Privacy Policy
PRIVACY POLICY (EU)
This privacy policy was last updated on 13.05.2026.
1. General
This Privacy Policy (“Policy”) describes how Osaühing Net Group (Estonian registry code 10585438; “Net Group”, “we,” “us,” or “our”), operating the website at www.netgroup.com and https://careers.netgroup.com/ (“Websites”), processes your personal data in connection with our business activities, including our Websites, recruitment processes, and marketing communications.
We are committed to processing personal data in a transparent, fair, and lawful manner, in full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection laws. Our information security practices are aligned with the requirements of the ISO/IEC 27001 standard for information security management.
This Policy applies to all individuals whose personal data is processed by Net Group, located in the European Economic Area and Switzerland. Specifically, this Policy applies to:
- Business partners, clients, and their representatives;
- Visitors to our Websites;
- Job applicants and candidates who submit applications through our recruitment platform or whom we might contact otherwise;
- Contacts who engage with our marketing communications, including newsletters and other promotional materials.
Please read this Policy carefully. By using our Websites, engaging in our services or submitting your personal data to us, you acknowledge that you have read and understood this Policy.
2. Definitions
For the purposes of this Policy, the following terms shall have the meanings set out below:
2.1. Personal Data – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person (Article 4(1) GDPR).
2.2. Special Category Data – Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation (Article 9 GDPR).
2.3. Processing – any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction (Article 4(2) GDPR).
2.4. Data Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (Article 4(7) GDPR). In the context of this Policy, the Data Controller is Net Group.
2.5. Data Processor – a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller (Article 4(8) GDPR). Examples include TeamTailor and HubSpot, which Process Personal Data on our instructions.
2.6. Data Subject – an identified or identifiable natural person whose Personal Data is Processed by the Data Controller.
2.7. Consent – any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of their Personal Data for one or more specific purposes (Article 4(11) GDPR).
2.8. Legitimate Interests – a legal basis for Processing under Article 6(1)(f) GDPR, applicable where Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject(s).
2.9. Legal Basis – the lawful ground under Article 6 GDPR upon which the Data Controller relies to Process Personal Data.
2.10. Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed (Article 4(12) GDPR).
2.11. Third Country – any country or territory outside the European Economic Area that has not been recognized by the European Commission as providing an adequate level of data protection pursuant to Article 45 GDPR.
2.12. Cookie – a small text file placed on a user’s device by a website, used to store information about the user’s preferences, session, or behavior for functional, analytical, or marketing purposes.
2.13. TeamTailor – a cloud-based applicant tracking system used by Net Group to manage recruitment processes and candidate data, acting as a Data Processor.
2.14. HubSpot – a cloud-based customer relationship management and marketing automation platform used by Net Group to manage marketing contacts, communications, and campaign analytics.
3. Categories of Data Processed, purpose and the legal basis
We Process the following categories of Personal Data, depending on the nature of your relationship with us:
3.1. Business Relationships
- Identity data: full name, job title, professional role, and employer organization;
- Contact data: business email address, telephone number, office address;
- Communication data: records of correspondence, meeting notes, call logs, and email exchanges;
- Contractual data: signed agreements, service terms, statements of work, and related documentation;
- Financial and transactional data: invoice records, payment history, purchase orders, and billing information;
- Financial and transactional data: invoice records, payment history, purchase orders, billing information, bank account or payment details used for the settlement of invoices, credit terms agreed under the commercial relationship, and records of outstanding or overdue payments;
- Account and relationship data: CRM records, account history, relationship status, and engagement records maintained in HubSpot;
- Technical access data: login credentials and access logs relating to any client-facing portals or systems;
- Preferences and event data: communication preferences, attendance at events, and — where separately consented to — date of birth for special occasion communications.
