URBALT is in open beta. We're welcoming our first users. Some details below may still change before the full launch.

Privacy Policy

Platform: URBALT (urbalt.ee) · Version 2.0 (GDPR Compliant) · March 20, 2026

1. General Provisions

1.1. This Policy describes how the URBALT platform (hereinafter — the "Platform") collects, uses, and protects users' personal data.

1.2. The Platform processes personal data in accordance with the EU General Data Protection Regulation (GDPR).

1.3. Data controller: URBALT

[email protected]

2. Data We Collect

Depending on the verification level:

  • Email: email address
  • Identity Provider (e.g., Google): name, email
  • Phone: phone number
  • iD (Smart-ID / ID-card): name, surname, personal code
  • Technical data: IP address, session identifiers. Server logs are stored for up to 30 days for security and diagnostic purposes.

3. Purposes and Legal Bases

We process data on the following bases:

3.1. Contract performance (Art. 6(1)(b) GDPR):

  • account registration;
  • providing access to the service.

3.2. Legitimate interests (Art. 6(1)(f) GDPR):

  • fraud prevention;
  • user protection;
  • service improvement.

3.3. Legal obligations (Art. 6(1)(c) GDPR):

  • cooperation with law enforcement.

4. Data Retention

4.1. Data is stored while the account is active.

4.2. After account deletion, a 30-day recovery period applies during which the account can be restored. After this period, personal data is anonymized.

  • Anonymized records may be retained for up to 6 months for fraud prevention and dispute resolution;
  • Financial transaction data may be retained for up to 7 years to comply with tax legislation;
  • If a legal hold applies (active dispute, law enforcement request), data is retained until the hold is resolved.

5. Data Sharing

5.1. We do not sell personal data.

5.2. Data may be shared with:

  • government authorities upon lawful request;
  • technical partners (e.g., Smart-ID, payment providers).

5.3. If data is transferred outside the European Economic Area, appropriate data protection safeguards are applied.

6. Automated Decisions

6.1. The Platform may use automated systems for:

  • content moderation;
  • trust level assessment;
  • listing ranking.

6.2. Such decisions may affect content visibility and access to Platform features.

7. User Rights

The User has the right to:

  • request access to their data;
  • correct data;
  • delete data ("right to be forgotten");
  • restrict processing, except where processing is necessary for platform operation, security, or legal obligations;
  • request a copy of their personal data in a structured, machine-readable format (data portability);
  • file a complaint with a supervisory authority.

8. Data Provision Requirement

Providing data is necessary to use the Platform.

Without providing certain data, access to features may be restricted.

9. Contact

For data protection inquiries: [email protected]

10. Third-Party Service Providers (Sub-Processors)

URBALT relies on the following third-party service providers to operate the Platform. Each one processes only the data needed for its specific function and is bound by a Data Processing Agreement under GDPR Article 28.

  • Hetzner Cloud (Cloud hosting) — all platform data (databases, files, application logs). Helsinki, Finland (EU).
  • Google OAuth (OAuth Sign-In) — email, name, Google ID, IP address at login. Ireland (EU) + USA (SCC).
  • Sentry (Backend error monitoring) — stack traces, request metadata (no full PII). Ireland (EU).
  • Backblaze B2 (Database backups) — encrypted database backups. Netherlands (EU).
  • Zoho Mail (Email and support) — email content, addresses, support tickets. EU data center.
  • Cloudflare (CDN, DDoS protection, DNS) — IP addresses, request metadata, performance data. Distributed (EU + global).
  • UptimeRobot (Uptime monitoring) — URL endpoints, response times. USA (no PII).
  • Umami Analytics (Anonymous analytics) — session statistics, page views (no personal identifiers). Self-hosted (Hetzner).
  • Google Search Console (SEO administration tool (we use it)) — aggregated indexing and ranking statistics (no individual user data). Ireland (EU).
  • Bing Webmaster Tools (SEO administration tool (we use it)) — aggregated indexing and ranking statistics (no individual user data). Microsoft cloud.

Stripe payment processor will be added when the Platform launches paid features. We will update this list and notify users in advance.

11. Data Residency

Most of your data is stored in the European Union (Hetzner Helsinki, Backblaze Netherlands, Sentry Ireland, Zoho EU data center). Some services may transfer data to the United States under the EU-approved Standard Contractual Clauses (SCC), including Google OAuth login flows, Cloudflare edge CDN nodes, and UptimeRobot.

All transfers outside the European Economic Area are protected by appropriate safeguards under GDPR Chapter V.

12. Privacy Contact

For all data protection inquiries, GDPR rights requests, or privacy concerns, please contact: [email protected]

We aim to respond within 30 days as required by GDPR. For urgent matters, you may also write to [email protected].

13. Transition Period (Founder-Operated Infrastructure)

Urban Riders Baltic OÜ is the controller of the URBALT platform.

During the early transition period after incorporation, some technical accounts used for hosting, email, DNS, backups, monitoring and development may still be registered under the founder's personal email or personal service accounts. These accounts are used solely for operating URBALT on behalf of Urban Riders Baltic OÜ.

Urban Riders Baltic OÜ is migrating these accounts, contracts and billing details to company-controlled accounts where technically and commercially possible. This transition does not change the controller identity, the purposes of processing, or your rights under GDPR.