Privacy policy
Last updated:
About this policy
This policy explains how Jagelski & Partners OÜ collects, uses, shares, and protects personal data when a person visits this website, makes an enquiry, subscribes to updates, or engages the firm. It applies to every individual whose personal data the firm processes as a controller. It is published in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, “IKS”).
It sits alongside the Disclaimer, the Terms of service, and the Cookie policy, which together form the firm’s website legal framework.
Who is the controller
The data controller is Jagelski & Partners OÜ, an Estonian private limited company (osaühing) registered in the Estonian Commercial Register (Äriregister). Full registration details (registry code, VAT identification, registered office, and management board) are published in the Legal Notice on the Disclaimer page.
References in this policy to “the firm”, “we”, “us”, and “our” mean the data controller.
For privacy questions, requests by data subjects, and complaints, please use:
- Email: hello@jagelski.com
- Telephone: +372 527 5237
- Postal mail: see registered office in the Legal Notice on the Disclaimer page.
Data protection officer
The firm has assessed Article 37 GDPR and has determined that it is not required to appoint a Data Protection Officer. The firm is not a public authority, does not carry out large-scale systematic monitoring of data subjects, and does not process special categories of personal data on a large scale. Privacy queries are handled by the firm’s senior management at the contact details above.
Personal data we collect
The firm collects different categories of personal data depending on how an individual interacts with it.
Website visitors. When a person visits this website, technical data is collected, including IP address, device and browser information, referring URL, pages viewed, and timestamps. With consent, analytics tools collect aggregated usage data. Cookies and similar technologies are described in the Cookie policy.
Enquiries and lead-form submissions. When a person submits a contact form, lead form, or written enquiry, the firm collects: name, business email, telephone number (where provided), company name, role, country or jurisdiction of business, services of interest, business description, and the content of the message.
Newsletter and marketing subscribers. Where a person opts in to updates, the firm collects email address and, optionally, name and area of interest.
Prospective and engaged clients. As part of due diligence, onboarding, and service delivery, the firm collects identification data (full name, date of birth, nationality, residential address, government-issued identification details), corporate role data, beneficial-ownership information, business and financial data (sources of funds and wealth, anticipated activity, regulatory status), risk and screening data (sanctions, politically-exposed-person, and adverse-media results obtained from regulated screening providers), and supporting documentation.
Communications. The firm retains business correspondence, meeting notes, call summaries, and engagement records relevant to the services performed.
Sources of data
Most personal data is provided directly by the data subject or by the corporate client they represent. Some data is obtained from third-party screening providers (sanctions, politically-exposed-person, and adverse-media databases), from publicly available registers (commercial registers, beneficial-ownership registers, regulator websites, sanctions lists), and from professional advisers and Partners introduced as part of the services.
The firm does not knowingly seek to collect special categories of personal data within the meaning of Article 9 GDPR. Where such data is incidentally received (for example, in a copy of an identity document), it is processed only to the extent necessary for the purposes set out below.
Why we use your data, and the legal basis for using it
| Purpose | Categories of data | Lawful basis |
|---|---|---|
| Responding to enquiries and assessing whether to enter into a contract | Enquiry and contact data | Pre-contractual steps at the data subject’s request, and our legitimate interest in operating the firm: Article 6(1)(b) and (f) GDPR |
| Performing consultancy services and Engagement Letters | Client identification, corporate, financial, and communication data | Performance of a contract: Article 6(1)(b) GDPR |
| Introducing clients to vetted third-party regulated providers | Client identification and business data | Performance of a contract and our legitimate interest in delivering the agreed services: Article 6(1)(b) and (f) GDPR |
| KYC, anti-money-laundering, counter-terrorist-financing, and sanctions screening | Identification, beneficial-ownership, screening, and source-of-funds data | Compliance with legal obligations under Estonian and EU law, and our legitimate interest in protecting the firm against financial-crime risk: Article 6(1)(c) and (f) GDPR |
| Direct marketing to existing business clients about related services | Contact data | Our legitimate interest, with an unsubscribe link in every message: Article 6(1)(f) GDPR, read with the Estonian Electronic Communications Act and Article 13(2) of the ePrivacy Directive |
| Newsletter and marketing communications to non-clients | Email and preference data | Consent: Article 6(1)(a) GDPR |
| Website analytics, where non-essential cookies are used | Cookie and analytics data | Consent: Article 6(1)(a) GDPR |
| Website operation and security, where strictly necessary cookies are used | Limited technical data | Our legitimate interest in operating a secure website: Article 6(1)(f) GDPR |
| Establishing, exercising, or defending legal claims | All relevant categories | Our legitimate interest, and where applicable, legal obligations: Article 6(1)(c) and (f) GDPR |
| Tax, accounting, and statutory record-keeping | Invoicing and counterparty data | Compliance with legal obligations, including the Estonian Accounting Act (Raamatupidamise seadus): Article 6(1)(c) GDPR |
Where processing relies on consent, the data subject can withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal. Where processing relies on legitimate interest, the firm has carried out a balancing assessment and is satisfied that those interests are not overridden by the rights of the data subject. The data subject may object at any time on grounds relating to their particular situation.
Who we share your data with
Personal data is disclosed only where necessary, and only to categories of recipients that are bound by appropriate confidentiality and data-protection obligations. Specific recipients are not named on this page, because identities are commercially confidential and vary from engagement to engagement. The firm provides further detail to a data subject on reasoned written request.