| Purpose | Legal Basis | Explanation |
| --- | --- | --- |
| Establishing and managing the contractual relationship with the client or business partner organization | Article 6(1)(b) — Contract performance; Article 6(1)(f) — Legitimate Interests | Processing the contact and identity data of individual representatives is necessary to perform obligations under the contract concluded with their employer organization. As the individual is not personally party to the contract, we additionally rely on Article 6(1)(f), as we have a Legitimate interest in maintaining accurate records of the persons through whom our contractual relationships are managed and performed. |
| Communicating in connection with the delivery of services | Article 6(1)(b) — Contract performance; Article 6(1)(f) — Legitimate Interests | We process contact and communication data to correspond with client representatives regarding the delivery, management, and administration of services. This processing is necessary to perform our contractual obligations and to maintain the effective operation of the commercial relationship. |
| Maintaining CRM records in HubSpot | Article 6(1)(f) — Legitimate Interests | We maintain records of our client and business partner relationships, including contact details and interaction history, within HubSpot. We have a legitimate interest in maintaining an accurate and up-to-date record of our commercial relationships for the purposes of service delivery, business continuity, and account management. |
| Processing invoices, managing payments, and maintaining financial records | Article 6(1)(b) — Contract performance; Article 6(1)(c) — Legal obligation | Processing financial and transactional data is necessary for the performance of the contract and for compliance with applicable tax, accounting, and financial record-keeping obligations under national law. |
| Complying with legal and regulatory obligations | Article 6(1)(c) — Legal obligation | We may be required to Process and disclose Personal Data of client and business partner representatives in order to comply with applicable legal obligations, including anti-money laundering requirements, sanctions screening, regulatory reporting, and responses to lawful requests from public authorities or courts. |
| Establishing, exercising, or defending legal claims | Article 6(1)(f) — Legitimate Interests | In the event of a dispute, complaint, or legal proceedings arising from or in connection with our commercial relationship, we may need to retain and process relevant records — including correspondence, contractual documentation, and financial data — to establish, exercise, or defend our legal position. Retention for this purpose is limited to the data strictly necessary to respond to the specific claim and for the duration of the applicable statutory limitation period. |
| Sending service-related and transactional communications | Article 6(1)(b) — Contract performance; Article 6(1)(f) — Legitimate Interests | We may contact client and business partner representatives to provide updates directly related to the services being delivered, including notifications of changes to service terms, system updates, and operational communications. These communications are not marketing communications and do not require separate consent. |
3.2. Website Visitors
- Technical data: IP address, browser type and version, operating system, traffic source, preferred language, and device settings/usage;
- Internet activity information: including, but not limited to, browsing history, search history, and information regarding a Data Subject’s interaction with the Websites, application, or advertisement;
- Cookie-related data: session identifiers, preference settings, analytics identifiers;
- Approximate geolocation data.
| Purpose | Legal Basis | Explanation |
| --- | --- | --- |
| Ensuring the technical functioning and security of the Websites | Article 6(1)(f) — Legitimate Interests | We have a Legitimate Interest in maintaining secure, stable, and properly functioning Websites. Processing technical data such as IP addresses and device identifiers is necessary to detect and prevent unauthorized access, cyberattacks, and other security threats. This interest is not overridden by the rights of Websites visitors, as the Processing is limited in scope and essential to service integrity. |
| Analysing Websites traffic and user behaviour to improve content and user experience | Article 6(1)(f) — Legitimate Interests | We have a Legitimate Interest in understanding how visitors interact with our Websites in order to improve content quality, navigation, and overall user experience. Internet activity information and technical data are Processed for this purpose in an aggregated or pseudonymized form where possible. |
| Storing user preferences via cookies | Article 6(1)(a) — Consent (where required) | Where Cookies are not strictly necessary for the technical operation of the Websites — including functional, analytics, and marketing cookies — we rely on your freely given, specific, informed, and unambiguous Consent. Consent is obtained through our Cookie consent banner upon your first visit and may be withdrawn at any time. |
| Processing geolocation data | Article 6(1)(f) — Legitimate Interests | Approximate geolocation data, derived from IP address, is used to adapt content to the visitor’s region, comply with regional legal requirements, and support security monitoring. We do not collect precise GPS-level location data. |
3.3. Marketing
- Identification data: full name, job title, company name; date of birth of client’s representative(s);
- Contact data: email address, phone number;
- Engagement data: email open rates, click-through behaviour, form submissions, event attendance;
- Preference data: communication preferences, opt-in/opt-out records;
- Profiling data: inferred interests and behavioural segments derived from interactions with our marketing content.
We may use third party service providers, such as HubSpot, as our Customer Relationship Management and marketing platform.
