In force · v 2026.05 · last updated 1 May 2026 · GDPR · EU

Privacy Policy.

This Privacy Policy explains how Luup Agency OÜ ("Luup", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, contact us, engage us as a client, or interact with content we ship for our clients. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and applicable local laws. If you have questions, contact us at sales@luupagency.com.

At a glance:

  • We sell your data: never.
  • EU-hosted by default, where possible.
  • Cookies: essential + opt-in only.
  • Your rights: access · erase — free, < 30 days.

Section 01

Introduction & Scope

This Policy applies to:

  • Visitors to luupagency.com and any sub-domain we operate;
  • Prospects who fill out contact forms, request a call, or otherwise communicate with us;
  • Clients and their nominated points of contact during an engagement;
  • End users of websites, voice agents, automations, and content systems we ship for our clients (where we act as a processor on behalf of the client).

Where we provide Services to a Client and process personal data of the Client’s end users in the course of those Services, the Client is the controller and we are the processor; that processing is governed by the data-processing addendum ("DPA") referenced in our engagement, not this Policy. This Policy describes our processing as a controller (e.g. of leads, prospects, clients).

Section 02

Data Controller

The data controller responsible for personal data processed under this Policy is:

  • Luup Agency OÜ
  • Registered office: Tallinn, Estonia
  • Estonian commercial registry no.: [registry number]
  • VAT no.: [VAT number]
  • Contact: sales@luupagency.com

Section 03

Definitions

  • "Personal data" — any information relating to an identified or identifiable natural person.
  • "Processing" — any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
  • "Controller" — the party that determines the purposes and means of processing.
  • "Processor" — the party that processes personal data on behalf of the controller.
  • "Sub-processor" — a third party engaged by us to process personal data on our behalf.
  • Other terms have the meanings given in Article 4 of the GDPR.

Section 04

Categories of Personal Data

We may collect and process the following categories of personal data:

Identification & Contact Data

Name, email address, phone number, business email, job title, company name, postal address, billing address.

Engagement Data

Content of inquiries, project requirements, communications (email, Slack, call recordings or transcripts where you are notified), notes from discovery calls, contracts, invoices.

Technical Data

IP address (truncated where possible), browser type and version, device type, operating system, referrer, language, time zone, page-view timestamps, anonymous session identifiers.

Marketing Data

Email open and click events (only where you have consented), your preferences for receiving communications, unsubscribe history.

Financial Data

Bank or payment details necessary to issue invoices and process payments. Card data is handled by our payment processor and not stored by us.

What we do NOT collect

  • We do not knowingly collect special-category data (Article 9 GDPR) unless you voluntarily provide it (e.g. accessibility needs);
  • We do not collect data from children under 16;
  • We do not buy data from data brokers.

Section 05

How We Collect Data

  • Directly from you — via forms, email, calls, contracts, support requests.
  • Automatically — via cookies, server logs, and analytics on our website (see Section 8).
  • From third parties — LinkedIn (publicly available profile data when we research a prospect), credit-reference agencies (only where required for contracting), authorised referrers.
  • Through sub-processors — for example our CRM, calendar, and email-delivery providers, where we have configured them to capture data on our behalf.

Section 06

Purposes of Processing

  • To respond to your inquiries and prepare proposals;
  • To enter into and perform a contract with you, including invoicing, project delivery, and post-launch support;
  • To operate, maintain, and improve our website;
  • To produce case studies, testimonials, and marketing materials (with consent or under legitimate interests with the right to object);
  • To comply with legal obligations (accounting, tax, anti-money-laundering, regulatory requests);
  • To protect our rights, property, or safety, including investigating and preventing fraud, abuse, or unlawful use of our services;
  • To send you transactional and (with your consent) marketing communications.

Section 07

Legal Bases (GDPR Article 6)

We rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to take steps at your request before entering into a contract and to perform our contract with you.
  • Legitimate interests (Art. 6(1)(f)) — for prospect outreach to business contacts, marketing of our services to existing clients, fraud prevention, network security, and to administer our business. We have considered your rights and interests and concluded our processing does not override them. You may object at any time.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails to non-clients, and any case where consent is the most appropriate basis. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with accounting, tax, AML, and regulatory laws.