The categories of recipients are:
- regulated banking and payment institutions;
- licensed corporate formation and licensing specialists;
- capital placement and advisory partners;
- professional advisers, including legal, accounting, and audit firms;
- IT, hosting, email, document-management, and cloud service providers acting as processors;
- compliance, KYC, and sanctions and politically-exposed-person screening providers;
- regulatory authorities, courts, tax authorities, and law-enforcement agencies, where disclosure is required by law or by a binding order; and
- prospective acquirers, investors, and their advisers in connection with a corporate transaction, subject to appropriate confidentiality.
Where third parties act as data processors on the firm’s behalf, they are engaged under written agreements that meet Article 28 GDPR.
International data transfers
The firm operates internationally. Where personal data is transferred outside the European Economic Area, transfers are made on one of the following bases:
- to a country recognised by the European Commission as offering an adequate level of protection;
- under the European Commission’s Standard Contractual Clauses, supplemented where necessary by additional technical, organisational, and contractual measures, following a transfer impact assessment; or
- in the limited circumstances permitted by Article 49 GDPR, including where transfer is necessary for the performance of a contract requested by the data subject, or for the establishment, exercise, or defence of legal claims.
A copy of the safeguards applied to a particular transfer is available on reasoned written request to the contact address above.
How long we keep your data
The firm retains personal data only for as long as necessary for the purposes for which it was collected, including any related legal, accounting, or reporting obligations. Indicative retention periods are set out below.
| Data category | Retention period |
|---|---|
| Website analytics data, where consent is given | As set out in the Cookie policy, generally up to 13 months |
| Unanswered or non-progressing enquiries | Up to 24 months from last contact |
| Newsletter and marketing data | Until the subscriber withdraws consent or, in the case of soft opt-in, objects |
| Client engagement records and Deliverables | The duration of the engagement, plus 7 years from completion (Estonian Accounting Act) |
| KYC, AML, and sanctions-screening records | 5 years from the end of the business relationship, in line with the Money Laundering and Terrorist Financing Prevention Act (Rahapesu ja terrorismi rahastamise tõkestamise seadus), extendable where required |
| Records relevant to actual or threatened legal claims | Until the relevant limitation period has expired and any claim is finally resolved |
After the applicable retention period, data is deleted or anonymised. Where deletion is not technically practicable (for example, in routine system back-ups), the firm isolates the data and prevents its further use.
Your rights
Subject to the conditions in the GDPR, every data subject has the right to:
- access their personal data and request a copy;
- request correction of inaccurate or incomplete data;
- request erasure of data that is no longer necessary or that is processed unlawfully;
- request restriction of processing in defined circumstances;
- receive certain data in a portable, machine-readable format and have it transmitted to another controller;
- object to processing carried out on the basis of legitimate interest, including direct marketing;
- withdraw consent at any time, where processing is based on consent; and
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
The firm does not carry out solely automated decision-making within the meaning of Article 22 GDPR. Screening tools may be used as part of compliance, but a qualified person reviews the result before any decision affecting the data subject is taken.
To exercise a right, please write to the contact address above. The firm responds within one month, with a possible extension of two further months for complex or numerous requests, in which case the data subject is informed of the extension and the reasons for it. The firm may need to verify identity before responding, particularly where the request relates to sensitive data.
If a data subject believes the firm has not handled personal data correctly, the data subject has the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, “AKI”):
- Address: Tatari 39, 10134 Tallinn, Estonia
- Email: info@aki.ee
- Telephone (general): +372 627 4135
- Advisory line: +372 5620 2341 (Mon to Thu, 13:00 to 16:00)
- Website: aki.ee
A data subject may also approach the supervisory authority of their EU country of residence, or take the matter to a competent court.
How we keep data secure
The firm applies organisational and technical measures appropriate to the risk, including access controls based on need-to-know, encryption in transit and where appropriate at rest, secure document handling, multi-factor authentication for administrator access, vendor due diligence on processors, and staff confidentiality undertakings. Security measures are reviewed periodically and following any incident.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the firm notifies the Estonian Data Protection Inspectorate without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in line with Article 33 GDPR. Where the breach is likely to result in a high risk, affected data subjects are notified without undue delay under Article 34 GDPR.
Children
The services are directed at businesses, not at individuals under the age of majority. The firm does not knowingly collect personal data from children. Under §8 of the Estonian Personal Data Protection Act, where consent is required from a child for an information-society service, the consent of a child of at least 13 years of age is valid; below that age, parental consent is required. If a parent or guardian believes a child has provided personal data without authority, please contact the firm so that the data can be deleted.
Cookies and similar technologies
Cookies and comparable technologies on this website are described in detail in the Cookie policy, including the categories used, retention periods, third-party processors, and the mechanisms for managing or withdrawing consent.
Changes to this policy
The firm may update this policy to reflect legal, regulatory, or operational changes. The current version is published on this page, with the last-updated date and version number above. Material changes are signposted prominently on the website for at least thirty (30) days before they take effect. Where a change requires a new lawful basis, the firm seeks consent or another appropriate basis before relying on it.
Contact
For privacy questions and rights requests:
Jagelski & Partners OÜ
Email: hello@jagelski.com
Telephone: +372 527 5237
Registered office and registry details: see Legal Notice on the Disclaimer page.
This policy is published in English. A translation may be made available for convenience. In the event of any discrepancy between the English text and a translation, the English text prevails.