3.4. Job Applicants and Candidates
- Identification data: full name, date of birth;
- Contact data: email address, phone number, postal address;
- Professional data: curriculum vitae (CV), cover letter, employment history, educational qualifications, skills, professional certifications; references;
- Assessment data: interview notes and recordings, evaluation and test scores, reference check outcomes;
- Communications with us: content of emails, video recordings, social media messages, information you have uploaded to your account with us;
- Public information: information collected from public sources, such as LinkedIn or your current employer’s website;
- Background check data: the results of background screening checks conducted prior to or following an offer of employment, which may include professional license or regulatory authorization checks, criminal records, financial probity checks where required for the role and any other screening checks required or permitted by applicable law or regulation for the specific position;
- Consent records: timestamps and scope of consent provided;
- Any additional information voluntarily provided by the candidate during the recruitment process.
We do not intentionally collect Special Category Data (e.g., health information, ethnic origin, religious beliefs) from candidates unless strictly required by law and a specific legal basis applies. Candidates should refrain from including such Personal Data in their applications.
We may use third party service providers, such as TeamTailor and LinkedIn Recruiter. In all such arrangements, Net Group acts as the Data Controller and determines the purposes and means of Processing your Personal Data.
| Purpose | Legal Basis | Explanation |
| --- | --- | --- |
| Processing applications submitted in response to job postings | Article 6(1)(b) — Necessary for taking steps prior to entering into a contract | When a candidate submits an application for a specific vacancy, Processing their Personal Data is inherently necessary to consider and progress that application. |
| Evaluating candidates, conducting interviews, and making hiring decisions | Article 6(1)(b) — Pre-contractual steps | Assessing a candidate’s suitability — through interviews, competency evaluations, reference checks, and internal scoring — constitutes Processing that is directly and objectively necessary for deciding whether to enter into an employment contract. |
| Identifying suitable candidates through targeted LinkedIn searches | Article 6(1)(f) — Legitimate Interests | We have a Legitimate Interest in proactively sourcing qualified candidates for our vacancies by searching professional networks. |
| Sending direct outreach messages to candidates via LinkedIn InMail | Article 6(1)(f) — Legitimate Interests | Contacting a candidate directly on a professional networking platform in connection with a relevant vacancy constitutes Processing for the purposes of our legitimate interest in filling vacancies with suitable candidates. |
| Transferring candidate profile data from LinkedIn Recruiter into TeamTailor upon the candidate expressing interest in proceeding with a formal application | Article 6(1)(b) — Pre-contractual steps | Where a candidate has responded positively to an outreach message and is actively proceeding with a formal application, the transfer of their LinkedIn profile data into TeamTailor is necessary for taking steps to initiate and administer the formal recruitment process within TeamTailor without requiring the candidate to re-submit information they have already made available on their LinkedIn profile. |
| Maintaining a talent pool of candidates who have consented to future consideration | Article 6(1)(a) — Consent | Where we wish to retain a candidate’s Personal Data beyond the conclusion of an active recruitment process — for example, to consider them for future vacancies — we rely exclusively on freely given, specific, informed, and unambiguous Consent, obtained at the time of application or at the close of the recruitment process or at any other time. Candidates may withdraw their Consent at any time without detriment. |
| Sending automated acknowledgment and status update communications to candidates | Article 6(1)(b) — Pre-contractual steps | Communicating with candidates regarding the status of their application — including acknowledgment of receipt, invitations to interview, and outcome notifications — is a necessary and expected element of the pre-contractual relationship. Candidates who submit applications have a reasonable expectation of receiving such communications, and their delivery is directly linked to the management of the application process. This basis applies to automated communications sent via TeamTailor; it does not extend to general marketing or promotional communications. |
| Conducting background checks on candidates for roles that require such screening as a condition of employment or regulatory authorization | Article 6(1)(c) — Legal obligation; Article 6(1)(b) — Pre-contractual steps | Background checks are conducted only where required or expressly permitted by applicable national law, or where mandated by a regulatory body as a condition of authorization to perform a specific role, such as positions involving access to vulnerable persons, regulated financial activities, classified information, or other defined high-risk functions. |
| Complying with legal obligations in the recruitment context and protecting our legal position in the event of claims | Article 6(1)(c) — Legal obligation; Article 6(1)(f) — Legitimate Interests | Certain aspects of the recruitment process may give rise to legal obligations, including equal opportunities monitoring, record-keeping requirements under employment law, and obligations to respond to regulatory inquiries or dispute resolution proceedings. In addition, where a candidate files or threatens to file a claim against us — including claims of discrimination, unfair treatment, or breach of data protection obligations — we may need to retain and Process relevant recruitment records to establish, exercise, or defend our legal position. |
| Contacting references | Article 6(1)(a) — Consent | We will use referee contact details solely for the purpose of conducting reference checks in connection with your application. This Processing is carried out on the basis of our Legitimate Interest in verifying information provided by candidates before making a hiring decision. |
If you name an individual as your referee during the recruitment process, we will receive that person’s contact details (typically name, phone number, and/or email address) from you in order to contact them regarding your application. Before providing anyone’s contact details as a referee, you must inform that person and obtain their prior Consent to (i) their Personal Data being shared with us; (ii) us contacting them for the purpose of verifying the reference; and (iii) their Personal Data being Processed as described in this Policy.
