Xato

Privacy Policy

Last updated 11 July 2026

This Privacy Policy explains how Xato (“Xato”, “we”, “us”), based in Tallinn, Estonia, collects, uses, and protects your personal data when you visit our website or contact us. We are committed to handling your information responsibly and in accordance with the EU General Data Protection Regulation (GDPR).

1. Who we are

Xato is the data controller responsible for your personal data. If you have any questions about this policy or how we process your data, you can reach us at [email protected].

2. Information we collect

When you submit our contact form, we collect the details you provide:

  • Your name
  • Your email address
  • Your company or organisation
  • Your phone number (optional)

We also automatically receive limited technical data such as your IP address, which is used by our bot-protection provider to verify that submissions are genuine.

3. How we use your information

  • To respond to your enquiry and communicate with you
  • To provide information about our products and services you request
  • To protect our website against spam and automated abuse
  • To comply with our legal and regulatory obligations

4. Legal basis for processing

We process the information you submit through the contact form on the basis of your consent and our legitimate interest in responding to your enquiry. Where processing is required to comply with a legal obligation, that obligation is our legal basis.

5. Third-party services

We use a small number of trusted providers to operate our website and handle enquiries:

  • Cloudflare Turnstile — bot and spam protection. It may process your IP address and browser signals to verify your submission.
  • Email / SMTP provider — used to deliver the contents of your enquiry to our team.

These providers process data on our behalf and are bound by appropriate data-protection obligations.

6. Data security

All data submitted through our website is transmitted over encrypted connections (TLS). We apply appropriate technical and organisational measures to protect your information against unauthorised access, loss, or misuse.

7. Data retention

We keep enquiry data only for as long as necessary to respond to your request and to maintain a record of our correspondence, after which it is deleted or anonymised, unless a longer retention period is required by law.

8. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request erasure of your data
  • Object to or restrict our processing of your data
  • Request a copy of your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with your local data-protection authority

To exercise any of these rights, contact us at [email protected].

9. International transfers

Where data is transferred outside the European Economic Area, we ensure an adequate level of protection through appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

10. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date.

11. Contact

Xato, Tallinn, Estonia — [email protected].