Section 08

Cookies & Tracking

We use cookies and similar technologies sparingly. We classify them as:

  • Essential — required for the site to function (e.g. session, security, load balancing). No consent required.
  • Analytics — privacy-respecting analytics (Plausible / PostHog) to understand aggregate usage. Loaded only with your consent where required.
  • Marketing — we do not load advertising, retargeting, or social-media tracking pixels by default. Where used in a campaign, they will be listed in the cookie banner and only loaded with consent.

You can manage your preferences via the cookie banner on first visit and via the "Cookie settings" link in the footer at any time. You can also block or delete cookies via your browser; doing so may limit website functionality.

Section 09

Sub-Processors & Third Parties

We engage carefully selected third parties to provide infrastructure and tools. Each is bound by a data-processing agreement and processes data only on our instructions.

Provider                Purpose                          Region            Safeguard
Vercel                  Site hosting, edge delivery      EU / global       SCCs
Cloudflare              CDN, DDoS protection             EU / global       SCCs
Plausible / PostHog     Analytics (privacy-respecting)   EU                EU-only
Google Workspace        Email, calendar, docs            EU / US           SCCs
Slack                   Internal + client comms          US (Salesforce)   SCCs
HubSpot / Pipedrive     CRM                              EU / US           SCCs
Stripe                  Payments, invoicing              EU / US           SCCs
Anthropic / OpenAI      AI model providers               US                SCCs · zero-retention API
ElevenLabs / Cartesia   Voice synthesis / transcription  EU / US           SCCs
Twilio / Vapi / Retell  Telephony for voice agents       EU / US           SCCs

An up-to-date list is available on request from sales@luupagency.com. We give existing clients 30 days’ written notice (where reasonably possible) of any new sub-processor handling their data, and you may object on reasonable grounds.

Section 10

International Transfers

Some sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of protection, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where required by additional technical and organisational measures (encryption, pseudonymisation, contractual restrictions);
  • EU–US Data Privacy Framework certification of the recipient (where applicable);
  • Other appropriate safeguards under Article 46 GDPR.

You may request a copy of the relevant safeguards by writing to sales@luupagency.com.

Section 11

Retention Periods

We do not keep personal data longer than necessary. Default retention periods:

  • Inquiry forms & prospect emails — up to 24 months from last contact, then deletion or anonymisation.
  • Client engagement records — for the duration of the engagement and 7 years thereafter (Estonian accounting and tax law).
  • Invoices and accounting records — 7 years (Estonian Accounting Act).
  • Email marketing data — until consent is withdrawn or 24 months of inactivity, whichever is first.
  • Server logs & security records — 90 days.
  • Cookie data — per the lifetime declared in the cookie banner (typically 30 days to 13 months).
  • Call recordings/transcripts on our side — 30 days, unless needed for an active dispute or longer retention is required by law.

After expiry of the applicable retention period, data is deleted, anonymised, or archived in a form that no longer permits identification.

Section 12

Your Rights (GDPR)

If you are in the EEA, the UK, or another jurisdiction with equivalent rights, you have the following rights regarding your personal data:

  • Art. 15 — Right of access: confirm whether we process your data and obtain a copy.
  • Art. 16 — Right to rectification: correct inaccurate or incomplete personal data we hold about you.
  • Art. 17 — Right to erasure ("be forgotten"): have your data deleted, subject to legal retention obligations.
  • Art. 18 — Right to restrict processing: limit our processing in specific situations.
  • Art. 20 — Right to data portability: receive your data in a structured, machine-readable format.
  • Art. 21 — Right to object: object to processing based on legitimate interests, including for direct marketing.
  • Art. 22 — Automated decisions: not be subject to a decision based solely on automated processing with legal effect.
  • Art. 7(3) — Right to withdraw consent: withdraw any consent you previously gave, at any time.

Exercising your rights is free of charge in the vast majority of cases. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as permitted by Article 12(5).

Section 13

How to Exercise Your Rights

Send a request to sales@luupagency.com describing the right you wish to exercise. We will respond within 30 days of receipt; if the request is complex we may extend this by a further 60 days, and we will notify you of the extension.

