— privacy
Privacy policy
Last updated · 1 May 2026
This policy explains how Samarkand Industries OÜ (“Samarkand”, “we”, “us”) processes personal data when you visit estokad.com or use the Estøkad platform. It applies to website visitors, sign-ups, and customer end-users whose data flows through Estøkad as a processor on the customer’s behalf.
1. Who we are
Samarkand Industries OÜ is an Estonian private limited company (osaühing) registered under commercial register code 17492007. Registered office: Narva mnt 5, 10117 Tallinn, Harjumaa, Estonia.
Privacy queries: privacy@samarkandindustries.com.
2. What data we collect
Visitors
When you browse estokad.com, our analytics provider (Kontrol Sentinel, EU residency) sees the URL of each page visited, your approximate region, your device class, and a randomly generated session identifier. We do not collect IP addresses in identifiable form. The consent banner on first visit is the legal basis (Article 6(1)(a) GDPR).
Sign-ups and customer accounts
When you sign up, we collect your email, the workspace name you choose, and the billing details Stripe provides us (card last four digits, country, name on the card). Legal basis: performance of contract (Article 6(1)(b) GDPR).
Editors and team members
For each user invited to a workspace, we store the email address, name (if provided), and membership role. Authentication uses magic links (Resend, EU region) or passkeys (the public key only — the private key never leaves your device).
Audit log
Every meaningful action in a workspace produces an audit row: actor, action, target, timestamp. The audit chain is the spine of our compliance posture; legal basis is legitimate interest (Article 6(1)(f) GDPR), bounded by GDPR data-minimisation principles.
3. Customer content
When you push content, schemas, or assets into Estøkad, that data is processed on your behalf — you are the controller, we are the processor. Our role is governed by the Data Processing Addendum, which forms part of these terms.
4. Where data is stored
Customer content lives in the European region the customer chose at signup — Frankfurt, Brussels, Paris, Amsterdam, Luxembourg, or Zurich. Per-country residency is the brand promise; we do not move data across regions to serve uptime targets.
Control plane data (account, billing, support tickets) lives in eu-fra-1 (Frankfurt, Germany). It contains no customer content — only the routing data necessary to operate the platform.
5. How long we keep it
| Category | Retention |
|---|---|
| Customer content | For the duration of the subscription, plus 30 days for export requests. |
| Audit log | 2 years by default; 7 years for customers on the audit-retention module. |
| Billing records | 7 years (Estonian commercial law, Raamatupidamise seadus § 12). |
| Analytics | 13 months from collection. |
| Marketing emails | Until you unsubscribe; minimum two-year suppression after unsubscribe. |
6. Your rights
Under the GDPR, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and the right to data portability. Send a request to privacy@samarkandindustries.com. We respond within 30 days.
For customer end-users (people whose data is in a customer’s workspace), the request goes to the customer, not to us — we are processor, not controller. We can route your request to the right customer if you tell us which workspace.
7. Sub-processors
We rely on a small set of vetted sub-processors. The full list with categories and countries lives in the customer Studio under /settings/compliance/sub-processors and is included in every DORA evidence pack. We notify customers in advance of changes via the same surface.
8. International transfers
We deliberately do not transfer customer content out of the EU. Our payment processor is Stripe Payments Europe Ltd. (Ireland); our error reporting is Sentry on its EU instance (de.sentry.io); transactional email runs on Resend’s EU region. Where any sub-processor handles control-plane data outside the EU, the relevant Standard Contractual Clauses are in place — listed in the sub-processor register.
9. Cookies
See our Cookie policy for the specifics, including how to change your consent.
10. Children
Estøkad is not directed at children under 16. We do not knowingly process the personal data of children. If you believe a child’s data has reached us, contact privacy@samarkandindustries.com and we will delete it.
11. Complaints
If you believe our processing is unlawful, you have the right to lodge a complaint with the Estonian supervisory authority — Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia.
12. Changes
We may update this policy. Material changes are announced at least 30 days in advance via email to workspace owners. The date at the top of this page reflects the last revision.