Cookies
Our Websites use Cookies. For more information about cookies, please refer to our Cookie Policy.
4. Third-party websites
This Policy does not apply to third-party websites connected by links on our Websites. We cannot guarantee that these third parties handle your Personal Data in a reliable or secure manner. We recommend you read the privacy statements of these websites prior to making use of these websites.
This exclusion does not apply to third parties whom Net Group has instructed to Process the Personal Data on our behalf or with whom we have entered into a Data Processing Agreement. Where such an agreement is in place, the third party acts as a Data Processor on our behalf and is contractually bound to Process your Personal Data only in accordance with our documented instructions, to implement appropriate technical and organizational security measures, and to comply with applicable data protection laws. A current list of our Data Processors is available upon request by contacting us at the details set out in Section 10 (Contact Information).
5. Security Measures
We take the security of your Personal Data seriously and implement comprehensive technical and organizational measures to protect it against unauthorized access, loss, destruction, alteration, or disclosure. Our information security management is aligned with the ISO/IEC 27001 standard.
5.1. Technical Measures
- ISO/IEC 27001 and 27002 Certification: we are certified to ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS);
- Hardware security: physical and technical controls are applied to all hardware containing or processing personal data, including physical access restrictions, device encryption, secure end-of-life disposal, asset inventory management, and remote wipe capabilities for portable devices;
- Vulnerability Detection: we operate a structured vulnerability management program comprising regular automated scanning, periodic penetration testing, continuous threat intelligence monitoring, and a prioritized patch management process with defined remediation timelines;
- Website Hardening and Security Features: our web properties are hardened against common vulnerabilities including those in the OWASP Top 10;
- HTTP Strict Transport Security (HSTS) and Security Headers: we implement a full suite of HTTP security headers across our web properties;
- (START)TLS / SSL / DANE Encryption: all data in transit is encrypted using secure TLS versions. Outdated protocol versions are disabled. STARTTLS is enforced for email transmission between mail servers. SSL/TLS certificates are actively monitored and renewed. DANE is implemented where supported to provide cryptographic binding of certificates to domain names via DNSSEC;
- DKIM, SPF, DMARC, and DNS Security: we publish and enforce SPF, DKIM, and DMARC policies to authenticate outbound email and protect against spoofing and phishing. Our DMARC policy is configured at enforcement level (quarantine or reject). DNSSEC is applied where applicable, and MTA-STS is published to enforce TLS for inbound email delivery;
- Login Security: access to systems Processing Personal Data is protected by enforced Multi-Factor Authentication (MFA), a technical password policy, Single Sign-On (SSO) where supported, Role-Based Access Control (RBAC) on a need-to-know basis, secure session management with automatic timeout, Privileged Access Management (PAM) for administrative accounts, and comprehensive audit logging of all authentication events.
5.2. Organizational Measures
- Information security policy: a comprehensive Information Security Management System is maintained and regularly reviewed;
- Personnel training: all employees with access to Personal Data receive regular data protection and information security training;
- Confidentiality obligations: all employees and contractors are bound by confidentiality obligations;
- Vendor management: third-party processors are required to implement appropriate security measures;
- Incident response: a formal security incident response process is in place, including procedures for detecting, reporting, investigating, and containing security incidents.
5.3. Personal Data Breach Notification
In the event of a Personal Data Breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the Data Breach, in accordance with Article 33 GDPR. Where the Data Breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by Article 34 GDPR.
6. Data Minimization and Accuracy
6.1. Data Minimization
We apply the principle of data minimization in all our Personal Data Processing activities. In accordance with Article 5(1)(c) GDPR, we collect and Process only Personal Data that is: (i) sufficient to properly fulfill the stated Processing purpose; and (ii) directly related and necessary to the specific purpose for which it is collected. We do not collect Personal Data beyond what is required for the identified purpose, and we do not repurpose Personal Data for uses incompatible with the original purpose of collection.
