processor.
6. Sub-Processors
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (West) |
| Vercel | Hosting and serverless functions | EU / Global CDN |
| Lemon Squeezy | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Anthropic | AI description generation | USA |
7. Data Protection Officer
Estaty does not currently meet the threshold requiring a formally designated Data Protection Officer (DPO). Privacy and data protection matters are handled directly by the Estaty team. For data protection enquiries, contact hello@estaty.io.
8. Supervisory Authority
If you are based in the EU and believe we have not complied with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. A full list of EU supervisory authorities is available at edpb.europa.eu.
We would, however, always appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please email hello@estaty.io in the first instance.
9. Changes to This Page
We will update this page as our practices evolve or as GDPR guidance changes. The 'Last updated' date will reflect the most recent revision.