We may need to verify your identity before responding to protect your data; we will only request information strictly necessary for verification.

Where the data was provided to us by a Client (and we are the processor), we will direct you to the Client (the controller) and assist them in fulfilling your request.

Section 14

Marketing & Communications

We send three categories of email:

  • Transactional — project updates, contracts, invoices, important account notifications. Sent under the contract; cannot be unsubscribed without ending the engagement.
  • Service-related — ToS or Privacy Policy changes, security or breach notifications, sub-processor changes. Sent under legal obligation; cannot be unsubscribed.
  • Marketing — occasional notes on what we’re shipping, case studies, hiring announcements. Only sent with your consent (or to existing clients on a soft opt-in under Estonian/EU rules), and you can unsubscribe with one click via the link in every email.

Section 15

Automated Decisions & AI

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.

Some of our internal tools use AI (lead scoring, ICP fit, response drafting). Outputs from such tools are recommendations only and are reviewed by a human before any decision is taken. AI outputs may be inaccurate; you have the right under Article 22 to obtain human intervention, express your view, and contest any decision.

When we provide AI-driven services to clients (voice agents, content generation, automations), the legal characterisation depends on the configuration and is governed by the DPA agreed with the client.

Section 16

Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS) and at rest (AES-256 or equivalent) for sensitive data;
  • Strong access controls: SSO, MFA, principle of least privilege, role-based access;
  • Logging and monitoring of access to systems containing personal data;
  • Hardened deployment infrastructure on reputable cloud providers;
  • Regular security review of dependencies and sub-processors;
  • Confidentiality obligations for all personnel and contractors;
  • Backups and tested recovery procedures.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work hard and continuously to protect the data entrusted to us.

Section 17

Data Breach Notification

If we become aware of a personal-data breach affecting your personal data, we will:

  • Notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours where required by Article 33 GDPR;
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34);
  • Document the breach, its effects, and remedial actions taken, regardless of whether notification is required.

For breaches affecting personal data we process on a Client’s behalf, we notify the Client as controller without undue delay per the DPA.

Section 18

Children’s Data

Our website and services are intended for businesses and adults. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected such data, please contact sales@luupagency.com and we will delete it promptly.

Section 19

Processor Role (B2B Engagements)

When we provide Services to a Client and process personal data of the Client’s end users, customers, or employees, we act as the processor and the Client is the controller. The relationship is governed by the DPA referenced in our SOW. In that capacity:

  • We process personal data only on documented instructions from the Client;
  • We do not use such personal data for our own purposes (including training of third-party providers’ models, where an opt-out is configurable);
  • We ensure persons authorised to process the data are bound by confidentiality;
  • We assist the Client in fulfilling data-subject requests and notification obligations;
  • We delete or return all such personal data at the end of the engagement, unless retention is required by law.

Section 20

Changes to This Policy

We may update this Policy from time to time. The current version is always available at /privacy with a "last updated" date and version. For changes that materially affect your rights or our processing of your personal data, we will use commercially reasonable efforts to notify you in advance (e.g. by email or by an in-product banner).

Section 21

Complaints

If you believe we have processed your personal data unlawfully, please contact sales@luupagency.com first — we genuinely want to fix it. You also have the right to lodge a complaint with a data-protection supervisory authority, including:

  • Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — Tõnismägi 3, 15197 Tallinn, Estonia · aki.ee
  • Or the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Section 22

Contact & DPO

For privacy questions, data-subject requests, or to exercise any of your rights, contact:

  • Luup Agency OÜ · Privacy
  • Email: sales@luupagency.com
  • Legal: sales@luupagency.com
  • General: sales@luupagency.com
  • Postal: Tallinn, Estonia
  • Reg. no.: [Estonian registry number]

We have not appointed a formal Data Protection Officer because our processing does not meet the thresholds in Article 37 GDPR. The Privacy contact above is empowered to handle data-protection matters and will involve external legal counsel where appropriate.

DOC · LUUP-FOOT-001 · © 2026 Luup Agency · All rights reserved