6.2. Data Accuracy
In accordance with Article 5(1)(d) GDPR, we take reasonable steps to ensure that Personal Data we hold is accurate, complete, and kept up to date where necessary for the purposes for which it is processed.
7. Disclosure of Personal Data to Third Parties
7.1. General Principles
We do not sell, rent, or otherwise make Personal Data available to third parties for their own independent commercial or marketing purposes. Where Personal Data is disclosed to third parties acting as Data Processors on our behalf, we ensure that a Data Processing Agreement compliant with Article 28 GDPR is in place prior to any Processing commencing.
7.2. Categories of Third-Party Recipients
We engage a number of technology and platform providers who Process Personal Data on our behalf as Data Processors. Prior to engaging any such provider, we conduct reasonable due diligence to assess their technical competence and their ability to implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
We also engage third-party IT infrastructure, cloud hosting, and managed services providers to host and operate our systems. All such providers act as Data Processors and are subject to appropriate contractual controls.
Where a client account becomes overdue, we may engage debt recovery agencies to assist with the recovery of outstanding amounts. Such agencies act as Data Processors and process identity data, contact data, financial and transactional data, and debt recovery correspondence on our behalf and in accordance with our instructions.
We may also disclose personal data to our legal counsel where necessary for the purposes of obtaining legal advice, managing disputes, conducting litigation, or responding to regulatory proceedings. Similarly, we may share personal data with our auditors and accountants for the purposes of statutory audit, financial reporting, and tax compliance.
We may be required to disclose personal data to public authorities, regulatory bodies, law enforcement agencies, or courts where we are under a legal obligation to do so. This may include disclosure to tax and revenue authorities in connection with our statutory financial reporting and record-keeping obligations; to data protection supervisory authorities in connection with regulatory investigations, audits, or notifications of personal data breaches; to law enforcement agencies pursuant to a lawful request, court order, or applicable legislation; to anti-money laundering and sanctions compliance bodies where required under applicable financial crime prevention legislation; and to courts and tribunals in connection with legal proceedings to which we are a party.
7.3. International Transfers
Where personal data is transferred to a recipient located outside the European Economic Area, we ensure that an appropriate safeguard is in place in accordance with Chapter V GDPR. We do not transfer Personal Data to recipients in third countries except where one of the following conditions is satisfied:
- The European Commission has adopted an adequacy decision in respect of the recipient country, determining that it provides a level of data protection essentially equivalent to that guaranteed within the EEA, pursuant to Article 45 GDPR;
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR have been incorporated into a binding agreement with the recipient;
- The recipient is subject to Binding Corporate Rules approved by a competent supervisory authority pursuant to Article 47 GDPR, where the recipient forms part of a group of undertakings that has adopted such rules;
- A supplementary measure has been implemented alongside the applicable transfer mechanism where a Transfer Impact Assessment indicates that the safeguard alone is insufficient to ensure an essentially equivalent level of protection in the recipient country, taking into account the legal framework and practice of the recipient jurisdiction, including any access rights afforded to public authorities; or
- In limited and exceptional circumstances, one of the derogations available under Article 49 GDPR applies, including where the transfer is necessary for the performance of a contract with the Data Subject or for the implementation of pre-contractual measures taken at the Data Subject’s request; where the transfer is necessary for the establishment, exercise, or defence of legal claims; or where the Data Subject has given explicit informed consent to the proposed transfer after having been informed of the possible risks of such transfers.
8. Data Retention
8.1. General Principle
We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law. Once the applicable retention period has expired, Personal Data is securely deleted, destroyed, or anonymized in accordance with our internal data retention and disposal procedures. Where full deletion is not immediately practicable due to technical constraints (for example, in backup systems), the data is isolated from active Processing and scheduled for deletion at the earliest opportunity.
