
Privacy Policy

PRIVACY POLICY FOR PERSONAL DATA PROCESSING IN SUNIO GROUP OÜ AND ITS SUBSIDIARIES

Last Updated: 31st March 2025

1. Introduction

Protecting the personal data of our employees, business partners, and customers is a high priority for Sunio Group OÜ and its subsidiaries (Sunio OÜ, Galandrex Tõlkebüroo OÜ, Sunio IT OÜ, and E-Resident Store OÜ, collectively referred to as "Sunio Companies," "We," "Us," or "Our").

This Privacy Policy provides detailed information about how Sunio Companies collect, process, and share personal data in accordance with the General Data Protection Regulation (GDPR) (Regulation 2016/679 of the European Parliament and Council).

This policy applies to:

  • All business processes within Sunio Companies.

  • All digital platforms, economic software, websites, cloud services, applications, and databases used by or associated with Sunio Companies (collectively referred to as "Sunio Companies' means of work").

  • Both controllers and processors of personal data, depending on the nature of the service.

 

2. Data Subjects and Data Processing Roles

2.1. Whose Data Do We Process?

Sunio Companies process the personal data of:

  • Employees, job applicants, representatives, and contact persons of clients.

  • Users of Sunio Companies' services, software, or digital platforms.

  • Individuals whose personal data is processed on behalf of Sunio Companies’ clients.

These individuals are collectively referred to as "Data Subjects" in this Privacy Policy.

2.2. Controller Role

When Sunio Companies determine the purposes, means, and extent of data processing, they act as a Controller.

Legal basis for processing personal data:

  • Contractual necessity – Fulfilling service agreements with clients.

  • Legitimate interest – Providing high-quality services and maintaining business operations.

  • Legal obligations – Compliance with Estonian and EU regulations.

  • Consent – Processing job applications or optional service features.

2.3. Processor Role

When Sunio Companies process personal data on behalf of clients (e.g., for accounting, tax reporting, and payment processing), they act as a Processor. In such cases, the Client is the Data Controller.

3. Data Collection and Categories of Data Processed

3.1. How Do We Collect Data?

We collect personal data directly from:

  • Clients and their representatives.

  • Business partners, employees, and subcontractors.

  • Third-party service providers (e.g., banks, payment processors, and government authorities).

3.2. Categories of Personal Data We Process

Sunio Companies do not process sensitive personal data (such as race, religion, or health data). We process the following categories of personal data:

  • Contact Details: Name, address, phone number, IP address, and email.

  • Identification Data: Date of birth, age, gender, personal identification code, client number.

  • Employment Data: Employer, job title, professional role, and preferences.

  • Financial Data: Payment information (credit card, PayPal), transaction history.

  • Verification Documents: Copies of personal identification documents, including passports, national ID cards, driver’s licenses, or similar forms of identification.

  • Proof of Address Documents: Utility bills, bank statements, or bank card statements used to verify residential address.

  • Communication Data: Emails, messages, and interactions with Sunio Companies.

  • Publicly Available Data: Social media profiles (LinkedIn, Facebook) when relevant to business interactions.

 

3.3. Use of Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance user experience, analyze website traffic, and provide personalized content. The collection and use of cookies are governed by our Cookie Policy, which provides detailed information about:

  • The types of cookies we use,

  • The purposes for which they are used,

  • How you can manage or disable cookies in your browser settings.

By continuing to use our website, you consent to the use of cookies as described in our Cookie Policy. You can review and manage your cookie preferences at any time.

For more details, please refer to our Cookie Policy.

4. Data Sharing and Disclosure

4.1. Internal Data Sharing

To ensure efficient service delivery, Sunio Companies may share personal data within the group when necessary. This helps maintain:

  • A seamless client experience across Sunio Companies.

  • Efficient service execution when multiple Sunio Companies are involved.

4.2. External Data Sharing

Sunio Companies only share personal data with trusted third parties under strict legal and contractual conditions.


4.2.1. Business Partners & Service Providers

We share personal data with third-party providers when necessary for:

  • Payment processing: Stripe, PayPal.

  • Customer verification (KYC/KYB): Sumsub.

  • Website and e-commerce services: Wix, WordPress, WooCommerce.

  • Payroll and accounting processing: Merit Palk, SmartAccounts, Directo, Merit Aktiva, Books.

  • Tax reporting: Estonian Tax and Customs Board.

  • Our contractual subcontractors.

4.2.2. Authorities & Legal Obligations

We disclose personal data to government authorities (e.g., police, tax authorities, financial intelligence unit) only when legally required.

5. Data Subject Rights

Data Subjects have the following rights under GDPR:

  • Right to Access: Request details about personal data we hold.

  • Right to Rectification: Correct inaccurate or incomplete data.

  • Right to Erasure ("Right to be Forgotten"): Request deletion of personal data under certain conditions.

  • Right to Restrict Processing: Limit how we process data in specific cases.

  • Right to Data Portability: Request a copy of your data in a machine-readable format.

  • Right to Object: Object to processing based on legitimate interests.

  • Right to Withdraw Consent: Withdraw consent for processing where applicable.

To exercise any of these rights, contact us at support@sunio.ee.

 

6. Data Security and Retention

6.1. Data Security Measures

Sunio Companies implement high-level security measures to protect personal data:

  • Restricted access to authorized personnel only.

  • Regular security audits and system updates.

  • Encrypted data storage and secure backup systems.

  • Firewalls and intrusion detection systems.

6.2. Data Retention

  • We retain personal data only as long as necessary for the purposes stated in this policy.

  • Retention periods vary depending on legal requirements (e.g., accounting records must be kept for 7 years).

  • Personal data is deleted or anonymized when no longer required.

7. Sunio Companies as Data Processors

When acting as Processors, Sunio Companies:

  • Follow the instructions of the Data Controller (i.e., the Client).

  • Ensure compliance with GDPR through data processing agreements (DPAs).

  • Provide necessary assistance to Clients for regulatory compliance.

If you are a Client and require further details about our role as a Processor, please contact us.

8. Subcontractors and Data Transfers

  • Sunio Companies do not transfer personal data outside the EU unless required by law or contract.

  • We use Estonian-based cloud service providers and IT security companies to protect data.

  • All subcontractors undergo data protection compliance checks and are required to sign Data Processing Agreements (DPAs).

 

9. Changes to This Privacy Policy

  • This Privacy Policy may be updated periodically to comply with legal changes or improve data protection practices.

  • Major changes will be announced via email, our website, or social media.

 

10. Contact Information

For any privacy-related inquiries, you can contact us at:

📩 support@sunio.ee
📍 Järvevana tee 9-40, Tallinn 11314, Estonia
