Privacy Policy

Last updated: 10 May 2026

1. Data controller

For the purposes of this Privacy Policy, the data controller is Volti lahenduse OÜ (registry code 17495075, VAT number EE102982686), registered in Tartu, Estonia, email info@volti.ee.

Volti lahenduse OÜ acts as a data controller for its own users (your company’s employees) — login credentials, profile information. For your clients’ data and inspection-report content (site addresses, drawings, inspection photos), Volti lahenduse OÜ acts as a data processor and your company is the controller. Detailed terms are in the Data Processing Agreement (DPA).

2. What data we collect

2.1 Account and user data

  • name, email address, phone number;
  • role within the organisation, permissions, last-login timestamp;
  • password (stored only as a one-way bcrypt hash);
  • authentication tokens (Laravel Sanctum) and session metadata.

2.2 Client and contact data

  • client (legal entity) name, registry code, address;
  • contact person names, email addresses, phone numbers, job titles;
  • shared-report viewing PIN codes (hashed).

2.3 Site and inspection data

  • installation site address, designation, drawings (DWG, PDF, images);
  • inspection-check results, inspector name, date, free-text comments;
  • inspection photos and their metadata (EXIF GPS coordinates are automatically stripped on upload — see SEC-022);
  • digital signatures (ASiC-E containers signed via Estonian eID / Mobile-ID) and signer-certificate metadata.

2.4 Technical data

  • IP address, browser type, operating system;
  • request logs (URL, timestamp, response code) retained for 90 days for security and debugging.

3. Lawful bases

  • Performance of contract (GDPR art 6(1)(b)) — account creation, authentication, service delivery, invoicing.
  • Legitimate interest (GDPR art 6(1)(f)) — service security, abuse prevention, system notices, product development.
  • Legal obligation (GDPR art 6(1)(c)) — accounting, tax filings, document-retention obligations under Estonian electrical safety law.
  • Consent (GDPR art 6(1)(a)) — marketing emails, non-essential cookies.

4. Retention

  • Account and user data: for the lifetime of the account + 90 days after closure.
  • Inspection reports and signed PDFs: at least 7 years per Estonian electrical-safety regulation (Equipment Safety Act and the regulation “Electrical installations subject to audit and the requirements for electrical installation audits and presentation of audit results”); the customer may configure longer retention in account settings.
  • Accounting documents: 7 years (Estonian Accounting Act § 12).
  • Log files: 90 days.
  • After expiry, data is deleted or anonymised.

5. Recipients and sub-processors

We use the following sub-processors, all within the EU/EEA:

  • Hetzner Online GmbH (Germany) — server hosting and database.
  • Hetzner Storage Box (Germany) — file storage (drawings, photos, signed containers).
  • SK ID Solutions AS (Estonia) — Mobile-ID and Smart-ID authentication and signing.
  • RIA (Estonia) — ID-card validity checks via OCSP/CRL.
  • Stripe Payments Europe, Ltd (Ireland) — card payment processing and invoicing.

The full and current list of sub-processors is on a separate page. We notify customers of new sub-processors at least 30 days in advance.

6. Transfers outside the EU/EEA

We currently do not transfer personal data outside the EU/EEA. If this changes, we will use European Commission-approved Standard Contractual Clauses (SCC) and update this policy.

7. Data-subject rights

You have the right at any time to:

  • access your data and receive a copy (right of access);
  • request correction of inaccurate data;
  • request deletion (right to be forgotten) where there is no legal basis to keep it;
  • request restriction of processing;
  • receive your data in a structured format (data portability);
  • object to processing based on legitimate interest;
  • withdraw consent at any time (without affecting the lawfulness of prior processing).

To exercise any of these rights, write to privacy@volti.ee. We respond within 30 days. Account owners can also export data and delete the account directly from the in-app settings.

8. Cookies

See the separate Cookie Policy. In short: strictly-necessary cookies (authentication, session) are always set; analytics and marketing cookies require your separate consent.

9. Security

  • traffic is encrypted via TLS 1.2+;
  • passwords are hashed with bcrypt;
  • database access is restricted to the server’s local network;
  • backups: twice daily, stored on two separate servers in Finland and Sweden;
  • we notify affected individuals of security incidents within 72 hours per GDPR art 33 and 34.

10. Supervisory authority

You can lodge a complaint with the Estonian Data Protection Inspectorate: Tatari 39, 10134 Tallinn, email info@aki.ee, www.aki.ee.

11. Changes to this policy

We publish changes on this page and, where the change is material, notify users by email at least 30 days in advance.

12. Contact

For privacy questions, contact privacy@volti.ee. General contact: info@volti.ee.