8.2. Retention Periods by Data Category
| Category | Retention Period |
| --- | --- |
| Identity and contact data of client and business partner representatives; correspondence and communication records related to the contractual relationship | Duration of the business relationship + 3 years following last interaction |
| Contractual documentation (signed agreements, statements of work, service terms) | Duration of the contractual relationship + 3 years following termination |
| Invoice records, payment documentation, and billing data | 7 years from the date of the relevant transaction |
| CRM records maintained in HubSpot (account history, engagement data, relationship records) | Duration of the business relationship + 3 years following last interaction |
| Legal claim-related records | Until final resolution of the claim + applicable statutory limitation period |
| Marketing consent records (opt-in timestamp, consent mechanism, scope) | Duration of the marketing relationship + 3 years following withdrawal of consent or last interaction |
| Marketing communication preferences and subscription status | Until consent is withdrawn or the individual unsubscribes + 3 years to maintain suppression records |
| Email engagement data (opens, clicks, campaign analytics) | 2 years from the date of the relevant campaign or interaction |
| Active application data for job applicants and candidates | Duration of the recruitment process + 18 months following conclusion of the process |
| Unsuccessful candidate data — no talent pool consent provided | Deleted within 18 months of the conclusion of the recruitment process |
| Talent pool data — candidate has provided consent | Up to 18 months from the date of consent, unless consent is renewed prior to expiry |
| Hired candidate data (all recruitment data relating to a candidate who accepts an offer of employment) | Transferred to the employee personnel file upon commencement of employment and governed by the applicable employee data retention policy |
| IP address and device information, browser data, web server logs, technical visit data, analytics tools, statistical and aggregated analytics data, security event logs, security monitoring tools | 18 months from the date of collection or from the date of the relevant event |
| Cookie consent records | 12 months from the date of consent, renewed upon re-consent |
8.3. Review and Deletion Procedures
- Periodic review: retention schedules are reviewed at least annually to ensure continued compliance with applicable law and alignment with our Processing activities;
- Automated deletion: where technically feasible, automated deletion workflows are configured within TeamTailor, HubSpot, and our other systems to delete or anonymize data upon expiry of the applicable retention period;
- Manual review: for data categories not subject to automated deletion, a manual review process is conducted on a scheduled basis to identify and remove data that has exceeded its retention period;
- Deletion upon request: where a data subject submits a valid erasure request under Article 17 GDPR, data is deleted within 30 days of receipt of the verified request, subject to any overriding legal obligations that require continued retention;
- Backup systems: Personal Data contained in backup systems is deleted in accordance with our backup rotation schedule.
8.4. Exceptions to Retention Periods
Notwithstanding the periods set out above, we may retain Personal Data for longer than the standard retention period where: (i) retention is required by applicable law, court order, or regulatory obligation; (ii) the data is necessary for the establishment, exercise, or defence of legal claims; (iii) a supervisory authority has requested preservation of the data in connection with an investigation; or (iv) the Data Subject has consented to extended retention for a specific purpose.
In all such cases, retention beyond the standard period is documented, limited to the minimum necessary, and subject to periodic reassessment.
9. Accessing and modifying your data
If you have any questions or want to know which Personal Data we have about you, please contact us. You can contact us by using the information below. You have the following rights:
- You have the right to know why your Personal Data is needed, what will happen to it, and how long it will be retained for.
- You have the right to access your Personal Data that is known to us.
- You have the right to have your Personal Data supplemented, corrected, deleted or blocked whenever you wish.
- If you give us your Consent to Process your data, you have the right to revoke that Consent and to have your Personal Data deleted.
- You have the right to request all your Personal Data from the Data Controller and transfer it in its entirety to another Data Controller.
- You may object to the Processing of your data. We comply with this, unless there are justified grounds to continue Processing.
To exercise any of the above rights, please submit a written request to us using the contact details in Section 10. We will respond to your request within one (1) month of receipt. In cases of complexity or multiple requests, this period may be extended by a further two months, of which we will notify you.
We may need to verify your identity or the basis of representation before Processing your request. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
If you believe that our Processing of your Personal Data infringes applicable data protection law, you have the right to file a complaint with a Data Protection Authority. For more information, please contact your local data protection authority or the Estonian Data Protection Inspectorate (https://www.aki.ee/; in**@*ki.ee; Tatari 39, Tallinn 10134, +372 627 4135).
10. Amendments to this Policy
We reserve the right to make amendments to this Policy. The Policy is reviewed at least annually to ensure continued compliance with applicable law and alignment with our Processing activities. It is recommended that you consult this privacy statement regularly in order to be aware of any changes. In addition, we will actively inform you wherever possible.
11. Contact Information
If you have any questions, concerns, or requests regarding this Policy or our Processing of your Personal Data, please contact us at:
Net Group Privacy and Data Protection Inquiries: pr*****@******up.com
Recruitment-related data requests: Email: [Email]
Marketing opt-out and preferences (HubSpot): You may unsubscribe from marketing communications at any time by clicking the “Unsubscribe” link at the bottom of any marketing email, or by contacting us at: [Email].